Date: Sat, 20 Jul 2024 19:13:41 -0700 (PDT)
From: Antoine Riard
To: Bitcoin Development Mailing List
Subject: Re: [bitcoindev] Re: A "Free" Relay Attack Taking Advantage of The Lack of Full-RBF In Core

Hi Peter,

> It's quite bizarre to use "off topic comments" as an excuse to close a pull-req
> fixing a specific security vulnerability, assuming you actually care about that
> vulnerability.

Do not assign to malevolence what can be assigned to genuine incompetence or willful laziness.

In the present case, it's all to bet that the moderators close the PRs, without being
aware of your reported security issue on the mailing list. This is what you expect in
an open-source community managing sensitive security information, where it is formally
segregated between actors. I'm certainly not trusting will-ark with bitcoin security
information, at least anything beyond benign issues.

> As I've said elsewhere, Core could have easily and quietly
> merged that pull-req as-is, possibly by having a few people write some obvious
> ACK rationales.

I think this is the kind of issues, given the plausibility we still have laggards
of when `mempoolfullrbf` was introduced almost 2 years ago to reconsider their
bitcoin infrastructure deployment, or 0conf acceptance flow. It's always polite
and it can only help building strong cultural norms in an ecosystem where the economic
traffic is dealt with more and more by codebases which are not bitcoin core.

> The only good explanation for closing it is to further delay merging the
> pull-req, as well as disclosing the vulnerability.

I think this is the issue where it is worthy to pursue the conversation:
https://github.com/bitcoin-core/meta/issues/5

All that said, I'll re-advocate your integration to the bitcoin security
mailing list by re-opening an issue on the GitHub repository?

Thanks to confirm you're okay with that (this can be done in private).
Very pragmatically, I'm trusting you more than most of the folks on the
list right now if I have issues to report.

Best,
Antoine
ots hash: 6c6ab1f4264c63245063a35da7f29f9e874a152a68e521b7f2ca2a972584a95d
