Re: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects

2022-08-18 Thread Anthony Towns via bitcoin-dev
On Thu, Nov 18, 2021 at 09:29:24PM +0100, Prayank via bitcoin-dev wrote: > After reading all the emails, personally experiencing review process > especially on important issues like privacy and security, re-evaluating > everything and considering the time I can spend on this, I have decided to do

Re: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects

2021-11-19 Thread Prayank via bitcoin-dev
Good morning ZmnSCPxj, > Indeed, I believe we should take the position that "review process is as much > a part of the code as the code itself, and should be tested regularly". Agree. Review process is an important part of open source Bitcoin projects. We should test and verify if everything is

Re: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects

2021-10-03 Thread ZmnSCPxj via bitcoin-dev
Good morning Luke, > All attempts are harmful, no matter the intent, in that they waste > contributors' time that could be better spent on actual development. > > However, I do also see the value in studying and improving the review process > to harden it against such inevitable attacks. The fac

Re: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects

2021-10-03 Thread Luke Dashjr via bitcoin-dev
All attempts are harmful, no matter the intent, in that they waste contributors' time that could be better spent on actual development. However, I do also see the value in studying and improving the review process to harden it against such inevitable attacks. The fact that we know the NSA engag

Re: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects

2021-10-03 Thread Manuel Costa via bitcoin-dev
Good morning everyone, Just wanted to point out a few things for discussion which may or may not be obvious: 1) A simple scheme as described by ZmnSCPxj first can lead way for a standardized process where people can excuse their legitimate attempts to actually introduce vulnerabilities, where the

Re: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects

2021-10-02 Thread Prayank via bitcoin-dev
This looks interesting, although I don't understand a few things: > The scheme should include public precommitments collected at ceremonial > intervals. How would this work? Can you explain with an example please. > Upon assignment, the dev would have community approval to opportunistically > ins

Re: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects

2021-10-01 Thread Ryan Grant via bitcoin-dev
Due to the uneven reputation factor of various devs, and uneven review attention for new pull requests, this exercise would work best as a secret sortition. Sortition would encourage everyone to always be on their toes rather than only when dealing with new github accounts or declared Red Team dev

Re: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects

2021-10-01 Thread Prayank via bitcoin-dev
Good morning ZmnSCPxj, Although it's evening here and time zones feel irrelevant since I got involved in Bitcoin a few years back. Initially I tried everything a tech enthusiast does after finding such a thing online. Had a startup in 2017 which was a website that can be used to buy flight tickets u

Re: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects

2021-10-01 Thread ZmnSCPxj via bitcoin-dev
Good morning Prayank, I think this is still good to do, controversial or no, but then I am permanently under a pseudonym anyway, for what that is worth. > Few questions for everyone reading this email: > > 1.What is better for Security? Trusting authors and their claims in PRs or a > good revie

Re: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects

2021-10-01 Thread Prayank via bitcoin-dev
Hi Ruben, > encouraging an environment of increased mistrust I have always tried to review pull requests based on what PR does, code, my tests etc. and it was never based on author of pull request or what author is trying to claim. So there is no trust involved. I am assuming others follow the

Re: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects

2021-09-30 Thread Ruben Somsen via bitcoin-dev
Hi Prayank, While I can see how this can come from a place of good intentions, I’d strongly advise you to tread carefully because what you are suggesting is quite controversial. A related event occurred in the Linux community and it did not go over well. See https://lkml.org/lkml/2021/5/5/1244 and

Re: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects

2021-09-28 Thread Prayank via bitcoin-dev
Hi ZmnSCPxj, Thanks for suggestion about sha256sum. I will share 10 in next few weeks. This exercise will be done for below projects: 1.Two Bitcoin full node implementations (one will be Core) 2.One Lightning implementation 3.Bisq 4.Two Bitcoin libraries 5.Two Bitcoin wallets 6.On

Re: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects

2021-09-27 Thread ZmnSCPxj via bitcoin-dev
Good morning Prayank, > Good morning Bitcoin devs, > > In one of the answers on Bitcoin Stackexchange it was mentioned that some > companies may hire you to introduce backdoors in Bitcoin Core: > https://bitcoin.stackexchange.com/a/108016/ > > While this looked crazy when I first read it, I thin

[bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects

2021-09-27 Thread Prayank via bitcoin-dev
Good morning Bitcoin devs, In one of the answers on Bitcoin Stackexchange it was mentioned that some companies may hire you to introduce backdoors in Bitcoin Core: https://bitcoin.stackexchange.com/a/108016/ While this looked crazy when I first read it, I think preparing for such things should