
Topic: 0.13.0 Binary Safety Warning - page 3. (Read 2337 times)

sr. member
Activity: 378
Merit: 250
August 17, 2016, 06:40:11 PM
#6
I currently have a backup 0.12.1 wallet in case my primary ledger wallet fails. Because of this, should I not download the next version of qt until this problem is solved? Or should I download from github and compile it myself?
legendary
Activity: 2674
Merit: 2965
Terminated.
August 17, 2016, 06:33:59 PM
#5
Not sure I have heard of those characters, with the possible exception of harding (if it's the harding from this forum, I haven't seen that user here in a while).
Well, they generally are only involved in website related work. As far as Cobra is concerned, they're anonymous (i.e. nobody really knows who they are - I don't remember who gave them commit access). I've added a Github link for the contributors.

Interesting. Sipa is way too involved to be unaware of such issues, so I smell potential drama.
From what I can gather on the public communication channels, nobody really knows what the reason behind this is. You can see the commit was pushed here:


Interesting information that may be relevant:
https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html
Quote
The GnuPG Project is pleased to announce the availability of new Libgcrypt and GnuPG versions to fix a critical security problem. Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology found a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions.
Impact:
Quote
All Libgcrypt and GnuPG versions released before 2016-08-17 are affected on all platforms. A first analysis on the impact of this bug in GnuPG shows that existing RSA keys are not weakened. For DSA and Elgamal keys it is also unlikely that the private key can be predicted from other public information. This needs more research and I would suggest not to overhasty revoke keys.
legendary
Activity: 3430
Merit: 3080
August 17, 2016, 06:26:41 PM
#4
I find it a little odd that Core team (who presumably control Bitcoin.org?) could be at all certain about the origin or target of such a threat.
No. The people who have commit access/contribute to Bitcoin Core do not control Bitcoin.org. The people who work (or have commit access) on Bitcoin.org are Cobra, saivan, harding, etc.

Not sure I have heard of those characters, with the possible exception of harding (if it's the harding from this forum, I haven't seen that user here in a while).

11:06 what's up with this: https://bitcoin.org/en/alert/2016-08-17-binary-safety
11:06 we don't know

Interesting. Sipa is way too involved to be unaware of such issues, so I smell potential drama.
legendary
Activity: 2674
Merit: 2965
Terminated.
August 17, 2016, 06:18:25 PM
#3
I find it a little odd that Core team (who presumably control Bitcoin.org?) could be at all certain about the origin or target of such a threat.
No. The people who have commit access/contribute to Bitcoin Core do not control Bitcoin.org. The people who work (or have commit access) on Bitcoin.org are Cobra, saivan, harding, etc. They are usually quite different from the Bitcoin Core team. From what I can understand so far, Cobra skipped the peer-review process around 2 hours ago and pushed this commit. Bitcoin-core-dev:
Quote
11:06 what's up with this: https://bitcoin.org/en/alert/2016-08-17-binary-safety
11:06 we don't know
legendary
Activity: 3430
Merit: 3080
August 17, 2016, 06:14:22 PM
#2
Currently found on Bitcoin.org. There seems to be a lack of information regarding this. Any information (speculative posts are likely to be removed due to being insubstantial)?

I find it a little odd that Core team (who presumably control Bitcoin.org?) could be at all certain about the origin or target of such a threat. If the threat itself is public, a simple hyperlink to the threat would suffice. If the threat is private, it depends a great deal on the status (and therefore also the identity) of the menace. Maybe the reference to China is only a reference to China's majority hashrate, and not to anything specific about the known threat.
legendary
Activity: 2674
Merit: 2965
Terminated.
August 17, 2016, 05:58:00 PM
#1
Quote
Summary

Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state sponsored attackers. As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre. We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.

In such a situation, not being careful before you download binaries could cause you to lose all your coins. This malicious software might also cause your computer to participate in attacks against the Bitcoin network. We believe Chinese services such as pools and exchanges are most at risk here due to the origin of the attackers.

Mitigation

The hashes of Bitcoin Core binaries are cryptographically signed with this key.

We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries. This is the safest and most secure way of being confident that the binaries you’re running are the same ones created by the Core Developers.
Currently found on Bitcoin.org. There seems to be a lack of information regarding this. Any information (speculative posts are likely to be removed due to being insubstantial)?
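
The Mitigation steps quoted in the alert above (pin the signing key's full fingerprint, verify the signature over the hash list, then compare the binary's hash), as an added example that is not part of the thread and is not Bitcoin.org's or Bitcoin Core's own tooling. Only the fingerprint comes from the alert; the gpg status lines, file name and file contents are constructed samples.

```python
import hashlib
import hmac
import re

# Fingerprint quoted in the Bitcoin.org alert above; everything else here is constructed.
PINNED_FPR = "01EA5486DE18A882D4C2684590C8019E36C2E964"

def signed_by_pinned_key(gpg_status, pinned=PINNED_FPR):
    """Parse `gpg --status-fd` output: require a VALIDSIG from the pinned key."""
    ok = False
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False  # bad signature, or signer key expired/revoked
        # Compare the full 40-hex primary-key fingerprint (last field), never a short ID.
        if parts[1] == "VALIDSIG" and parts[-1].upper() == pinned:
            ok = True
    return ok

def parse_sums(signed_text):
    """Map filename -> SHA-256 hex from `<hash>  <name>` lines of the signed text."""
    sums = {}
    for line in signed_text.splitlines():
        m = re.fullmatch(r"([0-9a-fA-F]{64}) [ *](\S.*)", line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def binary_is_authentic(gpg_status, signed_text, filename, data):
    """Signature first, then the hash: a matching hash in an unsigned list proves nothing."""
    if not signed_by_pinned_key(gpg_status):
        return False
    expected = parse_sums(signed_text).get(filename)
    actual = hashlib.sha256(data).hexdigest()
    return expected is not None and hmac.compare_digest(expected, actual)

def sample_status(fpr):
    """Constructed status lines in the shape gpg prints for one good signature."""
    return (f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG {fpr[-16:]} Constructed Signer\n"
            f"[GNUPG:] VALIDSIG {fpr} 2016-08-17 1471456800 0 4 0 1 8 01 {fpr}\n")

# Constructed stand-ins for a downloaded binary and its signed hash list.
NAME = "example-release.tar.gz"
DATA = b"constructed stand-in for a release binary\n"
SUMS = f"{hashlib.sha256(DATA).hexdigest()}  {NAME}\n"

if __name__ == "__main__":
    print(binary_is_authentic(sample_status(PINNED_FPR), SUMS, NAME, DATA))
```

In practice the status text comes from running `gpg --status-fd 1 --verify` on the signed hash file, and the hash list passed in should be the signed text itself rather than anything surrounding the signature block in the download.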