
Topic: Who is doing Peer review on Alt coins and Open Source projects?

Ucy
sr. member
Activity: 2576
Merit: 402
Bisq is a Bitcoin Fiat Dex. Use responsibly
I guess the more popular a Cryptocurrency becomes, the more it gets scrutinized.
Who would even care to add backdoors in Cryptocurrencies no one uses?
Though I won't be surprised if people/governments are sneaking in very sophisticated backdoors.
legendary
Activity: 3024
Merit: 2148
...
I would rather want to see independent unbiased Peer review from the general public that are skilled enough to do this Peer review, than some government with hidden agendas and zero transparency in their review criteria.

When looking at bitcoin, the credo is „be your own bank“ and „no need to trust anyone“. Hence the open source, and everyone to be able to look at the code. Trusting in „white hats“ is against the principle. And creating a list of „approved“ white hats, that would verify the code? Who watches the watchers? This involves a new set of trust complexity, one should be aware of.

Very few people can verify the code by themselves, even those with good programming skills. Almost all of us put trust in Bitcoin contributors who write and test code, and since there are no discussions about some major flaws on social media and news sites, we tend to believe that the code is sound. It's the same as in other activities like science or technology: we trust that something is true when someone has done research, someone has verified it and no one made any counter-arguments. It would be extremely counterproductive and just impossible for everyone to verify everything.

The difference between open and free projects like Bitcoin is that users who can't verify the system on their own are free to choose their own "watchers" that they trust, they can use multiple sources and the final decision is always their own. In centralized systems like governments and proprietary software users have very little choice in general and have to blindly trust some few "watchers".
QRC
newbie
Activity: 10
Merit: 2
In the case of altcoins which are based on bitcoin code, it's not very difficult.
You don't have to review a ton of code in this case. You need to follow a few simple steps.
1) Find the version of bitcoin which the altcoin is based on.
2) Download the bitcoin source code for this version.
3) Use a diff tool for comparison.

You can simplify it a little bit further.
For instance: the vast majority of PoS coins are based on Peercoin code.
As a result, if you need to review any of those forks, you do the above-mentioned steps on Peercoin code instead of bitcoin code.

P.S.: Pay special attention to the GetBlockSubsidy function. Usually all premines are defined there. Smiley
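The three steps and the P.S. above, written out as a small review script. This is an added example and not code from QRC's post or from any project: it assumes the reviewer has already cloned both repositories and checked the upstream one out at the tag the altcoin claims to be based on, then points `review()` at the two directories. It walks both trees and diffs the files they share (step 3), lists files that exist on only one side, and pulls `GetBlockSubsidy` out of each tree by brace matching so the subsidy logic can be compared on its own. The two source trees embedded below are constructed for the demo and are not real Bitcoin or altcoin code; the "fork" differs from "upstream" only by an early return in the subsidy function, which is exactly what the script is meant to surface.

```python
"""Review helper (added example, not the post's code): diff a Bitcoin-derived
altcoin tree against the upstream tree it was forked from, then isolate
GetBlockSubsidy. The embedded trees are CONSTRUCTED samples, not project code."""
import difflib
import os
import re
import tempfile

# Constructed "upstream" files: a subsidy function with halvings and one
# unrelated file that the fork leaves untouched.
UPSTREAM_FILES = {
    "main.cpp": (
        '#include "main.h"\n'
        "\n"
        "CAmount GetBlockSubsidy(int nHeight, const Consensus::Params& params)\n"
        "{\n"
        "    int halvings = nHeight / params.nSubsidyHalvingInterval;\n"
        "    if (halvings >= 64)\n"
        "        return 0;\n"
        "    CAmount nSubsidy = 50 * COIN;\n"
        "    nSubsidy >>= halvings;\n"
        "    return nSubsidy;\n"
        "}\n"
    ),
    "util.cpp": "int Unchanged() { return 1; }\n",
}

# Constructed "fork": identical except for an early return in the subsidy
# function, i.e. the kind of change the post says to look for.
FORK_FILES = dict(UPSTREAM_FILES)
FORK_FILES["main.cpp"] = UPSTREAM_FILES["main.cpp"].replace(
    "{\n    int halvings",
    "{\n    if (nHeight == 1)\n        return 1000000 * COIN; // premine\n"
    "    int halvings",
)


def write_tree(root, files):
    """Write {relative_path: text} under root (only used by the demo)."""
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)


def list_sources(root, exts=(".cpp", ".h")):
    """Relative paths of C++ source files under root."""
    found = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                found.add(os.path.relpath(os.path.join(dirpath, name), root))
    return found


def read(root, rel):
    with open(os.path.join(root, rel)) as f:
        return f.read()


def diff_trees(upstream, fork):
    """Step 3 of the post, file by file.
    Returns (changed: {rel: unified diff lines}, only_upstream, only_fork)."""
    up, fk = list_sources(upstream), list_sources(fork)
    changed = {}
    for rel in sorted(up & fk):
        a, b = read(upstream, rel).splitlines(), read(fork, rel).splitlines()
        if a != b:
            changed[rel] = list(difflib.unified_diff(
                a, b, fromfile="upstream/" + rel, tofile="fork/" + rel, lineterm=""))
    return changed, sorted(up - fk), sorted(fk - up)


def extract_function(source, name):
    """Return the text of the C++ function `name`, from the start of its
    definition line to the matching closing brace; None if not defined here."""
    m = re.search(r"^[^\n]*?\b" + re.escape(name) + r"\s*\([^)]*\)\s*\{",
                  source, re.M)
    if not m:
        return None
    depth = 0
    for i in range(m.end() - 1, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[m.start():i + 1]
    return None


def function_diff(upstream, fork, name="GetBlockSubsidy"):
    """The P.S. of the post: find `name` in both trees and diff just that
    function. Returns only the added (+) and removed (-) lines."""
    def find(root):
        for rel in sorted(list_sources(root)):
            body = extract_function(read(root, rel), name)
            if body:
                return body.splitlines()
        return []
    a, b = find(upstream), find(fork)
    return [l for l in difflib.unified_diff(a, b, lineterm="")
            if l[:1] in ("+", "-") and not l.startswith(("+++", "---"))]


def review(upstream, fork):
    """Reviewer summary: changed files, one-sided files, and the subsidy delta."""
    changed, only_up, only_fork = diff_trees(upstream, fork)
    return {"changed": sorted(changed), "only_upstream": only_up,
            "only_fork": only_fork, "diffs": changed,
            "subsidy_diff": function_diff(upstream, fork)}


def demo():
    """Materialise the constructed trees in a temp dir and review them."""
    with tempfile.TemporaryDirectory() as tmp:
        up, fk = os.path.join(tmp, "bitcoin"), os.path.join(tmp, "altcoin")
        write_tree(up, UPSTREAM_FILES)
        write_tree(fk, FORK_FILES)
        return review(up, fk)


if __name__ == "__main__":
    r = demo()
    print("changed files:", r["changed"], "| only in fork:", r["only_fork"])
    print("\n".join(r["subsidy_diff"]))
```

Against real clones, the full per-file diffs in `diffs` are what you read; `subsidy_diff` is the short list to look at first, since a subsidy rule that upstream never had shows up there as a handful of `+` lines regardless of how much else was renamed.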
sr. member
Activity: 490
Merit: 280
Sometimes people and projects will pay for 'independent' code reviews and such. That's been somewhat common in my experience. Or people who end up with a personal or financial interest in the project and who know what they're doing will spend their time reviewing. Of course that's not something you can always count on.

It's probably rare to non-existent for actual qualified white-hats to be going out of their way to review code that they have no self interest in. Sometimes it happens when a new project comes out and gets attention and people get a shady vibe from it. Then you'll have some people who will go out of their way to try to help people avoid being scammed. But that's certainly not happening very often.

Overall it's a big problem with no obvious solutions other than trying to make sure people are extra cautious about who they trust and what code they run.

We should not trust any 'independent' code reviews when these people are paid by the project owners. This is like Coca-Cola paying supposed 'independent' companies to test if Coca-Cola is bad for your health. You seldom bite the hand that feeds you.

I just love it when White Hats expose hidden exploits in people's code. We have seen this lately with a hardware wallet and also in previous implementations of Bitcoin.

As a community, we should create a fund or something to reward these people when they expose exploits in other people's projects. This will be the driving force for people to do this. I know some companies/projects pay people when they find exploits, but this is something separate to what I am looking for.

We need some incentive scheme for people to actively search for exploits in other people's projects, and if this "find" is big enough, then the community can reward that person or group that exposed that exploit. We need continuous action, not just an idle approach to protect our community.  Wink

Yes, I agree that most reviewers should be viewed with a big dose of skepticism. I do remember a few people back in the day who were pretty shady but tried to build up a brand for themselves doing reviews in the altcoin world.

Yeah, I also love seeing white hats reveal scams and such. Some sort of fund would be a good idea if there were a way to make it happen.
legendary
Activity: 3514
Merit: 1963
Leading Crypto Sports Betting & Casino Platform
Sometimes people and projects will pay for 'independent' code reviews and such. That's been somewhat common in my experience. Or people who end up with a personal or financial interest in the project and who know what they're doing will spend their time reviewing. Of course that's not something you can always count on.

It's probably rare to non-existent for actual qualified white-hats to be going out of their way to review code that they have no self interest in. Sometimes it happens when a new project comes out and gets attention and people get a shady vibe from it. Then you'll have some people who will go out of their way to try to help people avoid being scammed. But that's certainly not happening very often.

Overall it's a big problem with no obvious solutions other than trying to make sure people are extra cautious about who they trust and what code they run.

We should not trust any 'independent' code reviews when these people are paid by the project owners. This is like Coca-Cola paying supposed 'independent' companies to test if Coca-Cola is bad for your health. You seldom bite the hand that feeds you.

I just love it when White Hats expose hidden exploits in people's code. We have seen this lately with a hardware wallet and also in previous implementations of Bitcoin.

As a community, we should create a fund or something to reward these people when they expose exploits in other people's projects. This will be the driving force for people to do this. I know some companies/projects pay people when they find exploits, but this is something separate to what I am looking for.

We need some incentive scheme for people to actively search for exploits in other people's projects, and if this "find" is big enough, then the community can reward that person or group that exposed that exploit. We need continuous action, not just an idle approach to protect our community.  Wink
legendary
Activity: 2898
Merit: 1823
There is no formal process, and I believe no fellow developer will do any "peer review" unless requested by the developers of the project, or unless the project is very interesting, forcing other developers to look.

Weiss ratings and that Chinese rating do not count. Both were making up random numbers good enough for a random number generator. Hahaha.

Yes, "many still question the legitimacy of these rankings. There is little information available as to how exactly the rankings were created and what criteria carried the most weight. Many have suggested that the committee favored strength of blockchain over the currency itself. This is apparent as only 1 of the top 4 cryptos by market cap broke into the top 10."

Source : https://cryptocoinmastery.com/china-releases-crypto-rankings-list-and-bitcoin-places-13th/

I would rather want to see independent unbiased Peer review from the general public that are skilled enough to do this Peer review, than some government with hidden agendas and zero transparency in their review criteria.

I am more interested in the feedback from people that are doing this for the community at no cost, and with no hidden agendas.  Roll Eyes

There are people like Bitcoin contributor Peter Todd who does peer reviews, but the problem is they are very busy. Plus not all "peer reviews" can be trusted. Remember the DAO was a project that was "reviewed" and concluded as secure and ready for release. Haha.


That list is a joke. They forget decentralization and scaling are also important for Cryptocurrency; more complex technology/features/innovation usually sacrifices both decentralization and scaling at the same time.
Unless they think decentralization isn't important. Roll Eyes

I believe scaling should be considered less important. If a cryptocurrency foregoes a little security, decentralization and censorship resistance for "scaling" then that project should lose some points in my opinion.
sr. member
Activity: 490
Merit: 280
Sometimes people and projects will pay for 'independent' code reviews and such. That's been somewhat common in my experience. Or people who end up with a personal or financial interest in the project and who know what they're doing will spend their time reviewing. Of course that's not something you can always count on.

It's probably rare to non-existent for actual qualified white-hats to be going out of their way to review code that they have no self interest in. Sometimes it happens when a new project comes out and gets attention and people get a shady vibe from it. Then you'll have some people who will go out of their way to try to help people avoid being scammed. But that's certainly not happening very often.

Overall it's a big problem with no obvious solutions other than trying to make sure people are extra cautious about who they trust and what code they run.
legendary
Activity: 1904
Merit: 1158
When looking at bitcoin, the credo is „be your own bank“ and „no need to trust anyone“. Hence the open source, and everyone to be able to look at the code. Trusting in „white hats“ is against the principle. And creating a list of „approved“ white hats, that would verify the code? Who watches the watchers? This involves a new set of trust complexity, one should be aware of.
This is a very tricky issue. When money is involved (and huge amounts of it), open-source code needs to be perfect, but is there a metric to judge how much a code base has been peer-reviewed, or what percentage of web developers choose to declare it as "trustworthy"?
Understanding commented code to see what it does is one thing (to be your own bank), but not all of us are technically adept enough to be able to find bugs in thousands of lines of code. We take the security and sanctity of code for bitcoin for granted because of the huge community and the history behind it.

This is why any serious investor would realize that all of the thousands of alt-coins can never be trusted to take bitcoin's place. There are so many parts to the network including the peers, code, mining hardware etc., all of which can be manipulated in some way but are proven to be trustworthy enough with bitcoin.
sr. member
Activity: 257
Merit: 343
...
I would rather want to see independent unbiased Peer review from the general public that are skilled enough to do this Peer review, than some government with hidden agendas and zero transparency in their review criteria.

When looking at bitcoin, the credo is „be your own bank“ and „no need to trust anyone“. Hence the open source, and everyone to be able to look at the code. Trusting in „white hats“ is against the principle. And creating a list of „approved“ white hats, that would verify the code? Who watches the watchers? This involves a new set of trust complexity, one should be aware of.
legendary
Activity: 3514
Merit: 1963
Leading Crypto Sports Betting & Casino Platform
There is no formal process, and I believe no fellow developer will do any "peer review" unless requested by the developers of the project, or unless the project is very interesting, forcing other developers to look.

Weiss ratings and that Chinese rating do not count. Both were making up random numbers good enough for a random number generator. Hahaha.

Yes, "many still question the legitimacy of these rankings. There is little information available as to how exactly the rankings were created and what criteria carried the most weight. Many have suggested that the committee favored strength of blockchain over the currency itself. This is apparent as only 1 of the top 4 cryptos by market cap broke into the top 10."

Source: https://cryptocoinmastery.com/china-releases-crypto-rankings-list-and-bitcoin-places-13th/

I would rather want to see independent unbiased Peer review from the general public that are skilled enough to do this Peer review, than some government with hidden agendas and zero transparency in their review criteria.

I am more interested in the feedback from people that are doing this for the community at no cost, and with no hidden agendas.  Roll Eyes
legendary
Activity: 2898
Merit: 1823
There is no formal process, and I believe no fellow developer will do any "peer review" unless requested by the developers of the project, or unless the project is very interesting, forcing other developers to look.

Weiss ratings and that Chinese rating do not count. Both were making up random numbers good enough for a random number generator. Hahaha.
legendary
Activity: 3514
Merit: 1963
Leading Crypto Sports Betting & Casino Platform
Something that we frequently see is that people are forking from Bitcoin or creating their own Alt coins from the Bitcoin protocol. There are also a lot of Open source projects, for example Wallet providers / Paper wallet generators / Gambling sites, that provide the source code on a Github repository.

Are there people out there who are constantly monitoring and checking if this source code is legit and without backdoors, or do we just take it for granted that this software is "clean"?

Most developers are so busy with their own projects that I cannot think they are spending time checking other people's code?

Any thoughts?