BitcoinTalk

Implementation bug prior to 0.3.6

BitcoinTalk
#1
From:
Anonymous
Subject:
sg
Date:
adg
BitcoinTalk
#2
From:
knightmb
Subject:
Re: Implementation bug prior to 0.3.6
Date:
In this forum, I don't see why not. Basically, the implementation bug means that the client wasn't following it's own rules. Someone may have found a way to double-spend coin for example that the Client doesn't catch because of how it processes the rules to counter this kind of action.
BitcoinTalk
#3
From:
jgarzik
Subject:
Re: Implementation bug prior to 0.3.6
Date:
Is it too early to discuss what happened until more users upgrade?

I am interested in the meta-discussion, about security policy.

In other open source projects, representatives of "key parties" tend to gather on a "vendor security" mailing list that is closed to the public.  Vulnerabilities that might have real world consequences are discussed there, and then a coordinated release occurs, where all key players publish the security fixes at the same time.
BitcoinTalk
#4
From:
knightmb
Subject:
Re: Implementation bug prior to 0.3.6
Date:
Since we mostly communicate by forum here, the closest would be a member group that has access to a special forum here just for that issue that the public can't normally see. I'm fairly certain the simple machines forum supports that feature?
BitcoinTalk
#5
From:
knightmb
Subject:
Re: Implementation bug prior to 0.3.6
Date:
I'd support the idea. More trusted members and programmers could post security risks or exploits. Maybe the better way is just to message the developer if they are discovered.
Both can work, but a members forum would help to keep out the noise; otherwise everyone will end up messaging the lead developer with every possible thing they here in the news and end up taking his/her time to filter it out on whether it's really a risk or not.
BitcoinTalk
#6
From:
jgarzik
Subject:
Re: Implementation bug prior to 0.3.6
Date:

BTW, an important feature of these mailing lists is that anyone can post...  but only the "vendor security" group can read the posts.

Thus, it is easy for an outsider with a real security issue to provide detailed information to [email protected], while preventing unscrupulous people from reading the sensitive information.

I suppose a PM to <somebody>, plus discussion on a closed forum, is the best this forum software can handle.
BitcoinTalk
#7
From:
satoshi
Subject:
Re: Implementation bug prior to 0.3.6
Date:
Actually, it works well to just PM me.  I'm the one who's going to be fixing it.  If you find a security flaw, I would definitely like to hear from you privately to fix it before it goes public.