* [Bitcoin-development] Linux packaging letter @ 2013-07-23 20:01 Mike Hearn 2013-07-23 20:14 ` Gregory Maxwell ` (3 more replies) 0 siblings, 4 replies; 27+ messages in thread From: Mike Hearn @ 2013-07-23 20:01 UTC (permalink / raw) To: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 680 bytes --] Hi, Some of us have put together an open letter to the Linux packaging community, outlining why Bitcoin is different to other programs and asking them to not patch or modify the upstream sources. Please consider signing it if you agree (I think the wording by now is fine, so don't edit the contents - use the comment feature if you want to though). https://docs.google.com/document/d/1naenR6N6fMWSpHM0f4jpQhYBEkCEQDbLBs8AXC19Y-o/edit#heading=h.i7tz3gqh65mi The trigger for this is the discovery that Debian bitcoind's got split out of the consensus some time in April, for reasons that nobody yet figured out but is presumably related to a patch (eg it uses system leveldb). [-- Attachment #2: Type: text/html, Size: 940 bytes --] ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-23 20:01 [Bitcoin-development] Linux packaging letter Mike Hearn @ 2013-07-23 20:14 ` Gregory Maxwell 2013-07-23 20:32 ` Mike Hearn 2013-07-23 22:02 ` Scott Howard ` (2 subsequent siblings) 3 siblings, 1 reply; 27+ messages in thread From: Gregory Maxwell @ 2013-07-23 20:14 UTC (permalink / raw) To: Mike Hearn; +Cc: Bitcoin Dev On Tue, Jul 23, 2013 at 1:01 PM, Mike Hearn <mike@plan99.net> wrote: > Hi, > > Some of us have put together an open letter to the Linux packaging > community, outlining why Bitcoin is different to other programs and asking > them to not patch or modify the upstream sources. > > Please consider signing it if you agree (I think the wording by now is fine, > so don't edit the contents - use the comment feature if you want to though). > > https://docs.google.com/document/d/1naenR6N6fMWSpHM0f4jpQhYBEkCEQDbLBs8AXC19Y-o/edit#heading=h.i7tz3gqh65mi Ah, this is not entirely in sync with the last (mostly minor) copyedits that had been signed off by Gavin, Pieter, Jgarzik, and I... but that appears to be a smaller issue than the fact that the whole thing is now being rewritten by "anonymous beaver" and friends. ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-23 20:14 ` Gregory Maxwell @ 2013-07-23 20:32 ` Mike Hearn 2013-07-23 20:50 ` Gregory Maxwell 0 siblings, 1 reply; 27+ messages in thread From: Mike Hearn @ 2013-07-23 20:32 UTC (permalink / raw) To: Gregory Maxwell; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 1360 bytes --] Yes. Someone decided to actually delete the people who had signed so far and replace it with a request for PGP signing - no. Not everyone even uses PGP, which is overkill for this anyway. I'm going to roll the document back and lock it. Sorry, I had hoped people would respect my request to not fiddle with the content, which they did not do. If you'd like to have your name on it, let me know or post here and I'll add it. On Tue, Jul 23, 2013 at 10:14 PM, Gregory Maxwell <gmaxwell@gmail.com>wrote: > On Tue, Jul 23, 2013 at 1:01 PM, Mike Hearn <mike@plan99.net> wrote: > > Hi, > > > > Some of us have put together an open letter to the Linux packaging > > community, outlining why Bitcoin is different to other programs and > asking > > them to not patch or modify the upstream sources. > > > > Please consider signing it if you agree (I think the wording by now is > fine, > > so don't edit the contents - use the comment feature if you want to > though). > > > > > https://docs.google.com/document/d/1naenR6N6fMWSpHM0f4jpQhYBEkCEQDbLBs8AXC19Y-o/edit#heading=h.i7tz3gqh65mi > > Ah, this is not entirely in sync with the last (mostly minor) > copyedits that had been signed off by Gavin, Pieter, Jgarzik, and I... > but that appears to be a smaller issue than the fact that the whole > thing is now being rewritten by "anonymous beaver" and friends. > [-- Attachment #2: Type: text/html, Size: 2013 bytes --] ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-23 20:32 ` Mike Hearn @ 2013-07-23 20:50 ` Gregory Maxwell 2013-07-28 18:21 ` John Dillon 0 siblings, 1 reply; 27+ messages in thread From: Gregory Maxwell @ 2013-07-23 20:50 UTC (permalink / raw) To: Mike Hearn; +Cc: Bitcoin Dev On Tue, Jul 23, 2013 at 1:32 PM, Mike Hearn <mike@plan99.net> wrote: > Yes. Someone decided to actually delete the people who had signed so far and Some people/person went and actually started making substantive edits to the text. The text it's rolled back to is missing the last copyedits from last night too. The text that had been ACKed last night was a3e52973, available at http://luke.dashjr.org/tmp/code/20130723-linux-distribution-packaging-and-bitcoin.md As far as the PGP goes— I think using the PGP is good: it's making use of the right tools, avoids issues like we just had where people go changing the content after names had been affixed, shows solidarity with people building security infrastructure that our ecosystem depends on. If you only use it occasionally then its easy for someone to strip it when it _is_ needed and disguise that just as regular non-use. It's my general view that for people working in our domain basic competence and use of these tools, even when they kinda stink, is a kind of civic hygiene. At the same time it's not urgent. It's poorly used by people and will be ignored by most but packagers are the most frequent users of it that I've encountered. Fortunately, it's harmless in any case. If people are interested in offering PGP signatures of it: wget http://luke.dashjr.org/tmp/code/20130723-linux-distribution-packaging-and-bitcoin.md gpg --clearsign 20130723-linux-distribution-packaging-and-bitcoin.md and post the little signature asc. The result composes nicely: http://luke.dashjr.org/tmp/code/20130723-linux-distribution-packaging-and-bitcoin.md.asc ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-23 20:50 ` Gregory Maxwell @ 2013-07-28 18:21 ` John Dillon 0 siblings, 0 replies; 27+ messages in thread From: John Dillon @ 2013-07-28 18:21 UTC (permalink / raw) To: Gregory Maxwell; +Cc: Bitcoin Dev My signature: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Linux distribution packaging and Bitcoin ======================================== 2013-07-23 This note summarises the dangers inherent in the Linux distribution packaging model for Bitcoin, and forms a request from upstream maintainers to not distribute Bitcoin node software as part of distribution package repositories without understanding the special requirements of Bitcoin. Distributors typically unbundle internal libraries and apply other patches for a variety of generally good reasons, including ensuring that security-critical fixes can be applied once, rather than multiple times for many different packages. In most cases, the common distribution packaging policy has many advantages. However, Bitcoin nodes are an unusual category of software: they implement a complex group consensus in which every client verifies the behaviour of every other exactly. Even an exceptionally subtle change - including apparently harmless bugfixes - can cause a failure to reach consensus. A consensus failure of one client is a security risk to the user of that client. A significant number of nodes failing to reach consensus - as happened in March 2013 due to a change in database libraries[1] - is a critical problem that threatens the functionality and security of the system for all users. For this reason, it is _vital_ that as much of the network as possible uses _unmodified_ implementations that have been carefully audited and tested, including dependencies. For instance, if the included copy of LevelDB in bitcoind is replaced by a system-wide shared library, _any_ change to that shared library requires auditing and testing, a requirement generally not met by standard distributor packaging practices. Because distributed global consensus is a new area of computer science research, the undersigned request that distributors refrain from packaging Bitcoin node software (including bitcoind and Bitcoin-Qt) and direct users to the upstream-provided binaries instead _until they understand the unique testing procedures and other requirements to achieve consensus_. Beyond being globally consistent, upstream binaries are produced using a reproducible build system[2], ensuring that they can be audited for backdoors. 