Bitcoin Core (Bitcoin-Qt) 0.9.1 released - update required - page 6.

wumpus

hero member

Activity: 812

Merit: 1022

No Maps for These Territories

Quote from: windpath on April 09, 2014, 08:30:57 AM

With the rename to "Bitcoin Core", you would think it would be just that, the CORE p2p network/functionality.

IMO the foundation has no business competing with other clients and features, be responsible for the core, let others build on it.

At the very least separate out all "features" that are not required by the core as a separate application.

I'm not sure I follow you. In the post that you reply to, I talk about splitting off the wallet functionality. I don't see why you still feel that you need to rant. This can't be done in one day (unless we get a lot of knowledgeable new contributors), but it is the planned direction.

windpath

legendary

Activity: 1258

Merit: 1027

Quote from: wumpus on April 09, 2014, 07:22:03 AM

Quote from: Hyena on April 09, 2014, 06:57:56 AM

The protocol specifies flawless security (except quantum computing vulnerability). WHY on earth has this flawless security be ruined by eager developers adding features that are not essential to bitcoin protocol?

Right, in principle, wallet functionality isn't needed at all to maintain the Bitcoin P2P network, the reason for Bitcoin Core's existence.

This is why --disable-wallet mode was introduced in 0.9.0. It allows you to build without the wallet, which removes quite a few dependencies (OpenSSL however is still required as we also use it for ECDSA at this point, and for RPC SSL support, but this could change after merging sipa's ECDSA library).

In the long run there are two options: either we remove the wallet, or we keep it and try to keep up with features of other wallets. Keeping up includes the payment protocol. If payment protocol was not supported people would be complaining about lack of support for the new merchant integration methods.

With the rename to "Bitcoin Core", you would think it would be just that, the CORE p2p network/functionality.

IMO the foundation has no business competing with other clients and features, be responsible for the core, let others build on it.

At the very least separate out all "features" that are not required by the core as a separate application.

IIOII

legendary

Activity: 1153

Merit: 1012

Quote from: wumpus on April 09, 2014, 08:18:49 AM

In any case the plan is to split the wallet off to a different repository, so that it can be maintained separately. This means you can create a fork with your own (subset of) features, without forking the entire node implementation as well.

This can happen only after SPV functionality has been implemented though. This would also isolate the wallet from potential bugs in the P2P network code (and vice versa), and also means that even if you run a full node, you don't have to have your wallet always online.

This is encouraging.

IIOII

legendary

Activity: 1153

Merit: 1012

Quote from: Luke-Jr on April 09, 2014, 07:53:37 AM

Of all the possible security flaws... OpenSSL, a security-oriented library, having a vulnerability in the most fundamental security feature used by virtually everything... is the LAST thing anyone would have reasonably considered to be a risk to security.

Any reliance on external libraries is added security risk. Because Core is financial software the most paranoid security approach should be in place. So where external libraries are not essential they should be avoided.

Quote from: Luke-Jr on April 09, 2014, 07:53:37 AM

It's much less confusing and makes it easier to use Bitcoin correctly.
Coin Control is handy, but inevitably a power user tool that is likely to give newbies the wrong idea.
Multiwallet support is unfortunately lagging behind since CodeShark went and made his own wallet instead. Sad

This is Bitcoin Core. You do not need to hide all complexity from the user. I'm accustomed to initiate all payments by myself - I dislike direct debit and similar things, because it gives me less feeling of control. Maybe this is also a question of cultural socialisation, so preference maybe different across countries - I don't know. Regardless, I think a Bitcoin Core user can be expected to know how to copy and paste Bitcoin addresses and type in the correct amount - there is no need for simplification.
There can be third party wallets which are "easier" to use.

wumpus

hero member

Activity: 812

Merit: 1022

No Maps for These Territories

Quote from: IIOII on April 09, 2014, 07:41:13 AM

Quote from: wumpus on April 09, 2014, 07:22:03 AM

If payment protocol was not supported people would be complaining about lack of support for the new merchant integration methods.

Who did complain?

No one yet. But that would happen soon enough after the new BIP007x features are rolled out by other (BitcoinJ) based wallets.

In any case the plan is to split the wallet off to a different repository, so that it can be maintained separately. This means you can create a fork with your own (subset of) features, without forking the entire node implementation as well.

This can happen only after SPV functionality has been implemented though. This would also isolate the wallet from potential bugs in the P2P network code (and vice versa), and also means that even if you run a full node, you don't have to have your wallet always online.

Luke-Jr

legendary

Activity: 2576

Merit: 1186

Quote from: bet4btc on April 09, 2014, 08:09:21 AM

Quote from: Luke-Jr on April 09, 2014, 08:01:23 AM

Quote from: bet4btc on April 09, 2014, 07:58:27 AM

Luke,
what will happen if i will run the Linux version and then switch back to the ppa version, will the wallet will sync properly?

It should, but there's no point.

Well, as for the openssl, what i did is this :

aptitude show libssl1.0.0 | grep Version

and it show this-

Version: 1.0.1-4ubuntu5.12

which seems to be the latest for ubuntu 12.04 LTS

I am still not sure i am protected..

http://www.ubuntu.com/usn/usn-2165-1/

bet4btc

newbie

Activity: 17

Merit: 0

Quote from: Luke-Jr on April 09, 2014, 08:01:23 AM

Quote from: bet4btc on April 09, 2014, 07:58:27 AM

Luke,
what will happen if i will run the Linux version and then switch back to the ppa version, will the wallet will sync properly?

It should, but there's no point.

Well, as for the openssl, what i did is this :

aptitude show libssl1.0.0 | grep Version

and it show this-

Version: 1.0.1-4ubuntu5.12

which seems to be the latest for ubuntu 12.04 LTS

I am still not sure i am protected..

Luke-Jr

legendary

Activity: 2576

Merit: 1186

Quote from: bet4btc on April 09, 2014, 07:58:27 AM

Luke,
what will happen if i will run the Linux version and then switch back to the ppa version, will the wallet will sync properly?

It should, but there's no point.

bet4btc

newbie

Activity: 17

Merit: 0

Luke,
what will happen if i will run the Linux version and then switch back to the ppa version, will the wallet will sync properly?

Luke-Jr

legendary

Activity: 2576

Merit: 1186

Everyone should keep in mind at all times that Bitcoin is still an experiment, Bitcoin technology (consensus systems) is still a very new field of computer science, and the whole thing could fall apart overnight.

Quote from: IIOII on April 09, 2014, 07:41:13 AM

If payment protocol is distributed with Core, it should be an optional thing, which the user can decide to activate (by checkbox, whatever). Security is much more important.

Of all the possible security flaws... OpenSSL, a security-oriented library, having a vulnerability in the most fundamental security feature used by virtually everything... is the LAST thing anyone would have reasonably considered to be a risk to security.

Quote from: IIOII on April 09, 2014, 07:41:13 AM

Edit. imho the dialog introduced in 0.9.0 which replaced the receiving addresses field is not an improvement. It makes things more awkward. (An example of a really good improvement is coincontrol and wallet file selection.)

It's much less confusing and makes it easier to use Bitcoin correctly.
Coin Control is handy, but inevitably a power user tool that is likely to give newbies the wrong idea.
Multiwallet support is unfortunately lagging behind since CodeShark went and made his own wallet instead. Sad

Quote from: bet4btc on April 09, 2014, 07:49:54 AM

When the ppa version will be ready? Angry

Never, it's not affected (although your OS probably is...)

bet4btc

newbie

Activity: 17

Merit: 0

When the ppa version will be ready? Angry

what will happen if i will run the Linux version, with the Current version of qt (ppa)
Is it possible to "switch" between versions at any given time, consider the block chain is updating sometimes from the linux version and some times from the pp version?

fryarminer

hero member

Activity: 686

Merit: 500

Quote from: Luke-Jr on April 09, 2014, 02:36:44 AM

Quote from: 7Priest7 on April 08, 2014, 08:35:00 PM

Memorized private keys, the safest way to own bitcoin.

Memorized private keys are in fact one of the least secure ways to own bitcoin.

Dang it! I was sitting here trying to memorize private keys!

IIOII

legendary

Activity: 1153

Merit: 1012

Quote from: wumpus on April 09, 2014, 07:22:03 AM

If payment protocol was not supported people would be complaining about lack of support for the new merchant integration methods.

Who did complain?

If payment protocol is distributed with Core, it should be an optional thing, which the user can decide to activate (by checkbox, whatever). Security is much more important.

Edit. imho the dialog introduced in 0.9.0 which replaced the receiving addresses field is not an improvement. It makes things more awkward. (An example of a really good improvement is coincontrol and wallet file selection.)

wumpus

hero member

Activity: 812

Merit: 1022

No Maps for These Territories

Quote from: Hyena on April 09, 2014, 06:57:56 AM

The protocol specifies flawless security (except quantum computing vulnerability). WHY on earth has this flawless security be ruined by eager developers adding features that are not essential to bitcoin protocol?

Right, in principle, wallet functionality isn't needed at all to maintain the Bitcoin P2P network, the reason for Bitcoin Core's existence.

This is why --disable-wallet mode was introduced in 0.9.0. It allows you to build without the wallet, which removes quite a few dependencies (OpenSSL however is still required as we also use it for ECDSA at this point, and for RPC SSL support, but this could change after merging sipa's ECDSA library).

In the long run there are two options: either we remove the wallet, or we keep it and try to keep up with features of other wallets. Keeping up includes the payment protocol. If payment protocol was not supported people would be complaining about lack of support for the new merchant integration methods.

Lucko

hero member

Activity: 826

Merit: 1000

Quote from: ShadesOfMarble on April 09, 2014, 06:56:32 AM

Quote from: Lucko on April 09, 2014, 06:52:59 AM

Grate. About 2 hours before this showed up I lost 1,6 something BTC to this... And it took only about 2 hours of running application... So it is not that impossible... Well I think it was this since I have no clue what else could it be... Is there any trace left so I can be sure?

I guess wallet stealing trojans exists almost as long as Bitcoin, so your loss could have many (other) causes.

First, scan your computer. Second, did you click on any "bitcoin:"-link?

It runs only wallet and no I just installed it... I used Ufasoft coin till now but it really runs bad with current blockchain size so I migrate keys.

I do have antivirus and malware bits on... So I don't think it is that. It also has own firewalled subnet...

EDIT: Scan completed. Noting found by AVG or Malwarebits

IIOII

legendary

Activity: 1153

Merit: 1012

Quote from: Hyena on April 09, 2014, 06:57:56 AM

Quote from: mjosephs on April 09, 2014, 06:23:54 AM

Quote from: theymos on April 08, 2014, 05:41:37 PM

If you ever used the payment protocol (you clicked a bitcoin: link and saw a green box in Bitcoin Core's send dialog), then you should consider your wallet to be compromised.

At least two dozen people (and I was nowhere near the first one) told the devs that using the OpenSSL CA infrastructure for their "payment protocol" coin-tracking fantasies was a (a) crazy, (b) stupid, and (c) risky scheme that involved an utterly massive expansion of the attack surface to include all of SSL and the entire certificate authority ponzi-scheme.

What did they do? They ignored common sense.

The bitcoin dev responsible for this idiocy is totally incompetent and should step down effective immediately. Oh wait, that happened.

Carry on.

0.9 introduced a bunch of bullshit. How the hell can bitcoin magnet link be vulnerable?! If they continue introducing unwanted bullshit features, bloating the bitcoin official client then bitcoin will be dead for me. This has already gone too far. The protocol specifies flawless security (except quantum computing vulnerability). WHY on earth has this flawless security be ruined by eager developers adding features that are not essential to bitcoin protocol?

+1

Funny... you posted this.. while I was still typing my reply.

IIOII

legendary

Activity: 1153

Merit: 1012

Quote from: madmadmax on April 08, 2014, 06:38:23 PM

That's exactly what all those three letter organizations doing within the Bitcoin Foundation, introducing vulnerabilities to the protocol.

Yeah that's a risk that should not be disregarded lightly.

As far as I understand the main vulnerability was introduced in Bitcoin Core 0.9.0 by the payment protocol's reliance on OpenSSL. If I understand correctly the payment protocol was first introduced with Core 0.9.0 (I think Gavin was doing this).

I think (and mentioned this in the past) that the payment protocol is an entirely optional feature that is not essential for Bitcoin and should not be included. It can be substituted by third parties. The added security risk by reliance on (more) external libraries is much more relevant than providing a somehow useful, but non-essential feature.

Hyena

legendary

Activity: 2114

Merit: 1015

Quote from: mjosephs on April 09, 2014, 06:23:54 AM

Quote from: theymos on April 08, 2014, 05:41:37 PM

If you ever used the payment protocol (you clicked a bitcoin: link and saw a green box in Bitcoin Core's send dialog), then you should consider your wallet to be compromised.

At least two dozen people (and I was nowhere near the first one) told the devs that using the OpenSSL CA infrastructure for their "payment protocol" coin-tracking fantasies was a (a) crazy, (b) stupid, and (c) risky scheme that involved an utterly massive expansion of the attack surface to include all of SSL and the entire certificate authority ponzi-scheme.

What did they do? They ignored common sense.

The bitcoin dev responsible for this idiocy is totally incompetent and should step down effective immediately. Oh wait, that happened.

Carry on.

0.9 introduced a bunch of bullshit. How the hell can bitcoin magnet link be vulnerable?! If they continue introducing unwanted bullshit features, bloating the bitcoin official client then bitcoin will be dead for me. This has already gone too far. The protocol specifies flawless security (except quantum computing vulnerability). WHY on earth has this flawless security be ruined by eager developers adding features that are not essential to bitcoin protocol?

ShadesOfMarble

donator

Activity: 543

Merit: 500

Quote from: Lucko on April 09, 2014, 06:52:59 AM

Grate. About 2 hours before this showed up I lost 1,6 something BTC to this... And it took only about 2 hours of running application... So it is not that impossible... Well I think it was this since I have no clue what else could it be... Is there any trace left so I can be sure?

I guess wallet stealing trojans exists almost as long as Bitcoin, so your loss could have many (other) causes.

First, scan your computer. Second, did you click on any "bitcoin:"-link?

Lucko

hero member

Activity: 826

Merit: 1000

Grate. About 2 hours before this showed up I lost 1,6 something BTC to this... And it took only about 2 hours of running application... So it is not that impossible... Well I think it was this since I have no clue what else could it be... Is there any trace left so I can be sure?

Topic: Bitcoin Core (Bitcoin-Qt) 0.9.1 released - update required - page 6. (Read 64172 times)