Author

Topic: Auto update (Read 8307 times)

LZ
legendary
Activity: 1722
Merit: 1072
P2P Cryptocurrency
September 02, 2010, 06:15:43 PM
#12
What about storing the update hash in the bitcoin journal?
newbie
Activity: 9
Merit: 0
August 20, 2010, 04:40:17 PM
#11
Not without the user's permission.  Some packages are not updated automaticly for similar reasons.

That's easy - just make Bitcoin come with a Debian VM.
legendary
Activity: 1708
Merit: 1010
August 20, 2010, 04:31:12 PM
#10
Also, if someone maintained a package and submitted it to distributions, it would already be auto-updated without the need to build it into the client.

Not without the user's permission.  Some packages are not updated automaticly for similar reasons.
sr. member
Activity: 294
Merit: 252
Firstbits: 1duzy
August 20, 2010, 04:22:22 PM
#9
Also, if someone maintained a package and submitted it to distributions, it would already be auto-updated without the need to build it into the client.

Unless you run Windows.
newbie
Activity: 9
Merit: 0
August 20, 2010, 03:56:36 PM
#8
Also, if someone maintained a package and submitted it to distributions, it would already be auto-updated without the need to build it into the client.
legendary
Activity: 1596
Merit: 1100
August 20, 2010, 03:25:11 PM
#7
I can see this as a security risk if the updater were able to be set to automatic.  Invariablely, some users will disregard the risks in the ongoing absolute trust of a particular server, and enough might be able to break the system if some cracker were to be able to compromise that trusted server and replace the client download with a compromised client with malware.  Even if that only lasted for a short time.

That's why crypto-signed updates have existed in software systems for over a decade.  You don't need to trust the server, if you have a public key stored locally.  Fedora, Ubuntu, Debian etc. sign all their binary software packages with GPG, as an example.

Eventually bitcoin will catch up with the times Smiley  Even without auto-updates, this is a serious vulnerability with the packages on bitcoin.org.  Posting SHA1 sums is useless without a cryptographic signature of some sort.

legendary
Activity: 980
Merit: 1020
August 20, 2010, 02:51:53 PM
#6
I agree with creighto, I think at most the client should give a notification that there is a new version available, but I don't like the idea of auto-updating.

People who don't download and install update is at a security risk. There will be many more security risk incurred from outdated clients than there are in an unlikely hacking attack. It's a tradeoff.
newbie
Activity: 9
Merit: 0
August 20, 2010, 02:49:47 PM
#5
I was thinking of automatic updating being off by default (but checking being on by default). Update user verification is useless for me because I always click yes -  It's rare that the update server is being played with, but even if it were, I would not be able to tell.

How about using TLS for authenticating the update server?
full member
Activity: 307
Merit: 102
August 20, 2010, 02:47:18 PM
#4
I agree with creighto, I think at most the client should give a notification that there is a new version available, but I don't like the idea of auto-updating.
legendary
Activity: 1708
Merit: 1010
August 20, 2010, 02:24:14 PM
#3
Since there can be important security updates and a lot of people don't check the site, the Bitcoin client should have an optional auto-updater (on by default), with "how often?" options ranging from each five minutes to each day and an option to install without asking (only security updates or all updates?)

I can see this as a security risk if the updater were able to be set to automatic.  Invariablely, some users will disregard the risks in the ongoing absolute trust of a particular server, and enough might be able to break the system if some cracker were to be able to compromise that trusted server and replace the client download with a compromised client with malware.  Even if that only lasted for a short time.  If the client were to ever include an update notification function, I disagree that it should *ever* update without user verification.  Even a normal client modified to send a copy of your wallet.dat file to a particular email address would screw a lot of people over in a hurry.
legendary
Activity: 1596
Merit: 1100
August 20, 2010, 01:59:03 PM
#2

+1, updating from existing clients would be a useful feature.

newbie
Activity: 9
Merit: 0
August 20, 2010, 10:23:00 AM
#1
Since there can be important security updates and a lot of people don't check the site, the Bitcoin client should have an optional auto-updater (on by default), with "how often?" options ranging from each five minutes to each day and an option to install without asking (only security updates or all updates?)
Jump to: