From: Drak
Date: Sat, 23 Aug 2014 13:05:17 +0100
To: Pieter Wuille
Cc: Bitcoin Dev
Subject: Re: [Bitcoin-development] Reconsidering github

On 23 August 2014 12:38, Pieter Wuille wrote:

> That allows using github as easy-access mechanism for people to
> contribute and inspect, while having a higher security standard for
> the actual changes done to master.

I'd also like to point out the obvious: git uses the previous hash as part of the formula to generate the current commit hash, thus tampering with history, while possible, would be instantly noticed because we all have copies of the repository. Tampering would be completely evident (pushes would fail for a start, and even simple merges would bork). It's just not possible to tamper with the repository without it being discovered, even with collusion (or strong-arming) of github.

The social benefits of github make it ideal for open source projects that want community participation. The barrier to entry is low. The only "weak" spot of github is the releases section, but since we don't actually distribute Bitcoin from github the point is moot.

I think github haters fail to see the vast benefits of a social hub like github. Their issue tracker may not be as sophisticated, but it serves well and the project is extremely productive.
Don't shoot yourself in the foot - a move away from github would be a disaster for the project.

When you look at the attack surface of using github, it's pretty small and would not go unnoticed, thus nullifying concern.
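The hash chaining the message above refers to, as an added example that is not part of the original email or of any Bitcoin project code: it computes git-style object IDs for a three-commit history and locates where a history served by a remote first diverges from a local clone. The function names, the single-file `README` tree and the author identity are assumptions made up for the illustration.

```python
import hashlib
from typing import List, Optional

def git_object_id(obj_type: str, body: bytes) -> str:
    # Git names every object by SHA-1 over "<type> <size>\0" + body.
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()

def tree_id(filename: str, blob_hex: str) -> str:
    # One-file tree entry: "<mode> <name>\0" followed by the raw 20-byte blob ID.
    entry = f"100644 {filename}".encode() + b"\x00" + bytes.fromhex(blob_hex)
    return git_object_id("tree", entry)

def commit_id(tree_hex: str, parent_hex: Optional[str], message: str) -> str:
    # The parent's ID is part of the hashed body, so it feeds into this commit's ID.
    who = "Example Dev <dev@example.invalid> 1408795517 +0100"  # constructed
    lines = [f"tree {tree_hex}"]
    if parent_hex:
        lines.append(f"parent {parent_hex}")
    lines += [f"author {who}", f"committer {who}", "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode())

def build_history(versions: List[bytes], filename: str = "README") -> List[str]:
    # One commit per file version, each pointing at the previous commit.
    ids, parent = [], None
    for n, content in enumerate(versions, 1):
        blob = git_object_id("blob", content)
        parent = commit_id(tree_id(filename, blob), parent, f"revision {n}")
        ids.append(parent)
    return ids

def first_divergence(local: List[str], served: List[str]) -> Optional[int]:
    # Index of the first commit where a clone and the served history disagree.
    for i, (a, b) in enumerate(zip(local, served)):
        if a != b:
            return i
    return None if len(local) == len(served) else min(len(local), len(served))

if __name__ == "__main__":
    # Constructed sample histories: the second revision differs, the third is identical.
    local = build_history([b"v1\n", b"v2\n", b"v3\n"])
    served = build_history([b"v1\n", b"v2 altered\n", b"v3\n"])
    for a, b in zip(local, served):
        print(a[:12], b[:12], "ok" if a == b else "MISMATCH")
    print("first divergence at index", first_divergence(local, served))
```

The third commit's file content and tree are identical in both histories, yet its ID still differs because the rewritten second commit is its parent.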