Stupid question, although I think someone else was wondering the same...
How was that mass 'vulnerability' message sent and displayed within the affected Bitcoin GUIs/Clients ?
I saw that (in the lower left of my Bitcoin-QT Windows GUI) before I saw the forum warning....
I guess what I am most wondering is, what call was used on the client-side to retrieve that warning ? (getmininginfo.something ?)
I would like to be able to display future warnings etc in my Web Mining monitor, that I also display other BTC info in using API calls.
Topic: [ANN] Critical vulnerability (denial-of-service attack) - page 2. (Read 25767 times)
Is there something about 0.6+ that refuses to read block chain files copied in from earlier versions? Just built it, but every time I run it, it ignores the blk*.dat files and deletes the __db.* files from the configuration directory. Then it tries to reload the whole block chain off the network. I wouldn't mind doing that on a spare machine, but now I'm worried if I do let it run, then when I copy the directory over to a hot machine it'll just start all over again.
Has anyone else run into this problem?
Has anyone else run into this problem?
Can Qt version be made to look and function indistinguishable from wx?
Probably. Does wx have a consistent look? I thought it just wrapped GTK+ :pAs for function, it should be possible, though probably a lot of work.
Can Qt version be made to look and function indistinguishable from wx?
Probably. Does wx have a consistent look? I thought it just wrapped GTK+ :pAs for function, it should be possible, though probably a lot of work.
Can Qt version be made to look and function indistinguishable from wx?
Probably. Does wx have a consistent look? I thought it just wrapped GTK+ :pAs for function, it should be possible, though probably a lot of work.
There are some software based on Qt that look good and are intuitive to use, but not many.
Qt doesn't have "looks"; Qt applications just adopt the appearance of your OS, whatever that may be (at least by default; I understand there's some way to "skin" Qt applications...). 
Probably not by me, unless someone want to run Bitcoin look-alike wallet stealer 
But there is some people who like the wx version better. Maybe starting to collect bounty to be paid for releasing up-to-date Bitcoin-wx is a better idea.
But there is some people who like the wx version better. Maybe starting to collect bounty to be paid for releasing up-to-date Bitcoin-wx is a better idea.It might be more efficient to raise funds to fix whatever you don't like in the -qt GUI— even if there are irreconcilable differences maintaining a fork of the QT gui would be a lot less work than WX, it's easier to get people willing to work with QT, and the WX version is even a pain to build.
What an offtopic.
Oh my. I think I may have an idea what this is all about, and if I'm right this attack would be scarily easy to implement.
Probably not by me, unless someone want to run Bitcoin look-alike wallet stealer But there is some people who like the wx version better. Maybe starting to collect bounty to be paid for releasing up-to-date Bitcoin-wx is a better idea.
But there is some people who like the wx version better. Maybe starting to collect bounty to be paid for releasing up-to-date Bitcoin-wx is a better idea.It might be more efficient to raise funds to fix whatever you don't like in the -qt GUI— even if there are irreconcilable differences maintaining a fork of the QT gui would be a lot less work than WX, it's easier to get people willing to work with QT, and the WX version is even a pain to build.
Quote
I only support bitcoind 0.4.x, not wxBitcoin. If you want to resurrect it, I'm happy to help, but there will need to be at least one real developer who cares about it...
Wasn't BitcoinD the same Bitcoin client in "headless" mode?Quote
If you want to resurrect it, I'm happy to help, but there will need to be at least one real developer who cares about it...
Probably not by me, unless someone want to run Bitcoin look-alike wallet stealer But there is some people who like the wx version better. Maybe starting to collect bounty to be paid for releasing up-to-date Bitcoin-wx is a better idea.
Quote
I only support bitcoind 0.4.x, not wxBitcoin. If you want to resurrect it, I'm happy to help, but there will need to be at least one real developer who cares about it...
Wasn't BitcoinD the same Bitcoin client in "headless" mode?Quote
If you want to resurrect it, I'm happy to help, but there will need to be at least one real developer who cares about it...
Probably not by me, unless someone want to run Bitcoin look-alike wallet stealer But there is some people who like the wx version better. Maybe starting to collect bounty to be paid for releasing up-to-date Bitcoin-wx is a better idea. Quote
SourceForge uploads require 3 independent people to build the same binaries to verify their integrity. Want to volunteer to help out with 0.4.x? :p
Maybe. The wx version sure needs to live on, as it is better in all aspects than qt version in my opinion.The biggest problem is that I'm not a programmer. I can compile software from source, I can take look at the code and guess what it probably does, and that's all.
Getting stuff on SourceForge requires being able to compile with gitian, not much more. That requires Ubuntu right now. If you can help with this, ping me in #Bitcoin-Dev (IRC) and I'll try to help you through it.
First of all I did not doubt the genuinity of Gavin's post at all. I was surprised that the Gavin's key did not match one stored in my keyring, and I was lazy enough to not look for other signatures.
Quote
SourceForge uploads require 3 independent people to build the same binaries to verify their integrity. Want to volunteer to help out with 0.4.x? :p
Maybe. The wx version sure needs to live on, as it is better in all aspects than qt version in my opinion. The biggest problem is that I'm not a programmer. I can compile software from source, I can take look at the code and guess what it probably does, and that's all. Why Gavin did not use 0xBE38D3A8 key for signing the post? Did I got wrong key in my chain?
I can't speak for why Gavin signed the message with his "CODE SIGNING KEY" rather than his normal one, but at least I can confirm that this key is 4096-bit (his normal one is only 1024-bit) and signed by the normal one. It's also the one he uses to sign all his release builds.I don't know if it is relevant, but I happened to see the post when it was first put up, and I saw a signed statement, and upon refresh I saw the signature removed, and another refresh I saw the signature put back on. Unfortunately, I didn't keep any copies of the first post and its initial signature.
It's not relevant. The signature was removed when he edited the post to correct the stable version numbers (he had 1 higher than the correct versions), and he resigned the corrected message later. Why Gavin did not use 0xBE38D3A8 key for signing the post? Did I got wrong key in my chain?
The key Gavin used is signed by 0xBE38D3A8. It's his code-signing key.
Why Gavin did not use 0xBE38D3A8 key for signing the post? Did I got wrong key in my chain?
No, you didn't. I'm curious of this myself.Why Gavin did not use 0xBE38D3A8 key for signing the post? Did I got wrong key in my chain?
No, you didn't. I'm curious of this myself. Backports for older releases (0.5.5 and 0.4.6) are also available if
you cannot upgrade to version 0.6.2.
you cannot upgrade to version 0.6.2.
Why Gavin did not use 0xBE38D3A8 key for signing the post? Did I got wrong key in my chain?
And when sf.net will have latest 0.4.x uploaded?
And when sf.net will have latest 0.4.x uploaded?
In light of Gavin's statements, this seemed like a very reasonable post to me.
Anyhow...
Thanks for the update, Gavin. And thanks to all the coders and testers involved with fixing this.
And when sf.net will have latest 0.4.x uploaded?
SourceForge uploads require 3 independent people to build the same binaries to verify their integrity. Want to volunteer to help out with 0.4.x? :p
Why Gavin did not use 0xBE38D3A8 key for signing the post? Did I got wrong key in my chain?
And when sf.net will have latest 0.4.x uploaded?
And when sf.net will have latest 0.4.x uploaded?
FWIW, the network is now 5% secure against CVE-2012-2459.
I'm glad you understand what this means. I assume it's a good thing.
Thanks to all of your programmers fighting the good fight!
Jump to: