BitcoinTalk

Implementation bug prior to 0.3.6

146

Satoshi-only

BitcoinTalk

From:

Anonymous

Subject:

Date:

29 luglio 2010 alle ore 20:03:07 UTC

adg

BitcoinTalk

From:

knightmb

Subject:

Re: Implementation bug prior to 0.3.6

Date:

29 luglio 2010 alle ore 20:12:02 UTC

In this forum, I don't see why not. Basically, the implementation bug means that the client wasn't following it's own rules. Someone may have found a way to double-spend coin for example that the Client doesn't catch because of how it processes the rules to counter this kind of action.

BitcoinTalk

From:

jgarzik

Subject:

Re: Implementation bug prior to 0.3.6

Date:

29 luglio 2010 alle ore 20:12:14 UTC

Quote from: davidonpda on July 29, 2010, 08:03:07 PM

Is it too early to discuss what happened until more users upgrade?

I am interested in the meta-discussion, about security policy.

In other open source projects, representatives of "key parties" tend to gather on a "vendor security" mailing list that is closed to the public. Vulnerabilities that might have real world consequences are discussed there, and then a coordinated release occurs, where all key players publish the security fixes at the same time.

BitcoinTalk

From:

knightmb

Subject:

Re: Implementation bug prior to 0.3.6

Date:

29 luglio 2010 alle ore 20:13:57 UTC

Since we mostly communicate by forum here, the closest would be a member group that has access to a special forum here just for that issue that the public can't normally see. I'm fairly certain the simple machines forum supports that feature?

BitcoinTalk

From:

knightmb

Subject:

Re: Implementation bug prior to 0.3.6

Date:

29 luglio 2010 alle ore 20:19:16 UTC

Quote from: davidonpda on July 29, 2010, 08:17:31 PM

I'd support the idea. More trusted members and programmers could post security risks or exploits. Maybe the better way is just to message the developer if they are discovered.

Both can work, but a members forum would help to keep out the noise; otherwise everyone will end up messaging the lead developer with every possible thing they here in the news and end up taking his/her time to filter it out on whether it's really a risk or not.

BitcoinTalk

From:

jgarzik

Subject:

Re: Implementation bug prior to 0.3.6

Date:

29 luglio 2010 alle ore 20:22:59 UTC

BTW, an important feature of these mailing lists is that anyone can post... but only the "vendor security" group can read the posts.

Thus, it is easy for an outsider with a real security issue to provide detailed information to [email protected], while preventing unscrupulous people from reading the sensitive information.

I suppose a PM to <somebody>, plus discussion on a closed forum, is the best this forum software can handle.

BitcoinTalk

From:

satoshi

Subject:

Re: Implementation bug prior to 0.3.6

Date:

29 luglio 2010 alle ore 22:04:15 UTC

Actually, it works well to just PM me. I'm the one who's going to be fixing it. If you find a security flaw, I would definitely like to hear from you privately to fix it before it goes public.