Author

Topic: Github build vs downloading source (Read 259 times)

legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
August 24, 2022, 07:08:57 AM
#13
--snip--

There should be more tutorials on YT showing you how to download latest code, sign it and build it. I've looked on YT and most are just downloading from GitHub. Most people nowadays use YT has a SERP since it's more intuitive to look at a video and hear it than read for most folks.

I get your point, but realistically there are few problem
1. There aren't many people willing to make such detailed video.
2. Shorter video usually is preferable for most folks and youtube seems to show shorter video first on search result[1].

[1] https://www.statista.com/statistics/1256144/youtubecom-top-search-results-distribution-video-duration/
sr. member
Activity: 322
Merit: 449
August 23, 2022, 10:00:34 AM
#12
I see all these tutorials that teach people how to build the source are using the git clone https://github.com/bitcoin/bitcoin method which builds im assuming the most recent changes, so you get a version 23.0 followed by some alphanumeric string. Why use this and not just build the official release? Isn't this a more conservative way keep yourself updated?

Not all tutorials use latest commit, i managed to find few which checkout to specific tag[1-2] before compiling. If you find tutorial which use latest commit, it's likely the tutorial only show you how to compile Bitcoin Core without consideration for production system or managing real money.

[1] https://medium.com/coinmonks/how-to-compile-bitcoin-core-from-source-5539ff9fbce5
[2] https://github.com/jonatack/bitcoin-development/blob/master/how-to-compile-bitcoin-core-from-source-on-linux-and-macOS.md

There should be more tutorials on YT showing you how to download latest code, sign it and build it. I've looked on YT and most are just downloading from GitHub. Most people nowadays use YT has a SERP since it's more intuitive to look at a video and hear it than read for most folks.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
May 29, 2022, 12:38:21 AM
#11
For the record, the "official" documentation in Bitcoin's GitHub repository instructs to build using the git clone.
~
It makes sense since it's in GitHub where you can assume that the readers have audited the code.
However, 'all those tutorials' might have just imitated what's written there.

That's because the build documentation on Github is intended for developers, that's why it tells them to use git clone.

Like the download notice says, users should be using the deterministicly signed binaries from bitcoincore.org.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
May 28, 2022, 10:33:02 PM
#10
I see all these tutorials that teach people how to build the source are using the git clone https://github.com/bitcoin/bitcoin method which builds im assuming the most recent changes, -snip-
For the record, the "official" documentation in Bitcoin's GitHub repository instructs to build using the git clone.

These for example: github.com/bitcoin/bitcoin/blob/master/doc/build-windows.md and /doc/build-unix.md
From: github.com/bitcoin/bitcoin/tree/master/doc

It makes sense since it's in GitHub where you can assume that the readers have audited the code.
However, 'all those tutorials' might have just imitated what's written there.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
May 28, 2022, 10:01:33 AM
#9
Based on the information provided in the github repo:

Do not use the links provided by GitHub, rather use the above download links, they are guaranteed to be generated deterministically and signed.

So basically that means that you should download https://bitcoincore.org/bin/bitcoin-core-23.0/bitcoin-23.0.tar.gz in this case as you mentioned.

But more importantly, you need to verify the downloaded source code, like this for example: https://bitcoin.stackexchange.com/questions/565/how-can-one-download-the-bitcoin-client-securely
Actually, both the source from that Github release and the release provided by bitcoincore.org are the same. There used to be an issue with how the tarball generated with the Github release and it resulted in the autogenerated tarball not being deterministic. It is fixed however, I think the warning (or advisory, I would say) is just in case the autogenerated tarball isn't reproducible. Checked it again and it works fine.
hero member
Activity: 1008
Merit: 960
May 28, 2022, 09:53:20 AM
#8
Based on the information provided in the github repo:

Do not use the links provided by GitHub, rather use the above download links, they are guaranteed to be generated deterministically and signed.

So basically that means that you should download https://bitcoincore.org/bin/bitcoin-core-23.0/bitcoin-23.0.tar.gz in this case as you mentioned.

