Github build vs downloading source | Bitcointalksearch.org

ABCbits

legendary

Activity: 2870

Merit: 7490

Crypto Swap Exchange

Quote from: takuma sato on August 23, 2022, 10:00:34 AM

Quote from: ABCbits on May 20, 2022, 06:38:17 AM

--snip--

There should be more tutorials on YT showing you how to download latest code, sign it and build it. I've looked on YT and most are just downloading from GitHub. Most people nowadays use YT has a SERP since it's more intuitive to look at a video and hear it than read for most folks.

I get your point, but realistically there are few problem
1. There aren't many people willing to make such detailed video.
2. Shorter video usually is preferable for most folks and youtube seems to show shorter video first on search result[1].

[1] https://www.statista.com/statistics/1256144/youtubecom-top-search-results-distribution-video-duration/

takuma sato

sr. member

Activity: 317

Merit: 448

Quote from: ABCbits on May 20, 2022, 06:38:17 AM

Quote from: takuma sato on May 19, 2022, 11:05:56 AM

I see all these tutorials that teach people how to build the source are using the git clone https://github.com/bitcoin/bitcoin method which builds im assuming the most recent changes, so you get a version 23.0 followed by some alphanumeric string. Why use this and not just build the official release? Isn't this a more conservative way keep yourself updated?

Not all tutorials use latest commit, i managed to find few which checkout to specific tag[1-2] before compiling. If you find tutorial which use latest commit, it's likely the tutorial only show you how to compile Bitcoin Core without consideration for production system or managing real money.

[1] https://medium.com/coinmonks/how-to-compile-bitcoin-core-from-source-5539ff9fbce5
[2] https://github.com/jonatack/bitcoin-development/blob/master/how-to-compile-bitcoin-core-from-source-on-linux-and-macOS.md

There should be more tutorials on YT showing you how to download latest code, sign it and build it. I've looked on YT and most are just downloading from GitHub. Most people nowadays use YT has a SERP since it's more intuitive to look at a video and hear it than read for most folks.

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Quote from: nc50lc on May 28, 2022, 10:33:02 PM

For the record, the "official" documentation in Bitcoin's GitHub repository instructs to build using the git clone.
~
It makes sense since it's in GitHub where you can assume that the readers have audited the code.
However, 'all those tutorials' might have just imitated what's written there.

That's because the build documentation on Github is intended for developers, that's why it tells them to use git clone.

Like the download notice says, users should be using the deterministicly signed binaries from bitcoincore.org.

nc50lc

legendary

Activity: 2534

Merit: 6080

Self-proclaimed Genius

Quote from: takuma sato on May 19, 2022, 11:05:56 AM

I see all these tutorials that teach people how to build the source are using the git clone https://github.com/bitcoin/bitcoin method which builds im assuming the most recent changes, -snip-

For the record, the "official" documentation in Bitcoin's GitHub repository instructs to build using the git clone.

These for example: github.com/bitcoin/bitcoin/blob/master/doc/build-windows.md and /doc/build-unix.md
From: github.com/bitcoin/bitcoin/tree/master/doc

It makes sense since it's in GitHub where you can assume that the readers have audited the code.
However, 'all those tutorials' might have just imitated what's written there.

ranochigo

legendary

Activity: 3038

Merit: 4418

Crypto Swap Exchange

Quote from: nullama on May 28, 2022, 09:53:20 AM

Based on the information provided in the github repo:

Quote from: https://github.com/bitcoin/bitcoin/releases/tag/v23.0

Do not use the links provided by GitHub, rather use the above download links, they are guaranteed to be generated deterministically and signed.

So basically that means that you should download https://bitcoincore.org/bin/bitcoin-core-23.0/bitcoin-23.0.tar.gz in this case as you mentioned.

But more importantly, you need to verify the downloaded source code, like this for example: https://bitcoin.stackexchange.com/questions/565/how-can-one-download-the-bitcoin-client-securely

Actually, both the source from that Github release and the release provided by bitcoincore.org are the same. There used to be an issue with how the tarball generated with the Github release and it resulted in the autogenerated tarball not being deterministic. It is fixed however, I think the warning (or advisory, I would say) is just in case the autogenerated tarball isn't reproducible. Checked it again and it works fine.

nullama

hero member

Activity: 1008

Merit: 960

Based on the information provided in the github repo:

Quote from: https://github.com/bitcoin/bitcoin/releases/tag/v23.0

Do not use the links provided by GitHub, rather use the above download links, they are guaranteed to be generated deterministically and signed.

So basically that means that you should download https://bitcoincore.org/bin/bitcoin-core-23.0/bitcoin-23.0.tar.gz in this case as you mentioned.

But more importantly, you need to verify the downloaded source code, like this for example: https://bitcoin.stackexchange.com/questions/565/how-can-one-download-the-bitcoin-client-securely

BlackHatCoiner

legendary

Activity: 1512

Merit: 7340

Farewell, Leo

Don't know if that's what you're asking, but:

Theoretically, it's safer to download the source code outside GitHub and then verify the signature of it, by downloading the public keys from GitHub. If you download both the signature, the public key(s) and the source code from GitHub, it's easier for an attacker, or from GitHub itself, to screw you. On the other hand, if you do the former, the attacker needs to compromise both sites at the same time.

PawGo

legendary

Activity: 952

Merit: 1385

Quote from: NotATether on May 19, 2022, 10:26:31 PM

You actually do not want to clone the code from Github and use it verbatim because if you build that, you will get a debug build.

In particular, it will include commits from a few hours ago that are not tested fully and can compromise the stability of Core and could even have regressions.

Checking out the tree to a known working version e.g. 23.0 is identical to downloading the corresponding source code from bitcoincore.org (and the Github Releases page), and is absolutely necessary to do if you want a stable Core.

That's why it is better to rely on TAGs provided by authors. Usually tag x = release x, that way you are (almost) sure that final product will be the same as released binary.
For example for the latest version you look for that state: https://github.com/bitcoin/bitcoin/tree/v23.0
The same zipped sources which you see under /releases/ have the same content you find using tags.

ABCbits

legendary

Activity: 2870

Merit: 7490

Crypto Swap Exchange

Quote from: takuma sato on May 19, 2022, 11:05:56 AM

I see all these tutorials that teach people how to build the source are using the git clone https://github.com/bitcoin/bitcoin method which builds im assuming the most recent changes, so you get a version 23.0 followed by some alphanumeric string. Why use this and not just build the official release? Isn't this a more conservative way keep yourself updated?

Not all tutorials use latest commit, i managed to find few which checkout to specific tag[1-2] before compiling. If you find tutorial which use latest commit, it's likely the tutorial only show you how to compile Bitcoin Core without consideration for production system or managing real money.

[1] https://medium.com/coinmonks/how-to-compile-bitcoin-core-from-source-5539ff9fbce5
[2] https://github.com/jonatack/bitcoin-development/blob/master/how-to-compile-bitcoin-core-from-source-on-linux-and-macOS.md

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

You actually do not want to clone the code from Github and use it verbatim because if you build that, you will get a debug build.

In particular, it will include commits from a few hours ago that are not tested fully and can compromise the stability of Core and could even have regressions.

Checking out the tree to a known working version e.g. 23.0 is identical to downloading the corresponding source code from bitcoincore.org (and the Github Releases page), and is absolutely necessary to do if you want a stable Core.

jackg

copper member

Activity: 2856

Merit: 3071

https://bit.ly/387FXHi lightning theory

Quote from: takuma sato on May 19, 2022, 11:05:56 AM

Why use this and not just build the official release? Isn't this a more conservative way keep yourself updated?

I think it's a case of doing it how they're used to doing it with other/most software. It's likely that broken parts of the code will be commented out/not compiled for most software that's expected to be downloaded a lot this way but it isn't the best way to do it and there is probably a greater chance of getting bugs too.

ranochigo

legendary

Activity: 3038

Merit: 4418

Crypto Swap Exchange

The official releases are meant to be stable and they are meant for people to use.

You can clone and compile from the master branch but they are work in progress so they are supposed to be used for testing and not for normal users. If not then, you can compile from the stable branch as well (ie. git checkout [version]). You can validate against the signature when you're compiling.

takuma sato

sr. member

Activity: 317

Merit: 448

What is safer, to build directly from github including all most recent changes, or to get the source code from the Bitcoin Core website? (in this case, https://bitcoincore.org/bin/bitcoin-core-23.0/bitcoin-23.0.tar.gz)

I see all these tutorials that teach people how to build the source are using the git clone https://github.com/bitcoin/bitcoin method which builds im assuming the most recent changes, so you get a version 23.0 followed by some alphanumeric string. Why use this and not just build the official release? Isn't this a more conservative way keep yourself updated?

Topic: Github build vs downloading source (Read 255 times)