Date: Sat, 20 Jul 2024 19:13:41 -0700 (PDT)
From: Antoine Riard <antoine.riard@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <a7ae8eee-11c8-48ea-80f8-4411741c3d3en@googlegroups.com>
In-Reply-To: <ZpvS2haduzUQiojV@petertodd.org>
References: <Zpk7EYgmlgPP3Y9D@petertodd.org>
<18a5e5a2-92b3-4345-853d-5a63b71d848bn@googlegroups.com>
<9c4c2a65-2c87-47f1-85d1-137c32099fb7n@googlegroups.com>
<fd1e1dd3-ffda-416b-9bc8-900d0b69c8c1n@googlegroups.com>
<ZpvS2haduzUQiojV@petertodd.org>
Subject: Re: [bitcoindev] Re: A "Free" Relay Attack Taking Advantage of The
Lack of Full-RBF In Core

Hi Peter,

> It's quite bizarre to use "off topic comments" as an excuse to close a
> pull-req fixing a specific security vulnerability, assuming you actually
> care about that vulnerability.

Do not assign to malevolence what can be assigned to genuine incompetence
or willful laziness.

In the present case, it's all to bet that the moderators close the PRs,
without being aware of your reported security issue on the mailing list.
This is what you expect in an open-source community managing sensitive
security information, where it is formally segregated between actors. I'm
certainly not trusting will-ark with bitcoin security information, at least
anything beyond benign issues.

> As I've said elsewhere, Core could have easily and quietly
> merged that pull-req as-is, possibly by having a few people write some
> obvious ACK rationales.

I think this is the kind of issue, given the plausibility we still have
laggards of when `mempoolfullrbf` was introduced almost 2 years ago to
reconsider their bitcoin infrastructure deployment, or 0conf acceptance
flow. It's always polite and it can only help building strong cultural
norms in an ecosystem where the economic traffic is dealt with more and
more by codebases which are not bitcoin core.

> The only good explanation for closing it is to further delay merging the
> pull-req, as well as disclosing the vulnerability.

I think this is the issue where it is worthy to pursue the conversation:
https://github.com/bitcoin-core/meta/issues/5

All that said, I'll re-advocate your integration to the bitcoin security
mailing list by re-opening an issue on the github repository?

Thanks to confirm you're okay with that (this can be done in private).
Very pragmatically, I'm trusting you more than most of the folks on the
list right now if I have issues to report.

Best,
Antoine
ots hash: 6c6ab1f4264c63245063a35da7f29f9e874a152a68e521b7f2ca2a972584a95d