But more importantly, you need to verify the downloaded source code, like this for example: https://bitcoin.stackexchange.com/questions/565/how-can-one-download-the-bitcoin-client-securely
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
May 20, 2022, 11:18:36 AM
#7
Don't know if that's what you're asking, but:

Theoretically, it's safer to download the source code outside GitHub and then verify the signature of it, by downloading the public keys from GitHub. If you download both the signature, the public key(s) and the source code from GitHub, it's easier for an attacker, or from GitHub itself, to screw you. On the other hand, if you do the former, the attacker needs to compromise both sites at the same time.
legendary
Activity: 952
Merit: 1386
May 20, 2022, 06:53:49 AM
#6
You actually do not want to clone the code from Github and use it verbatim because if you build that, you will get a debug build.

In particular, it will include commits from a few hours ago that are not tested fully and can compromise the stability of Core and could even have regressions.

Checking out the tree to a known working version e.g.  23.0 is identical to downloading the corresponding source code from bitcoincore.org (and the Github Releases page), and is absolutely necessary to do if you want a stable Core.


That's why it is better to rely on TAGs provided by authors. Usually tag x = release x, that way you are (almost) sure that final product will be the same as released binary.
For example for the latest version you look for that state: https://github.com/bitcoin/bitcoin/tree/v23.0
The same zipped sources which you see under /releases/ have the same content you find using tags.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
May 20, 2022, 06:38:17 AM
#5
I see all these tutorials that teach people how to build the source are using the git clone https://github.com/bitcoin/bitcoin method which builds im assuming the most recent changes, so you get a version 23.0 followed by some alphanumeric string. Why use this and not just build the official release? Isn't this a more conservative way keep yourself updated?

Not all tutorials use latest commit, i managed to find few which checkout to specific tag[1-2] before compiling. If you find tutorial which use latest commit, it's likely the tutorial only show you how to compile Bitcoin Core without consideration for production system or managing real money.

[1] https://medium.com/coinmonks/how-to-compile-bitcoin-core-from-source-5539ff9fbce5
[2] https://github.com/jonatack/bitcoin-development/blob/master/how-to-compile-bitcoin-core-from-source-on-linux-and-macOS.md
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
May 19, 2022, 10:26:31 PM
#4
You actually do not want to clone the code from Github and use it verbatim because if you build that, you will get a debug build.

In particular, it will include commits from a few hours ago that are not tested fully and can compromise the stability of Core and could even have regressions.

Checking out the tree to a known working version e.g.  23.0 is identical to downloading the corresponding source code from bitcoincore.org (and the Github Releases page), and is absolutely necessary to do if you want a stable Core.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
May 19, 2022, 07:06:48 PM
#3
Why use this and not just build the official release? Isn't this a more conservative way keep yourself updated?

I think it's a case of doing it how they're used to doing it with other/most software. It's likely that broken parts of the code will be commented out/not compiled for most software that's expected to be downloaded a lot this way but it isn't the best way to do it and there is probably a greater chance of getting bugs too.

legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
May 19, 2022, 11:33:55 AM
#2
The official releases are meant to be stable and they are meant for people to use.

You can clone and compile from the master branch but they are work in progress so they are supposed to be used for testing and not for normal users. If not then, you can compile from the stable branch as well (ie. git checkout [version]). You can validate against the signature when you're compiling.
sr. member
Activity: 322
Merit: 449
May 19, 2022, 11:05:56 AM
#1
What is safer, to build directly from github including all most recent changes, or to get the source code from the Bitcoin Core website? (in this case, https://bitcoincore.org/bin/bitcoin-core-23.0/bitcoin-23.0.tar.gz)

I see all these tutorials that teach people how to build the source are using the git clone https://github.com/bitcoin/bitcoin method which builds im assuming the most recent changes, so you get a version 23.0 followed by some alphanumeric string. Why use this and not just build the official release? Isn't this a more conservative way keep yourself updated?
Jump to: