Topic: How secure is the bitcoin code at github? (Read 2146 times)

sr. member
Activity: 392
Merit: 268
Tips welcomed: 1CF4GhXX1RhCaGzWztgE1YZZUcSpoqTbsJ
June 26, 2015, 10:49:41 AM
#18
The scenario being discussed of someone external (e.g. github staff) tampering with the source isn't valid since it would leave the repo inconsistent due to hashing of commits (which would be evident to anyone interacting with the repo when they have a local copy with some commits). Additionally, tags can be GPG-signed, which additionally prevents tampering since changes would break the signature.
legendary
Activity: 3472
Merit: 4801
what if the developers themselves are coerced to sneak something in?

This is certainly a problem in bitcoin XT where only… one? two? individual(s) have commit access.

You can still download it and check it does it?

Also when a release comes out, it usually has a checksum and a signature, any alteration after the release is easily detectable.

So if wallet 2.0 comes out, and it has a hash, but if you sneak something shady in it after, it won't match the hash of the 2.0.

My concern is after people have switched to XT due to the 8 Mb max block size. In that scenario, and assuming they will be coerced to put some unwanted code (eg. CoinValidation—and Hearn was pretty much for that IIRC), how are we going to switch back to Bitcoin Core? We can pretty much assume we won't, with the result that TPTB will have successfully co-opted bitcoin.

I'd rather see the 8 Mb change in Core, or stay at 1 Mb until more people have governance over XT.

If we reach the point where Bitcoin XT forks the blockchains, and has enough support to matter, perhaps I'll put together a wallet that maintains both blockchains in the same wallet.  That would allow users to access either one, and would provide some competition to prevent Hearn and his associates from implementing unpopular features.  If it comes to that, I'll see about creating some sort of diverse group to handle decisions regarding the software.



legendary
Activity: 1974
Merit: 1029
what if the developers themselves are coerced to sneak something in?

This is certainly a problem in bitcoin XT where only… one? two? individual(s) have commit access.

You can still download it and check it does it?

Also when a release comes out, it usually has a checksum and a signature, any alteration after the release is easily detectable.

So if wallet 2.0 comes out, and it has a hash, but if you sneak something shady in it after, it won't match the hash of the 2.0.

My concern is after people have switched to XT due to the 8 Mb max block size. In that scenario, and assuming they will be coerced to put some unwanted code (eg. CoinValidation—and Hearn was pretty much for that IIRC), how are we going to switch back to Bitcoin Core? We can pretty much assume we won't, with the result that TPTB will have successfully co-opted bitcoin.

I'd rather see the 8 Mb change in Core, or stay at 1 Mb until more people have governance over XT.
sr. member
Activity: 1148
Merit: 252
what if the developers themselves are coerced to sneak something in?

This is certainly a problem in bitcoin XT where only… one? two? individual(s) have commit access.

You can still download it and check it does it?

Also when a release comes out, it usually has a checksum and a signature, any alteration after the release is easily detectable.

So if wallet 2.0 comes out, and it has a hash, but if you sneak something shady in it after, it won't match the hash of the 2.0.
legendary
Activity: 1974
Merit: 1029
what if the developers themselves are coerced to sneak something in?

This is certainly a problem in bitcoin XT where only… one? two? individual(s) have commit access.
hero member
Activity: 513
Merit: 500
Source?

Sounds like the wrong approach to me. We are dealing with something that has value to some. Remember "being your own bank" - as cool as it may sound - comes with responsibilities as well.

I remember an exchange was doing auto-updates, but I can't recall the details. Let's hope I'm wrong about that one.

That said, I'm very interested in the implementation of a completely decentralized version of GitHub. I know Git itself by nature is decentralized.

But would be nice if there is a platform that doesn't rely on DNS whatsoever. Perhaps it's still too early for that.
legendary
Activity: 1358
Merit: 1001
https://gliph.me/hUF
You are forgetting that many nodes and vital parts of the ecosystem are configured to automatically sync and update/recompile using what's on GitHub.[...]

Source?

Sounds like the wrong approach to me. We are dealing with something that has value to some. Remember "being your own bank" - as cool as it may sound - comes with responsibilities as well.

hero member
Activity: 513
Merit: 500
You, buddy, clearly do not understand how an Open Source repo works. Changing the code in Github won't have any immediate impact on bitcoin. You are still immersed in the paradox of a centrally controlled system.

You are forgetting that many nodes and vital parts of the ecosystem are configured to automatically sync and update/recompile using what's on GitHub.

Do you think Bitcoin ATMs get manually updated? Another issue is, what if the developers themselves are coerced to sneak something in?

In other words - shouldn't Bitcoin stakeholders be able to vote on who is the authorized developer?
hero member
Activity: 616
Merit: 500
I AM A SCAMMER
Only a person who has login information
can access the github repository.

...it's the same as any other website, you need a password
to access the account

what if someone working with github has inside ability to get login information?
or do you think people who work at github cannot figure out what someone's login or password is at github?
is it a security risk, seeing as how there is money involved with bitcoin?

You, buddy, clearly do not understand how an Open Source repo works. Changing the code in Github won't have any immediate impact on bitcoin. You are still immersed in the paradox of a centrally controlled system.
legendary
Activity: 3472
Merit: 4801
what if someone working with github has inside ability to get login information?
or do you think people who work at github cannot figure out what someone's login or password is at github?
is it a security risk, seeing as how there is money involved with bitcoin?

The code is duplicated on every developer's computer.

If the github source changes, then every developer will notice when they attempt to synchronize their local code with the server code.
newbie
Activity: 30
Merit: 0
Only a person who has login information
can access the github repository.

...it's the same as any other website, you need a password
to access the account

what if someone working with github has inside ability to get login information?
or do you think people who work at github cannot figure out what someone's login or password is at github?
is it a security risk, seeing as how there is money involved with bitcoin?
legendary
Activity: 3472
Merit: 4801
The code is duplicated on every developer's computer.

If the github source changes, then every developer will notice when they attempt to synchronize their local code with the server code.
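Added example (not part of any post in this thread): a Python sketch of the git object hashing that the replies about commit hashes and developers noticing on sync rely on, showing that altering a file in an old commit changes that commit's id and every descendant's id. The file names, contents and author identity are constructed for illustration, and only a flat directory of regular files is modelled.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """Git names every object by SHA-1 over b'<kind> <size>\\0' + body."""
    return hashlib.sha1(f"{kind} {len(body)}".encode() + b"\x00" + body).hexdigest()

def tree_id(files: dict) -> str:
    """Flat directory only: sorted b'100644 <name>\\0' + raw 20-byte blob id."""
    body = b""
    for name in sorted(files):
        blob = bytes.fromhex(git_object_id("blob", files[name]))
        body += b"100644 " + name.encode() + b"\x00" + blob
    return git_object_id("tree", body)

WHO = "Example Dev <dev@example.invalid> 1435312181 +0000"  # constructed identity

def commit_id(files: dict, parents: list, message: str) -> str:
    """A commit body names its tree and its parents, so the id covers all history."""
    lines = [f"tree {tree_id(files)}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {WHO}", f"committer {WHO}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())

def build_history(first_version: bytes) -> list:
    """Constructed two-commit history; returns commit ids, oldest first."""
    c1 = commit_id({"main.cpp": first_version}, [], "initial import")
    c2 = commit_id({"main.cpp": first_version, "README": b"docs\n"}, [c1], "add readme")
    return [c1, c2]

def missing_from_server(local: list, server: list) -> list:
    """Commits a developer's clone holds that the server history no longer contains."""
    return [c for c in local if c not in server]

if __name__ == "__main__":
    local = build_history(b"int main() { return 0; }\n")    # what developers cloned
    server = build_history(b"int main() { return 1; }\n")   # first commit altered later
    for mine, theirs in zip(local, server):
        print(mine, "->", theirs)
    print("rewritten:", missing_from_server(local, server))
```

A GPG-signed tag signs a tag object that contains the commit id, so the same change of ids also invalidates the tag signature.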
hero member
Activity: 513
Merit: 500
Just as a thought experiment...

If GitHub itself is coerced into serving a modified version of the code, none of the developers can prevent it.
sr. member
Activity: 420
Merit: 250
It can't be changed by anyone other than the original developers, unless they were to be hacked of course.
legendary
Activity: 1223
Merit: 1002
Only a person who has login information
can access the github repository.

...it's the same as any other website, you need a password
to access the account
sr. member
Activity: 1148
Merit: 252
how does bitcoin secure the github?
I don't know much about github, but if the code is sitting at github,
what is to stop someone from changing it?

someone please explain this to me, I am interested.

They would need to hack the github server to change the code.

Or they would need to set up a phishing site with modified code.

Or they would need to set up a malware on your PC that would show other code on the site, when you visit it, but only for you.
legendary
Activity: 1442
Merit: 1186
In order to change the code or files on github you would have to have commit access to the bitcoin repository.
Any outsider altering the code would have to clone it under a new repository, essentially creating an alt coin that no one would use.

Check out the help section on github. https://help.github.com/
newbie
Activity: 30
Merit: 0
how does bitcoin secure the github?
I don't know much about github, but if the code is sitting at github,
what is to stop someone from changing it?

someone please explain this to me, I am interested.