From: /dev /fd0 <alicexbtong@gmail.com>
Date: Sat, 20 Jul 2024 23:16:44 -0700 (PDT)
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] Re: A "Free" Relay Attack Taking Advantage of The Lack of Full-RBF In Core
Message-Id: <955e7097-ca7a-452a-953f-718aca14cdc6n@googlegroups.com>
In-Reply-To: <ZpvS2haduzUQiojV@petertodd.org>

Hi Peter,

I agree that handling of vulnerability reports could be improved, although
I have less expectations from
bitcoin core to acknowledge any feedback. Here are a few things that we can do to improve the process:

- Report vulnerabilities anonymously and share real identity with disclosure later if required.
- Send the email to achow101 or sipa or fanquake and keep security@bitcoincore.org in Cc.
- Let's create a hall of fame webpage which has the name of all developers who reported vulnerabilities along with other details. Community could also donate directly to developers.
- Do not expect response on weekends and wait for at least 7-30 days before full disclosure if vulnerability report is ignored.

Maybe you and others on mailing list could suggest more improvements.

/dev/fd0
floppy disk guy

On Saturday, July 20, 2024 at 3:12:46 PM UTC Peter Todd wrote:

> On Fri, Jul 19, 2024 at 10:57:40PM -0700, /dev /fd0 wrote:
> > Hi Antoine,
> >
> > > I'm interested if you can propose a formal or mathematical definition of
> > > what constitute an in-topic or off-topic comments on a matters like full RBF,
> > > which has been controversial for like a decade.
> >
> > I will quote _willcl-ark_'s last comment as I do not have enough
> > permissions in bitcoin core repository to moderate comments:
> >
> > "However the comments section here has become difficult to follow due to
> > numerous off-topic comments, a few personal disagreements, and repetition
> > of arguments. In the interest of having a more productive and focused
> > technical and philosophical discussion we are going to close and lock this
> > PR."
> >
> > A new pull request should help reviewers. If you do not agree with it, feel
> > free to discuss it with moderators in bitcoin core IRC channel.
>
> It's quite bizarre to use "off topic comments" as an excuse to close a pull-req
> fixing a specific security vulnerability, assuming you actually care about that
> vulnerability. As I've said elsewhere, Core could have easily and quietly
> merged that pull-req as-is, possibly by having a few people write some obvious
> ACK rationales.
>
> The only good explanation for closing it is to further delay merging the
> pull-req, as well as disclosing the vulnerability.
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org