1. https://en.bitcoin.it/wiki/BIP_0050 2. http://gitian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQEcBAEBCAAGBQJR9WC5AAoJEEWCsU4mNhiPg6UH/2oHzBWBPaQMhH/GCTHQEi5U 7GSRfqwihIs/M2ROHLNq0HhgWR7mPAh5TTI6+tG95FCGCGNZq0seqw9wW4ZyGCoc VueY51q4hcn23405oLD/QGK2lDxxywWY8XtFYVPqAzXTq6zRzgpNJkjoRtOAUOP7 3PrRkimYYyj0KrqFg+cEvZDT27dkeX+5PXM6Ua0o7h/TlhR2RJPhej5DI8cNLXgA f0t+mES4Apb6zLgnEYYlPp22FR9vuFcJO3z1akhVL4DLUMqr58NYHLVnH1FH0Jhn hVuld159QtCjQ5Qyn19cn86akTQJVi+ikCXqaKriCc2jBFX7TCI8WTDc6aSZpsQ= =oX5d -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-23 20:01 [Bitcoin-development] Linux packaging letter Mike Hearn 2013-07-23 20:14 ` Gregory Maxwell @ 2013-07-23 22:02 ` Scott Howard 2013-07-23 22:26 ` Luke-Jr 2013-07-24 1:45 ` Douglas Huff 2013-07-23 22:33 ` [Bitcoin-development] Linux packaging letter Pieter Wuille 2013-07-23 23:23 ` Greg Troxel 3 siblings, 2 replies; 27+ messages in thread From: Scott Howard @ 2013-07-23 22:02 UTC (permalink / raw) To: Debian Bitcoin Packaging Team; +Cc: Bitcoin Dev On Tue, Jul 23, 2013 at 4:01 PM, Mike Hearn <mike@plan99.net> wrote: > Hi, > > Some of us have put together an open letter to the Linux packaging > community, outlining why Bitcoin is different to other programs and asking > them to not patch or modify the upstream sources. > > Please consider signing it if you agree (I think the wording by now is fine, > so don't edit the contents - use the comment feature if you want to though). > > https://docs.google.com/document/d/1naenR6N6fMWSpHM0f4jpQhYBEkCEQDbLBs8AXC19Y-o/edit#heading=h.i7tz3gqh65mi > > The trigger for this is the discovery that Debian bitcoind's got split out > of the consensus some time in April, for reasons that nobody yet figured out > but is presumably related to a patch (eg it uses system leveldb). Hi Mike, Debian's bitcoin is maintained on an open and archived mailing list and git repo: Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org> If there is a problem or question, getting an answer should be really easy. It would be good to include them in the discussion there (I CC:ed the list). If the upstream developers have a consensus that distribution packaging is not in the best interest of the project, then I personally would defer to their judgement and request removal. I'm leaving this open for other opinions from the Debian side. That said, let me summarize the arguments and see if we can figure out a permanent solution: 1) It appears that the consensus of upstream developers is that any distributed binary should only be linked against libraries that the bitcoin developers have tested and audited since any compatibility bug is a risk to both the user and the network. Response: Is there a way to "certify" the Debian libraries? Debian bitcoind/bitcoin-qt runs the compile test during all architectures. MIPS has been failing recently, but no one has looked into it yet. Perhaps it's not worth developers efforts yet, but at some point the technology should reach a point it can be redistributed. 2) Bitcoin is new technology, so any patches have the ability of harming both the network and user. Response: I, and I'm sure everyone else working on it, totally agrees. All patches are public [1], you can see that the patches are only to the build system (except for one adding a debug message). Is there a specific patch or bug that is problematic? This seems to be reiterating (1) above: don't patch the build system to use libraries that were not audited by the developers. The two solutions are: (1) no one besides the upstream developers compiles and distributes binaries, ever, or (2) upstream comes up with a system where someone besides them can compile working binaries for distribution. Most likely the best solution is to do (1) until upstream sets up a system to allow (2). I'm curious as to other's opinions. Thanks, Scott [1] http://anonscm.debian.org/gitweb/?p=collab-maint/bitcoin.git;a=tree;f=debian/patches;h=ba576f9f3ddad47a2f85dcbfb7a0b3482834f19f;hb=HEAD ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-23 22:02 ` Scott Howard @ 2013-07-23 22:26 ` Luke-Jr 2013-07-24 3:00 ` Scott Howard 2013-07-24 1:45 ` Douglas Huff 1 sibling, 1 reply; 27+ messages in thread From: Luke-Jr @ 2013-07-23 22:26 UTC (permalink / raw) To: bitcoin-development; +Cc: Debian Bitcoin Packaging Team [-- Attachment #1: Type: Text/Plain, Size: 3667 bytes --] On Tuesday, July 23, 2013 10:02:28 PM Scott Howard wrote: > 1) It appears that the consensus of upstream developers is that any > distributed binary should only be linked against libraries that the > bitcoin developers have tested and audited since any compatibility bug > is a risk to both the user and the network. > > Response: Is there a way to "certify" the Debian libraries? Debian > bitcoind/bitcoin-qt runs the compile test during all architectures. It doesn't need to be audited by any given person or team, just someone who understands the issues and can dedicate the time to doing a competent audit. Testing bitcoind/bitcoin-qt is not sufficient: you must guarantee that your libraries (especially LevelDB) are bug-for-bug compatible with the ones used by everyone else. And not only the current versions, but every future version to ever hit the repository. This means a lot of additional work for the maintainers of the library packages, and the security team; for example, the security team must understand that they *cannot* deploy a critical security bugfix to LevelDB until someone competent has reviewed that it is behaviourally (including bug behaviours!) compatible with the versions in use everywhere else/previously. I think it is likely all this additional work/delays will be considered unacceptable to your library/security teams, thus using the bundled/embedded LevelDB is probably the best solution. > MIPS has been failing recently, but no one has looked into it yet. > Perhaps it's not worth developers efforts yet, but at some point the > technology should reach a point it can be redistributed. MIPS (and any other big endian architecture) has *always* failed on the Satoshi codebase, and will not be supported until someone has time to dedicate to fixing the numerous little-endian assumptions in the code. I have an incomplete port, but it isn't very high on my priority list to figure out what else it's missing. > 2) Bitcoin is new technology, so any patches have the ability of > harming both the network and user. > > Response: I, and I'm sure everyone else working on it, totally agrees. > All patches are public [1], you can see that the patches are only to > the build system (except for one adding a debug message). Is there a > specific patch or bug that is problematic? This seems to be > reiterating (1) above: don't patch the build system to use libraries > that were not audited by the developers. > > The two solutions are: (1) no one besides the upstream developers > compiles and distributes binaries, ever, or (2) upstream comes up with > a system where someone besides them can compile working binaries for > distribution. Most likely the best solution is to do (1) until > upstream sets up a system to allow (2). Debian could probably get away with packaging Bitcoin-Qt and bitcoind as-is with no modifications, and not have any problems. It's only when you begin making modifications that it becomes a problem. There are also some concerns that it puts a much larger price on compromising Debian's build servers and/or repositories (suddenly the attacker can steal a LOT of money). The official binaries are not simply built by upstream developers: using Gitian, *anyone* can produce bit-for-bit identical binaries. Official releases are only published after 3 or more people have done an independent compile and signed the output. It would be excellent if the whole of Debian could work toward achieving this level of security eventually, which would make distributing Bitcoin node software much safer as well. Luke [-- Attachment #2: This is a digitally signed message part. --] [-- Type: application/pgp-signature, Size: 1530 bytes --] ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-23 22:26 ` Luke-Jr @ 2013-07-24 3:00 ` Scott Howard 0 siblings, 0 replies; 27+ messages in thread From: Scott Howard @ 2013-07-24 3:00 UTC (permalink / raw) To: Luke-Jr; +Cc: Bitcoin Dev, Debian Bitcoin Packaging Team On Tue, Jul 23, 2013 at 6:26 PM, Luke-Jr <luke@dashjr.org> wrote: > This means a lot of additional work for the > maintainers of the library packages, and the security team; for example, the > security team must understand that they *cannot* deploy a critical security > bugfix to LevelDB until someone competent has reviewed that it is > behaviourally (including bug behaviours!) compatible with the versions in use > everywhere else/previously. I think it is likely all this additional > work/delays will be considered unacceptable to your library/security teams, > thus using the bundled/embedded LevelDB is probably the best solution. The above is a key point, lukejr addressed it well "I think it is likely all this additional work/delays will be considered unacceptable to your library/security teams, thus using the bundled/embedded LevelDB is probably the best solution." >> MIPS has been failing recently, but no one has looked into it yet. >> Perhaps it's not worth developers efforts yet, but at some point the >> technology should reach a point it can be redistributed. > > MIPS (and any other big endian architecture) has *always* failed on the > Satoshi codebase, and will not be supported until someone has time to dedicate > to fixing the numerous little-endian assumptions in the code. I have an > incomplete port, but it isn't very high on my priority list to figure out what > else it's missing. To be clear, bitcoind/bitcoin-qt is only built on little endian machines https://buildd.debian.org/status/package.php?p=bitcoin > Debian could probably get away with packaging Bitcoin-Qt and bitcoind as-is > with no modifications, and not have any problems. It's only when you begin > making modifications that it becomes a problem. There are also some concerns > that it puts a much larger price on compromising Debian's build servers and/or > repositories (suddenly the attacker can steal a LOT of money). The only current modification is to use system leveldb instead of the packaged leveldb. (There is also a patch porting libmemenv.a to several other architectures, but that is only used in test suites - so it shouldn't pose a risk to users). > > The official binaries are not simply built by upstream developers: using > Gitian, *anyone* can produce bit-for-bit identical binaries. Official releases > are only published after 3 or more people have done an independent compile and > signed the output. It would be excellent if the whole of Debian could work > toward achieving this level of security eventually, which would make > distributing Bitcoin node software much safer as well. Ironically, debian (in general) doesn't trust upstream security maintenance of third part libraries - that's why they typically get dropped in favor of use system libraries. In this case, upstream doesn't trust (rightfully) that some future debian security team bug fix to a stable library won't be tested properly against bitcoin, causing problems for users (since bitcoin might expect buggy library behavior). I'm not the original packager or maintainer - I just came across the package in really bad shape and helped bring it to something reasonable and have done the most recent uploads (since 0.8, I believe). Since updated libraries could pose a security risk because bitcoin may expect buggy behavior, I think that is a good argument for debian to use the included library. However, I'm just a recent helper - I still want to hear what people who have been doing this for longer think. ~Scott ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-23 22:02 ` Scott Howard 2013-07-23 22:26 ` Luke-Jr @ 2013-07-24 1:45 ` Douglas Huff 2013-07-24 2:27 ` Scott Howard 2013-07-24 3:54 ` [Bitcoin-development] Endianness (was: Linux packaging letter) Wendell 1 sibling, 2 replies; 27+ messages in thread From: Douglas Huff @ 2013-07-24 1:45 UTC (permalink / raw) To: Scott Howard; +Cc: Bitcoin Dev, Debian Bitcoin Packaging Team Honestly, until I read the quoted part of your response, I actually wasn't in favor of this whole thing since in general the types of issues being mentioned are, in large part, the types of issues that maintainers deal with all the time. On Jul 23, 2013, at 3:02 PM, Scott Howard <showard314@gmail.com> wrote: > Response: Is there a way to "certify" the Debian libraries? Debian > bitcoind/bitcoin-qt runs the compile test during all architectures. > MIPS has been failing recently, but no one has looked into it yet. > Perhaps it's not worth developers efforts yet, but at some point the > technology should reach a point it can be redistributed. The fact that you're even trying to package and/or at some point have packaged and shipped big endian binaries is straight up *NEGLIGENT.* Stop that. Now. It won't work. Thanks for showing that this *is* necessary, I guess. ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-24 1:45 ` Douglas Huff @ 2013-07-24 2:27 ` Scott Howard 2013-07-24 3:54 ` [Bitcoin-development] Endianness (was: Linux packaging letter) Wendell 1 sibling, 0 replies; 27+ messages in thread From: Scott Howard @ 2013-07-24 2:27 UTC (permalink / raw) To: Douglas Huff; +Cc: Bitcoin Dev, Debian Bitcoin Packaging Team On Tue, Jul 23, 2013 at 9:45 PM, Douglas Huff <dhuff@jrbobdobbs.org> wrote: > Honestly, until I read the quoted part of your response, I actually wasn't in favor of this whole thing since in general the types of issues being mentioned are, in large part, the types of issues that maintainers deal with all the time. > > On Jul 23, 2013, at 3:02 PM, Scott Howard <showard314@gmail.com> wrote: > >> Response: Is there a way to "certify" the Debian libraries? Debian >> bitcoind/bitcoin-qt runs the compile test during all architectures. >> MIPS has been failing recently, but no one has looked into it yet. >> Perhaps it's not worth developers efforts yet, but at some point the >> technology should reach a point it can be redistributed. > > > The fact that you're even trying to package and/or at some point have packaged and shipped big endian binaries is straight up *NEGLIGENT.* > > Stop that. Now. It won't work. > > Thanks for showing that this *is* necessary, I guess. before people get too upset, I'm talking about little-endian MIPS (debian-mipsel) http://www.debian.org/ports/mips/ ^ permalink raw reply [flat|nested] 27+ messages in thread
* [Bitcoin-development] Endianness (was: Linux packaging letter) 2013-07-24 1:45 ` Douglas Huff 2013-07-24 2:27 ` Scott Howard @ 2013-07-24 3:54 ` Wendell 2013-07-24 4:03 ` Luke-Jr 2013-07-24 4:07 ` Gregory Maxwell 1 sibling, 2 replies; 27+ messages in thread From: Wendell @ 2013-07-24 3:54 UTC (permalink / raw) To: Bitcoin Dev Forking for curiosity's sake: Is there a substantial barrier to endian independence in the Bitcoin codebase? -wendell grabhive.com | twitter.com/grabhive On Jul 24, 2013, at 3:45 AM, Douglas Huff wrote: > The fact that you're even trying to package and/or at some point have packaged and shipped big endian binaries is straight up *NEGLIGENT.* ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Endianness (was: Linux packaging letter) 2013-07-24 3:54 ` [Bitcoin-development] Endianness (was: Linux packaging letter) Wendell @ 2013-07-24 4:03 ` Luke-Jr 2013-07-24 4:07 ` Gregory Maxwell 1 sibling, 0 replies; 27+ messages in thread From: Luke-Jr @ 2013-07-24 4:03 UTC (permalink / raw) To: bitcoin-development On Wednesday, July 24, 2013 3:54:25 AM Wendell wrote: > Is there a substantial barrier to endian independence in the Bitcoin > codebase? I got the obvious stuff ('endian' branch in my repo), but it still didn't work when I moved on. I haven't had time to try to figure out why not yet. Luke ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Endianness (was: Linux packaging letter) 2013-07-24 3:54 ` [Bitcoin-development] Endianness (was: Linux packaging letter) Wendell 2013-07-24 4:03 ` Luke-Jr @ 2013-07-24 4:07 ` Gregory Maxwell 2013-07-24 4:09 ` Gregory Maxwell 1 sibling, 1 reply; 27+ messages in thread From: Gregory Maxwell @ 2013-07-24 4:07 UTC (permalink / raw) To: Wendell; +Cc: Bitcoin Dev On Tue, Jul 23, 2013 at 8:54 PM, Wendell <w@grabhive.com> wrote: > Forking for curiosity's sake: > Is there a substantial barrier to endian independence in the Bitcoin codebase? Not really. The software was originally written to write out memory order to and from the wire, which is part of why the protocol is LE everywhere, so fixing that much is pretty typical endianness fixes. There is an extra kink in that almost everything Bitcoin sends and receives is an authenticated data structure— the stuff gets hashed for authentication. So that simply swizzling the byte order on immediately on input isn't enough because sometimes you'll go on to hash that data and it can't be in memory order for that. Luke gave an initial crack at it a long time ago: http://gitorious.org/~Luke-Jr/bitcoin/luke-jr-bitcoin/commits/endian But it wasn't enough yet. Seems like its just enough of an undertaking that absent a really good reason to care about it no real progress in fixing it is happening. ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Endianness (was: Linux packaging letter) 2013-07-24 4:07 ` Gregory Maxwell @ 2013-07-24 4:09 ` Gregory Maxwell 0 siblings, 0 replies; 27+ messages in thread From: Gregory Maxwell @ 2013-07-24 4:09 UTC (permalink / raw) To: Wendell; +Cc: Bitcoin Dev On Tue, Jul 23, 2013 at 9:07 PM, Gregory Maxwell <gmaxwell@gmail.com> wrote: > order to and from the wire, which is part of why the protocol is LE > everywhere, *before someone corrects me, it's not LE everywhere (I meant "manywhere" :P)— there is just enough BE to keep you on your toes. :P ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-23 20:01 [Bitcoin-development] Linux packaging letter Mike Hearn 2013-07-23 20:14 ` Gregory Maxwell 2013-07-23 22:02 ` Scott Howard @ 2013-07-23 22:33 ` Pieter Wuille 2013-07-23 23:23 ` Greg Troxel 3 siblings, 0 replies; 27+ messages in thread From: Pieter Wuille @ 2013-07-23 22:33 UTC (permalink / raw) To: Mike Hearn; +Cc: Bitcoin Dev On Tue, Jul 23, 2013 at 10:01:55PM +0200, Mike Hearn wrote: > The trigger for this is the discovery that Debian bitcoind's got split out > of the consensus some time in April, for reasons that nobody yet figured > out but is presumably related to a patch (eg it uses system leveldb). Just to make sure there are no misunderstandings, as far as I know there is no reason to assume the reported problem (comment on #2726) is: 1) a fork (it's an indeterministic and avoidable database corruption, it seems) 2) related to leveldb 3) reproducible by more than one person 4) debian's fault. That said, I think reaching out to packagers to educate them about the risks is a good idea - but let's not blame people before we understand our own problems. -- Pieter ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-23 20:01 [Bitcoin-development] Linux packaging letter Mike Hearn ` (2 preceding siblings ...) 2013-07-23 22:33 ` [Bitcoin-development] Linux packaging letter Pieter Wuille @ 2013-07-23 23:23 ` Greg Troxel 2013-07-23 23:45 ` Luke-Jr 2013-07-24 0:50 ` Gregory Maxwell 3 siblings, 2 replies; 27+ messages in thread From: Greg Troxel @ 2013-07-23 23:23 UTC (permalink / raw) To: bitcoin-development I find it interesting that this is a "linux packaging letter". How much of this applies to pkgsrc, FreeBSD ports, OpenBSD ports, and other non-Linux packaging systems (pkgsrc supports Linux as on of 20 operating systems, but is not a "Linux packaging system")? Is the repeatable build infrastructure portable (to any reasonable mostly-POSIX-compliant system, with gcc or clang)? I have the vague impression it's Ubuntu only, but I am very unclear on this point. How does this repeatableness interact with building for multiple operating systems and cpu types (say 20 OS, with typically 3 versions of the OS for each, with 1-20 cpu types per OS, for a cross-product of perhaps 200 combinations)? Requiring precise library depdendencies is quite awkward. Certainly requiring new enough to avoid known bugs is understandable, but that should be caught at configure time and fail. Synchronous updates of multiple packages is difficult, and runs into A wants only n of C, while B wants only m. So if you are talking about running regression tests with the set of versions of a dependency that are considered reasonable, and there's therefore a solution to the multiple-package constraint problem, that seems ok. It seems like a bug that the package will build on BE systems and then fail tests. If it's known not to be ok, it seems that absent some configure-time flag the build should fail. Asking people not to patch should mean willingnesss to make accomodation in the master sources for build issues for multiple packaging systems. I haven't gotten around to packaging this for pkgsrc - so far I only have the energy to lurk (due to too many things on the todo list). But I often find that some changes are needed. If you're willing (in theory) to add in configure flags to control build behavior (in a way that you can audit and decide is safe), that's great, and of course we can discuss an actual situation when one gets figured out. Greg ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-23 23:23 ` Greg Troxel @ 2013-07-23 23:45 ` Luke-Jr 2013-07-24 0:50 ` Gregory Maxwell 1 sibling, 0 replies; 27+ messages in thread From: Luke-Jr @ 2013-07-23 23:45 UTC (permalink / raw) To: bitcoin-development; +Cc: Greg Troxel [-- Attachment #1: Type: Text/Plain, Size: 2556 bytes --] On Tuesday, July 23, 2013 11:23:27 PM Greg Troxel wrote: > I find it interesting that this is a "linux packaging letter". How much > of this applies to pkgsrc, FreeBSD ports, OpenBSD ports, and other > non-Linux packaging systems (pkgsrc supports Linux as on of 20 operating > systems, but is not a "Linux packaging system")? It was written with bitcoind/Bitcoin-Qt in mind, which don't work on BSD. :p > Is the repeatable build infrastructure portable (to any reasonable > mostly-POSIX-compliant system, with gcc or clang)? I have the vague > impression it's Ubuntu only, but I am very unclear on this point. How > does this repeatableness interact with building for multiple operating > systems and cpu types (say 20 OS, with typically 3 versions of the OS > for each, with 1-20 cpu types per OS, for a cross-product of perhaps 200 > combinations)? It should be portable to other systems, though hasn't been done yet. Would be nice if the concepts it uses could be integrated into the package- building systems. > Requiring precise library depdendencies is quite awkward. Certainly > requiring new enough to avoid known bugs is understandable, but that > should be caught at configure time and fail. The problem is that we require bugs. That is, if your library has those bugs fixed, you have introduced a security vulnerability. > It seems like a bug that the package will build on BE systems and then > fail tests. If it's known not to be ok, it seems that absent some > configure-time flag the build should fail. There is no configure-time for this node software yet. The autoconf-based one in the works *does* make this check, however. > Asking people not to patch should mean willingnesss to make accomodation > in the master sources for build issues for multiple packaging systems. > I haven't gotten around to packaging this for pkgsrc - so far I only > have the energy to lurk (due to too many things on the todo list). But > I often find that some changes are needed. If you're willing (in > theory) to add in configure flags to control build behavior (in a way > that you can audit and decide is safe), that's great, and of course we > can discuss an actual situation when one gets figured out. The review process is very slow and strict, but that is because of the same reasons it isn't safe to distribute patched versions in general. Merging your patches to mainline is not only a good idea, but it helps to ensure they get the necessary testing needed to be safe. Luke [-- Attachment #2: This is a digitally signed message part. --] [-- Type: application/pgp-signature, Size: 1530 bytes --] ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-23 23:23 ` Greg Troxel 2013-07-23 23:45 ` Luke-Jr @ 2013-07-24 0:50 ` Gregory Maxwell 2013-07-24 2:35 ` zooko 2013-07-27 0:43 ` Greg Troxel 1 sibling, 2 replies; 27+ messages in thread From: Gregory Maxwell @ 2013-07-24 0:50 UTC (permalink / raw) To: Greg Troxel; +Cc: bitcoin-development On Tue, Jul 23, 2013 at 4:23 PM, Greg Troxel <gdt@work.lexort.com> wrote: > Is the repeatable build infrastructure portable (to any reasonable > mostly-POSIX-compliant system, with gcc or clang)? I have the vague It's "portable" to anything that can run the relevant VMs. Uh provided you don't mind cross compiling everything from an unbuntu VM. It certainly would be nice if the trusted-computing-base for gitian were a bit smaller, thats an area for long term improvement for sure. It may need some massaging. The tor project is beginning to use the same infrastructure, so this could be usefully conserved work. Likewise expanding the supported output targets would be great— though in the case of Bitcoin this is bounded by resources to adequately QA builds on alternative targets. > Requiring precise library depdendencies is quite awkward. Certainly > requiring new enough to avoid known bugs is understandable, but that > should be caught at configure time and fail. In some cases packages solving bugs is problematic for Bitcoin. This is something that it seems to take a whiteboard to explain, so I apologize for the opacity of simple email here. From a technical perspective Bitcoin's whole purpose is getting a whole bunch of computers world wide to reach a bit identical agreement on the content of a database, subject to a whole pile of rules, in the face of potentially malicious input, without any trusted parties at all (even the guy you got the software from, assuming you have the resources to audit it). I'll walk through a simple example: Say Bitcoin used a backing database which had an unknown a bug where any item with a key that begins with 0xDEADBEEF returns not found when queried, even if its in the DB. Once discovered, any database library would want to fix that quickly and they'd fix it in a point release without reservation. They might not even release note that particular fix it if went along with some others, it could even be fixed accidentally. Now say that we have a state where half the Bitcoin network is running the old buggy version, and half is running the fixed version. Someone creates a transaction with ID 0xDEADBEEF... and then subsequently spends the output of that transaction. This could be by pure chance or it could be a malicious act. To half the network that spending transaction looks like someone spending coin from nowhere, a violation of the rules. The consensus would then fork, effectively partitioning the network. On each fork any coin could be spent twice, and the fork will only be resolvable by one side or the other abandoning their state (generally the more permissive side would need to be abandoned because the permissive one is tolerant of the restrictive one's behavior) by manually downgrading or patching software. As a result of this parties who believed some of their transactions were safely settled would find them reversed by people who exploited the inconsistent consensus. To deploy such a fix in Bitcoin without creating a risk for participants we need to make a staged revision of the network protocol rules: There would be a protocol update that fixed the database bug _and_ explicitly rejected 0xDEADBEEF transactions until either some far out future date or until triggered by quorum sensing (or both). The users of Bitcoin would all be advised that they had to apply fixes/workaround by the switchover point or be left out of service or vulnerable. At designated time / quorum nodes would simultaneously switch to the new behavior. (Or in some cases, we'd just move the 'bug' into the Bitcoin code so that it can be fixed in the database, and we'd then just keep it forever, depending on how harmful it was to Bitcoin, a one if 4 billion chance of having to rewrite a transaction wouldn't be a big deal) We've done these organized updates to solve problems (as various flaws in Bitcoin itself can present similar consensus risks) several times with great success, typical time horizons spanning for months to years. But it cannot work if the behavior is changed out from under the software. Fortunately, if the number of users running with an uncontrolled consensus relevant inconsistent behavior is small the danger is only to themselves (and, perhaps, their customers). I'm not happy to see anyone get harmed, but it's better if its few people than many. This is part of the reason that it's a "linux packaging letter", since for Bitcoin the combination of uncoordinated patching and non-trivial userbases appears to be currently unique to GNU/Linux systems. Though indeed, the concerns do apply more broadly. > multiple packages is difficult, and runs into A wants only n of C, while > B wants only m. My understanding is that gentoo is actually able to handle this (and does, for Bitcoin)— and really I presume just about everything else could with enough effort. I certainly wouldn't ask anyone else to do that. If you're really getting into the rathole of building separate libraries just for Bitcoin the value of packaging it goes away. > So if you are talking about running regression tests > with the set of versions of a dependency that are considered reasonable, > and there's therefore a solution to the multiple-package constraint > problem, that seems ok. Running a complete set of tests is a start— though the unit tests are not and cannot be adequate. There is a full systems testing harnesses which should be used on new platforms. Even that though isn't really adequate, as it is currently infeasible to even achieve complete test coverage in things like cryptographic libraries and database environments. This is an area where both the Bitcoin software ecosystem and the greater art of large scale software validation need to mature. You won't hear anyone applauding the fact that harmless looking bugfixes in leveldb, boost, or openssl could be major doom event makers We're not crazy folks who insist on using formally undefined behavior and argue that it should never be changed out from under us. When there is a known risk we will boil the oceans to close it even if we think that the world would be more 'proper' some other way, but for known-unknowns and unknown-unknowns we can only adopt a conservative approach and try to do our best. One of the middle term things we did was internally integrated our validation database library (leveldb). Since we _know_ that its a consistency critical component, and a part of our system that is especially difficult to validate, integrating it meant removing a lot of risk and allowed it to be upgraded with an eye on the Bitcoin-specific consequences. Unfortunately distributions have been patching Bitcoin to unbundle it. Checking versions isn't adequate because, at least in other packages, some distributors frequently backport fixes or apply novel fixes which may not even be shared with upstream. Other considerations may drive us out of external dependencies for many of the consensus parts of Bitcoin. E.g. Pieter has writen an ECDSA library for our specific ECC curve which does signature validation >6x faster than OpenSSL (but it isn't obviously upstreamable due to some differing requirements for constant time operations), at some point we may need to adopt a backing database that is able to produce authentication proofs, etc. Certainly additional clever tests will make undiscovered surprising behavior less likely, though figuring out how to get the tests actually run if they take two hours and use 20GB of disk space is a challenge. ... but today we need to work with what we have, which is fragile in some atypical ways. Part of that is making an effort to make sure that anyone who might create a big footgun event has some idea of the concern space. > It seems like a bug that the package will build on BE systems and then > fail tests. If it's known not to be ok, it seems that absent some > configure-time flag the build should fail. Configure time? At the moment Bitcoin is built with a straight forward makefile (though there is a switch to autotools in the pipeline). BE isn't currently supported (and I believe this is well documented in the package). Fixing this would be nice, patches accepted. There was an amusing incident a while back where a distributor was refusing to take an update that added unit tests because