
Topic: bitcoins open sourceness (Read 1578 times)

hero member
Activity: 755
Merit: 515
May 17, 2011, 06:01:15 AM
#9
Well, could anyone create a tree with all the libraries pre-installed and setup so compiling would be EASY, for Christ sake?
If you are on Windows, well you are in luck, see https://bitcointalksearch.org/topic/windows-build-archive-4750 and https://bitcointalksearch.org/topic/m.86700.
If you are on Linux, the instructions really are quite easy, ask if you have questions.
If you are on Mac...well you are pretty much SOL, I might get around to writing some more build instructions for Mac, but I don't have the time atm...
member
Activity: 124
Merit: 10
May 17, 2011, 03:02:50 AM
#8
Is it possible to view the code of the actual bitcoin.exe program available for download rather than trust that the open source code provided online is indeed the same as the download? if not, it seems that the one downloaded could potentially be a sort of a look-a-like program that actually holds a malicious timebomb of sorts. I'm sure there is a simple answer, I just have not found it yet.

Don't trust the binaries then. Compile the source yourself. That's the beauty of open source: you have no reason to trust a software developer but many ways to check the source code :-)

Rage
sr. member
Activity: 420
Merit: 250
May 17, 2011, 01:44:58 AM
#7
most operating systems can use CMake.. utilize it....
legendary
Activity: 1386
Merit: 1000
May 17, 2011, 01:39:12 AM
#6
I'm sure there is a simple answer, I just have not found it yet.

You can use the Gentoo operating system, like I do.
Everything here comes either from my own build server or compiled directly from source.
legendary
Activity: 1652
Merit: 2301
Chief Scientist
May 14, 2011, 07:53:17 PM
#5
I make the Amazon virtual machine images that I used to build the Windows and Linux binaries available... but Amazon recently took them down because they contain my ssh public key in the "allowed to login without a password" file. Removing the public key and then making the modified virtual machines public again is on my TODO list (Amazon doesn't want anybody to have a 'back door' into a public machine image, and bravo to them for checking-- I had no intention of logging into others' bitcoin-build-environment virtual machines, I just needed an easy way to login while I was putting together the releases).

If you have an EC2 account, you can run them and recreate the exact build environment and check to make sure you get exactly the same executable code (the compilers may put timestamps inside the files which you'd have to ignore).

The plan for future releases is to use devrandom's 'gitian' build system, which is a spiffy way of creating a well-defined virtual machine image from signed and trusted repositories, fetching a specific version of the code from the git source tree, and compiling in a way that is completely reproducible.
 See: https://github.com/devrandom/gitian-builder
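
What "ignoring the timestamps" can look like for a Windows binary, as an added example that is not part of the original post or of the Bitcoin project's tooling: it zeroes the PE header's TimeDateStamp and the CheckSum that depends on it in both files, then compares what is left. The function names and the sample images are constructed for illustration; real binaries may carry further timestamps (for example in debug data) that this does not mask.

```python
import hashlib
import struct

def masked_pe(data: bytes) -> bytes:
    """Return a copy of a PE image with build-time-dependent header fields zeroed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if len(data) < pe_off + 24 or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)   # SizeOfOptionalHeader
    out = bytearray(data)
    out[pe_off + 8:pe_off + 12] = bytes(4)                      # COFF TimeDateStamp
    if opt_size >= 68 and len(data) >= pe_off + 92:
        out[pe_off + 88:pe_off + 92] = bytes(4)                 # optional header CheckSum
    return bytes(out)

def compare_builds(official: bytes, rebuilt: bytes):
    """Return (match, first differing offsets) after masking the timestamp fields."""
    a, b = masked_pe(official), masked_pe(rebuilt)
    match = hashlib.sha256(a).digest() == hashlib.sha256(b).digest()
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(a) != len(b):
        diffs.append(min(len(a), len(b)))                       # where one file ends early
    return match, diffs[:16]

def fake_pe(timestamp: int, code: bytes) -> bytes:
    """Constructed, minimal PE-shaped image for the demo (not a runnable .exe)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 96, 0x102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 64, timestamp ^ 0xFFFF)         # stand-in checksum value
    return dos + b"PE\0\0" + coff + bytes(opt) + code

if __name__ == "__main__":
    release = fake_pe(1305400000, b"\x55\x8b\xec\xc3")          # constructed "download"
    rebuild = fake_pe(1305600000, b"\x55\x8b\xec\xc3")          # same code, built later
    altered = fake_pe(1305600000, b"\x55\x8b\xec\x90")          # one code byte differs
    print("rebuild:", compare_builds(release, rebuild))
    print("altered:", compare_builds(release, altered))
```

Any offset reported after masking is a difference the header timestamp does not explain and needs to be accounted for before the two builds can be called the same.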

hero member
Activity: 672
Merit: 500
BitLotto - best odds + best payouts + cheat-proof
May 14, 2011, 04:43:04 PM
#4
I've heard plans that one day there will be a generic build environment people can use to verify it. Then anyone can check the one already compiled against the one they just built to ensure it's ok. Not sure how far off that is though.
member
Activity: 102
Merit: 10
May 14, 2011, 04:29:28 PM
#3
Simple answer would be to build it yourself if you want to.
But then you're still not guaranteed that the compiler you use is not generating something not in original code for you.

It's a pretty old issue, actually.

You can take it even further, say, if you bootstrap your own compiler and compile the source yourself, how can you be absolutely certain that there are no programmatic trapdoors left in your CPU microcode?
full member
Activity: 327
Merit: 124
May 14, 2011, 04:29:06 PM
#2
Is it possible to view the code of the actual bitcoin.exe program available for download rather than trust that the open source code provided online is indeed the same as the download? if not, it seems that the one downloaded could potentially be a sort of a look-a-like program that actually holds a malicious timebomb of sorts. I'm sure there is a simple answer, I just have not found it yet.

The developers build the distribution you download, which comes with source.  It is highly unlikely they would distribute binaries with extra stuff in them which don't match the source they provide.

You are welcome to build the programs, as well as the libraries they use, completely from source, and run those.  Aside from things like date strings, they should verify against the provided binaries.

You are probably orders of magnitude more likely at risk from bugs than you are from a developer conspiracy.

Not to mention the 100 million lines of Windows source you don't have, that is also running on your machine.

hero member
Activity: 504
Merit: 500
May 14, 2011, 04:16:48 PM
#1
Is it possible to view the code of the actual bitcoin.exe program available for download rather than trust that the open source code provided online is indeed the same as the download? if not, it seems that the one downloaded could potentially be a sort of a look-a-like program that actually holds a malicious timebomb of sorts. I'm sure there is a simple answer, I just have not found it yet.