From: /dev /fd0 (alicexbtong@gmail.com)
Date: Sat, 20 Jul 2024 23:16:44 -0700 (PDT)
To: Bitcoin Development Mailing List (bitcoindev@googlegroups.com)
Subject: Re: [bitcoindev] Re: A "Free" Relay Attack Taking Advantage of The Lack of Full-RBF In Core
Message-Id: <955e7097-ca7a-452a-953f-718aca14cdc6n@googlegroups.com>
References: <18a5e5a2-92b3-4345-853d-5a63b71d848bn@googlegroups.com> <9c4c2a65-2c87-47f1-85d1-137c32099fb7n@googlegroups.com>

Hi Peter,

I agree that handling of vulnerability reports could be improved, although I have low expectations that bitcoin core will acknowledge any feedback. Here are a few things that we can do to improve the process:

- Report vulnerabilities anonymously and share your real identity with the disclosure later if required.
- Send the email to achow101 or sipa or fanquake and keep security@bitcoincore.org in Cc.
- Let's create a hall of fame webpage which has the names of all developers who reported vulnerabilities along with other details. The community could also donate directly to developers.
- Do not expect a response on weekends, and wait for at least 7-30 days before full disclosure if the vulnerability report is ignored.

Maybe you and others on the mailing list could suggest more improvements.
/dev/fd0
floppy disk guy

On Saturday, July 20, 2024 at 3:12:46 PM UTC Peter Todd wrote:
> On Fri, Jul 19, 2024 at 10:57:40PM -0700, /dev /fd0 wrote:
> > Hi Antoine,
> >
> > > I'm interested if you can propose a formal or mathematical definition of
> > > what constitutes an in-topic or off-topic comment on matters like full RBF, which has been controversial
> > > for like a decade.
> >
> > I will quote _willcl-ark_'s last comment as I do not have enough
> > permissions in the bitcoin core repository to moderate comments:
> >
> > "However the comments section here has become difficult to follow due to
> > numerous off-topic comments, a few personal disagreements, and repetition
> > of arguments. In the interest of having a more productive and focused
> > technical and philosophical discussion we are going to close and lock this
> > PR."
> >
> > A new pull request should help reviewers. If you do not agree with it, feel
> > free to discuss it with moderators in the bitcoin core IRC channel.
>
> It's quite bizarre to use "off topic comments" as an excuse to close a pull-req
> fixing a specific security vulnerability, assuming you actually care about that
> vulnerability. As I've said elsewhere, Core could have easily and quietly
> merged that pull-req as-is, possibly by having a few people write some obvious
> ACK rationales.
>
> The only good explanation for closing it is to further delay merging the
> pull-req, as well as disclosing the vulnerability.
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org