they revealed failures on BE, nevermind that the application itself instantly failed on BE and never worked there. I believe that has since been resolved. > Asking people not to patch should mean willingnesss to make accomodation > in the master sources for build issues for multiple packaging systems. > I haven't gotten around to packaging this for pkgsrc - so far I only > have the energy to lurk (due to too many things on the todo list). But > I often find that some changes are needed. If you're willing (in > theory) to add in configure flags to control build behavior (in a way > that you can audit and decide is safe), that's great, and of course we > can discuss an actual situation when one gets figured out. I _believe_ (and hope) we've been very accommodating system specific fixes, even for systems we don't formally support. I personally believe that portable software is better software. Portability forces you to dust out nasty cobwebs, reveals dependency on dangerous undefined behavior, encourages intelligent abstractions and appropriate testing, and it invites contributions from more hands and eyes— I don't care if you use a weird OS: I just want you for your code and your bug-reports. So even if we don't consider a platform worth supporting in any rigorous way, we should still be open to fixes and build support. ... although we're typical very much resource bound on testing. Our upstreaming pipeline is often somewhat slow. But it's slow because we are serious about review, even of trivial changes. Being slow is no reason to not submit, even if you make a decision to not block on it (though, if you're doing that you should make the decision in full knowledge of the potential implications). Like all things stepping up and being willing to do the work goes a long way to getting things done. ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-24 0:50 ` Gregory Maxwell @ 2013-07-24 2:35 ` zooko 2013-07-24 3:19 ` Gregory Maxwell 2013-07-27 0:43 ` Greg Troxel 1 sibling, 1 reply; 27+ messages in thread From: zooko @ 2013-07-24 2:35 UTC (permalink / raw) To: Gregory Maxwell; +Cc: bitcoin-development, Greg Troxel Folks: With all due respect, I think the letter as I see it at https://docs.google.com/document/d/1naenR6N6fMWSpHM0f4jpQhYBEkCEQDbLBs8AXC19Y-o/edit#heading=h.i7tz3gqh65mi should be changed before being shown to package maintainers. I think some package maintainers might perceive this version of the letter as high-handed -- telling someone else how to do their job -- and they might not notice the actual facts included in the letter explaining why Bitcoin really *is* different than a lot of software. You should understand that without a careful read, this letter sounds much like a cry that packagers have heard from hundreds of other authors who say things to the effect that "my software is different and more important and packager maintainers have to do things my way". Why not solicit the cooperation of a few package maintainers and write a joint letter with them signing on? Instead of it being a one-sided lecture from Bitcoin devs to packagers, it would be a shared statement *and* packagers, and it would be phrased in language that would make it instantly clear to other packagers that this isn't just another whine from ignorant devs. If you're interested in that, there are lots of packagers who would be happy to help. Greg Troxel (pkgsrc) is one, who has already posted to this thread. I'd be happy to invite the ones that I've worked with to package the software that I am a dev on -- Tahoe-LAFS. What I'm proposing is that we contact some packagers and say "Here's this rough draft, and we'd like you to suggest edits that would make it into the kind of letter that you'd sign your name to.". At the very least, we'd learn something from the ensuing conversation. Regards, Zooko ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-24 2:35 ` zooko @ 2013-07-24 3:19 ` Gregory Maxwell 2013-07-24 8:28 ` Mike Hearn 0 siblings, 1 reply; 27+ messages in thread From: Gregory Maxwell @ 2013-07-24 3:19 UTC (permalink / raw) To: zooko; +Cc: bitcoin-development, Greg Troxel On Tue, Jul 23, 2013 at 7:35 PM, zooko <zooko@zooko.com> wrote: > I think some > package maintainers might perceive this version of the letter as high-handed -- > telling someone else how to do their job -- and they might not notice the > actual facts included in the letter explaining why Bitcoin really *is* > different than a lot of software. Bummer, because this was a explicit consideration while writing it and a concern several people had with the initial draft Mike did. We're very much aware that upstreams frequently cry (wolf) at the mutilation of their unique and precious snowflake. The intention was that second paragraph acknowledging the many good motivations for the existing norms and the third paragraph talking about consensus systems would address these concerns— showing that we aren't totally clueless, and pointing out that we have an actually unusual situation. In intermediate drafts they were longer and more elaborate, but we were struggling against length and trying to avoid delving into a highly technical discussion which would lose anyone who wasn't already very interested. We also compromised on an initial approach of "please don't package this at all" to "please understand first", in part at the protest of our gentoo package (which also bundles leveldb but hard locks it to an exact version in the package system with exact build flags, which is a sophisticated compromise which might not generalize to other distributors) maintainer (uh, Luke-Jr, not exactly the most representative sample). As a first step it's at least important to know that there is a concern here shared by a bunch of people. Helping talk people through understanding it is part of the job here. I certainly didn't expect the discussion to stop with the letter but getting it out there is a way to start the discussion and make it more likely that we have it again with the next packager who comes around. I guess the first priority though is avoiding gratuitously offending people. Can anyone point out any specific tweaks that would reduce initial bristling? On Tue, Jul 23, 2013 at 6:45 PM, Douglas Huff <dhuff@jrbobdobbs.org> wrote: > Honestly, until I read the quoted part of your response, Oh be nice. If any of this were easy it would all be _done_ already. :) There is naturally some tension when people with different priorities and backgrounds interact, ... I've seen a lot of upstreams run into disagreements with packagers the result is usually better for everyone. ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-24 3:19 ` Gregory Maxwell @ 2013-07-24 8:28 ` Mike Hearn 2013-07-24 13:52 ` Jeff Garzik ` (2 more replies) 0 siblings, 3 replies; 27+ messages in thread From: Mike Hearn @ 2013-07-24 8:28 UTC (permalink / raw) To: Gregory Maxwell; +Cc: Bitcoin Dev, Greg Troxel [-- Attachment #1: Type: text/plain, Size: 4295 bytes --] Yeah, if anyone wants to make the letter more digestable please do propose an alternative, although by this point it's probably not worth it as people have already signed. FWIW, Gregory is right that my original draft was much more brusque. The pain in the packaging relationship travels both ways. I have in the past wasted a lot of time due to bogus packaging applied by non-expert packagers that broke things. In fact the project I was a part of adopted a policy of automatically closing bug reports from people who were using distributor packages (any distro) because the quality was so inconsistent and so many subtle bugs were introduced. If packagers hear upstreams cry about packaging a lot, I think you should keep an open mind that some of them probably know what they're talking about. We really shouldn't have to beg and cajole here. Saying "we have our reasons and we want you to stop" should be enough. On Wed, Jul 24, 2013 at 5:19 AM, Gregory Maxwell <gmaxwell@gmail.com> wrote: > On Tue, Jul 23, 2013 at 7:35 PM, zooko <zooko@zooko.com> wrote: > > I think some > > package maintainers might perceive this version of the letter as > high-handed -- > > telling someone else how to do their job -- and they might not notice the > > actual facts included in the letter explaining why Bitcoin really *is* > > different than a lot of software. > > Bummer, because this was a explicit consideration while writing it and > a concern several people had with the initial draft Mike did. > > We're very much aware that upstreams frequently cry (wolf) at the > mutilation of their unique and precious snowflake. > > The intention was that second paragraph acknowledging the many good > motivations for the existing norms and the third paragraph talking > about consensus systems would address these concerns— showing that we > aren't totally clueless, and pointing out that we have an actually > unusual situation. In intermediate drafts they were longer and more > elaborate, but we were struggling against length and trying to avoid > delving into a highly technical discussion which would lose anyone who > wasn't already very interested. > > We also compromised on an initial approach of "please don't package > this at all" to "please understand first", in part at the protest of > our gentoo package (which also bundles leveldb but hard locks it to an > exact version in the package system with exact build flags, which is a > sophisticated compromise which might not generalize to other > distributors) maintainer (uh, Luke-Jr, not exactly the most > representative sample). > > As a first step it's at least important to know that there is a > concern here shared by a bunch of people. Helping talk people through > understanding it is part of the job here. I certainly didn't expect > the discussion to stop with the letter but getting it out there is a > way to start the discussion and make it more likely that we have it > again with the next packager who comes around. > > I guess the first priority though is avoiding gratuitously offending > people. Can anyone point out any specific tweaks that would reduce > initial bristling? > > On Tue, Jul 23, 2013 at 6:45 PM, Douglas Huff <dhuff@jrbobdobbs.org> > wrote: > > Honestly, until I read the quoted part of your response, > > Oh be nice. If any of this were easy it would all be _done_ already. :) > > There is naturally some tension when people with different priorities > and backgrounds interact, ... I've seen a lot of upstreams run into > disagreements with packagers the result is usually better for > everyone. > > > ------------------------------------------------------------------------------ > See everything from the browser to the database with AppDynamics > Get end-to-end visibility with application monitoring from AppDynamics > Isolate bottlenecks and diagnose root cause in seconds. > Start your free trial of AppDynamics Pro today! > http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > [-- Attachment #2: Type: text/html, Size: 5320 bytes --] ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-24 8:28 ` Mike Hearn @ 2013-07-24 13:52 ` Jeff Garzik 2013-07-24 15:32 ` zooko 2013-07-24 16:01 ` zooko 2013-07-27 0:45 ` Greg Troxel 2 siblings, 1 reply; 27+ messages in thread From: Jeff Garzik @ 2013-07-24 13:52 UTC (permalink / raw) To: Mike Hearn; +Cc: Bitcoin Dev, Greg Troxel On Wed, Jul 24, 2013 at 4:28 AM, Mike Hearn <mike@plan99.net> wrote: > Yeah, if anyone wants to make the letter more digestable please do propose > an alternative, although by this point it's probably not worth it as people > have already signed. I'm working on a more digestable alternative: https://gist.github.com/jgarzik/6065679 Should be ready in another ~24 hours, as its obviously incomplete right now. Alas the publishing of the lame version (which yes, I did ACK) didn't give me time to finish my version. I worked on Fedora packaging while at Red Hat, so hopefully, I have a bit of insight here. Was also thinking about publishing this on opensource.com. -- Jeff Garzik Senior Software Engineer and open source evangelist BitPay, Inc. https://bitpay.com/ ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-24 13:52 ` Jeff Garzik @ 2013-07-24 15:32 ` zooko 2013-07-24 19:35 ` Gregory Maxwell 0 siblings, 1 reply; 27+ messages in thread From: zooko @ 2013-07-24 15:32 UTC (permalink / raw) To: Jeff Garzik; +Cc: Bitcoin Dev, Greg Troxel On Wed, Jul 24, 2013 at 09:52:33AM -0400, Jeff Garzik wrote: > > I'm working on a more digestable alternative: > https://gist.github.com/jgarzik/6065679 Hi Jeff! Thanks for working on it. Even if that letter (https://gist.github.com/jgarzik/6065679) doesn't supplant https://docs.google.com/a/leastauthority.com/document/d/1naenR6N6fMWSpHM0f4jpQhYBEkCEQDbLBs8AXC19Y-o/edit#heading=h.i7tz3gqh65mi as a message-to-packagers, it looks like it will still turn out to be a useful text. My first question about it is this part: """ Make a mistake, lose $1 billion The consequences of bitcoin consensus failure are very high, comparable to avionics or medical device software. As of this writing, over $1 billion of value depends on bitcoin software being able to reliably achieve consensus over the worldwide Internet. This is the digital equivalent of Fort Knox: consensus must be achieved, or bitcoin has no value. """ This makes it sound like if, for example, Debian were to link bitcoind to the system leveldb, and then upgrade the system leveldb to fix a bug that affects bitcoind, that this would spell the end of Bitcoin. I hope that's not true! I'd like to try to be more specific about two things: 1. What is the behavior that a dependency or a patch could cause that would be problematic? I liked what Luke-Jr said earlier in this thread -- that in some cases a bitcoin node (i.e. a bitcoind process) needs certain bugs or limitations in order to maintain consensus with other bitcoin nodes. Maybe you could use a statement like that, without attempting to explain in *what* cases that applies. 2. What is the consequence if this goes wrong? This is something I don't understand as well. I think the answer is: 2.a. All bitcoin nodes which encounter one of these cases and are differently-buggy than the upstream bitcoind form their own consensus, causing a blockchain fork. 2.b. There is a risk of double-spending attacks. 2.c. The process for healing a blockchain fork is not very smooth or well-understood. Regards, Zooko ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-24 15:32 ` zooko @ 2013-07-24 19:35 ` Gregory Maxwell 0 siblings, 0 replies; 27+ messages in thread From: Gregory Maxwell @ 2013-07-24 19:35 UTC (permalink / raw) To: zooko; +Cc: Bitcoin Dev, Greg Troxel On Wed, Jul 24, 2013 at 8:32 AM, zooko <zooko@zooko.com> wrote: > This makes it sound like if, for example, Debian were to link bitcoind to the > system leveldb, and then upgrade the system leveldb to fix a bug that affects > bitcoind, that this would spell the end of Bitcoin. Maybe! A widespread consensus failure causes people to lose money even absent malice. How much depends on a bunch of details, including the luck of attackers. The total ramifications are as much social as they are technical so it's hard to reason over the outcomes beyond "at a minimum, it's not good". A really bad splitting event could results in large amounts of Bitcoin being stolen through reversals. Obviously the system itself would keep on ticking once the issue was resolved... but if millions of dollars at recent prices in coins were stolen, would people want to keep using it? The most dire outcomes are (very?) unlikely, but they're not necessary to recognize that risk mitigation is important. It's good to be careful here just to avoid the bad outcomes we are sure will happen (because we've experienced them before): Hundreds of dollars worth of coin income 'lost' per minute to miners on the losing side of a 50/50 fork, hours long disruption of the lives of dozens of people in the Bitcoin technical ecosystem (many of whom are volunteer OSS developers), hours of disruption (no payments processed) to Bitcoin users and businesses. These are the best case outcomes in a substantial non-transient hard forking event. I think one of the challenges in talking about this stuff is correctly framing these risks. Bitcoin is a novel technology that lacks a lot of the recourse that other systems have— No Bitcoin central bank to create a bit of inflation to paper over a glitch, eliminating those kinds of centralized "fixes" is much of the point, after all— so with the idea of starry eyed people taking out second mortgages on their kids kidneys to buy up coin clearly in my mind I do think it's important to be clear about the full range of risk: It's _possible_ that due to some amazing sequences of technical screwups that by next week most everyone could consider Bitcoin worthless. I think it's important to be frank about those risks. ... but it's also not good to be chicken little, calling doom on anyone who wants to change the color of the GUI. :P Navigating it is hard, and generally I'd prefer that if there is any misunderstanding people overestimate the risks a little— so long as things stay in the realm of the possible— rather than underestimate them. ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-24 8:28 ` Mike Hearn 2013-07-24 13:52 ` Jeff Garzik @ 2013-07-24 16:01 ` zooko 2013-07-27 0:45 ` Greg Troxel 2 siblings, 0 replies; 27+ messages in thread From: zooko @ 2013-07-24 16:01 UTC (permalink / raw) To: Mike Hearn; +Cc: Bitcoin Dev, Greg Troxel On Wed, Jul 24, 2013 at 10:28:16AM +0200, Mike Hearn wrote: > Yeah, if anyone wants to make the letter more digestable please do propose > an alternative, although by this point it's probably not worth it as people > have already signed. Okay, here's my attempt: https://docs.google.com/document/d/1m3wyBIjqwPQ3wxVT7P_wJtdWt9a9RXvt9NV7rggLAOs/edit# Please feel free to use any or all of it as you see fit. > FWIW, Gregory is right that my original draft was much more brusque. The > pain in the packaging relationship travels both ways. I have in the past > wasted a lot of time due to bogus packaging applied by non-expert packagers > that broke things. In fact the project I was a part of adopted a policy of > automatically closing bug reports from people who were using distributor > packages (any distro) because the quality was so inconsistent and so many > subtle bugs were introduced. > > If packagers hear upstreams cry about packaging a lot, I think you should > keep an open mind that some of them probably know what they're talking > about. We really shouldn't have to beg and cajole here. Saying "we have our > reasons and we want you to stop" should be enough. Yes, I know what you mean. Regards, Zooko ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-24 8:28 ` Mike Hearn 2013-07-24 13:52 ` Jeff Garzik 2013-07-24 16:01 ` zooko @ 2013-07-27 0:45 ` Greg Troxel 2 siblings, 0 replies; 27+ messages in thread From: Greg Troxel @ 2013-07-27 0:45 UTC (permalink / raw) To: bitcoin-development Mike Hearn <mike@plan99.net> writes: > If packagers hear upstreams cry about packaging a lot, I think you should > keep an open mind that some of them probably know what they're talking > about. We really shouldn't have to beg and cajole here. Saying "we have our > reasons and we want you to stop" should be enough. Asserting without explaining isn't going to work; lots of people think their code is more special than it is, and most of these claims are unwarranted. But, there is a good explanation for the bitcoin case. ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [Bitcoin-development] Linux packaging letter 2013-07-24 0:50 ` Gregory Maxwell 2013-07-24 2:35 ` zooko @ 2013-07-27 0:43 ` Greg Troxel 1 sibling, 0 replies; 27+ messages in thread From: Greg Troxel @ 2013-07-27 0:43 UTC (permalink / raw) To: bitcoin-development Gregory Maxwell <gmaxwell@gmail.com> writes: > It's "portable" to anything that can run the relevant VMs. Uh > provided you don't mind cross compiling everything from an unbuntu VM. > It certainly would be nice if the trusted-computing-base for gitian > were a bit smaller, thats an area for long term improvement for sure. Thanks - I'll look forward to this being portable someday. Right now it sounds similar to "a windows binary but you can use wine" with substitution of variables :-) People may want to look at the NetBSD build system, which I think achieves bit-identical builds from different hosts (but I haven't really checked), by having the toolchain be part of the source and building cross-compilers from host to target and then using those to build the system. > Say Bitcoin used a backing database which had an unknown a bug where > any item with a key that begins with 0xDEADBEEF returns not found when > queried, even if its in the DB. Once discovered, any database library > would want to fix that quickly and they'd fix it in a point release > without reservation. They might not even release note that particular > fix it if went along with some others, it could even be fixed > accidentally. > > Now say that we have a state where half the Bitcoin network is running > the old buggy version, and half is running the fixed version. Someone > creates a transaction with ID 0xDEADBEEF... and then subsequently > spends the output of that transaction. This could be by pure chance or > it could be a malicious act. > > To half the network that spending transaction looks like someone > spending coin from nowhere, a violation of the rules. The consensus > would then fork, effectively partitioning the network. On each fork > any coin could be spent twice, and the fork will only be resolvable by > one side or the other abandoning their state (generally the more > permissive side would need to be abandoned because the permissive one > is tolerant of the restrictive one's behavior) by manually downgrading > or patching software. As a result of this parties who believed some > of their transactions were safely settled would find them reversed by > people who exploited the inconsistent consensus. Thanks for the explanation - that indeed makes sense. >> multiple packages is difficult, and runs into A wants only n of C, while >> B wants only m. > > My understanding is that gentoo is actually able to handle this (and > does, for Bitcoin)— and really I presume just about everything else > could with enough effort. I certainly wouldn't ask anyone else to do > that. If you're really getting into the rathole of building separate > libraries just for Bitcoin the value of packaging it goes away. Well, if you insist on not having updates and bugfixes, then either it's the included version or there's a special package just for you. Typically packaging systems don't like included versions because often a package will have a security bug fixed long before there are updates of packages that bundle that fixed version. But given bitcoin's special needs, that means you have to stay on top of these dependent included packages and re-release if there are security fixes (that don't break consensus). > Running a complete set of tests is a start— though the unit tests are > not and cannot be adequate. There is a full systems testing harnesses > which should be used on new platforms. Even that though isn't really > adequate, as it is currently infeasible to even achieve complete test > coverage in things like cryptographic libraries and database > environments. It would be nice if the regression tests were installed and it were normal culturallly for end-users to run them. Thanks again for the explanation; I understand where you are coming from now. ^ permalink raw reply [flat|nested] 27+ messages in thread
end of thread, other threads:[~2013-07-28 18:21 UTC | newest] Thread overview: 27+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2013-07-23 20:01 [Bitcoin-development] Linux packaging letter Mike Hearn 2013-07-23 20:14 ` Gregory Maxwell 2013-07-23 20:32 ` Mike Hearn 2013-07-23 20:50 ` Gregory Maxwell 2013-07-28 18:21 ` John Dillon 2013-07-23 22:02 ` Scott Howard 2013-07-23 22:26 ` Luke-Jr 2013-07-24 3:00 ` Scott Howard 2013-07-24 1:45 ` Douglas Huff 2013-07-24 2:27 ` Scott Howard 2013-07-24 3:54 ` [Bitcoin-development] Endianness (was: Linux packaging letter) Wendell 2013-07-24 4:03 ` Luke-Jr 2013-07-24 4:07 ` Gregory Maxwell 2013-07-24 4:09 ` Gregory Maxwell 2013-07-23 22:33 ` [Bitcoin-development] Linux packaging letter Pieter Wuille 2013-07-23 23:23 ` Greg Troxel 2013-07-23 23:45 ` Luke-Jr 2013-07-24 0:50 ` Gregory Maxwell 2013-07-24 2:35 ` zooko 2013-07-24 3:19 ` Gregory Maxwell 2013-07-24 8:28 ` Mike Hearn 2013-07-24 13:52 ` Jeff Garzik 2013-07-24 15:32 ` zooko 2013-07-24 19:35 ` Gregory Maxwell 2013-07-24 16:01 ` zooko 2013-07-27 0:45 ` Greg Troxel 2013-07-27 0:43 ` Greg Troxel
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox