https://bugzilla.redhat.com/show_bug.cgi?id=1020292

--- Comment #38 from Warren Togami <wtogami@xxxxxxxxx> ---

A few upstream developers were alarmed to hear how quickly Fedora releases are EOL'ed. This is of concern because it is hazardous for unmaintained versions of Bitcoin to continue running after EOL.

There is a separate, even bigger concern that it is very dangerous to have automatic updates of Bitcoin software. Does Fedora infrastructure have options to further lock down the ability of insiders or hackers to push a trojan through the update process? The scenario of a compromised auto-update leading to millions of dollars of losses is not a trivial risk when the incentive is very high. For reasons like this, Ubuntu and Debian do not distribute Bitcoin at all.

Upstream goes through extreme effort to build deterministic, bit-for-bit reproducible binaries that are verifiable as being identical to what others can build, as added protection against the possibility of trojan distribution. They are now in favor of upstream adding both rpm and deb outputs to distribute their existing deterministic binary.

So yes, upstream would strongly caution against Fedora distributing Bitcoin for the above reasons. If Fedora insists on shipping Bitcoin then let us discuss how to mitigate the risks in ways like:

* Ship the upstream deterministic binary in an RPM. This is very much against Fedora policy but this is the safest and easiest to maintain option.
* Make the build of Bitcoin within the Fedora build system deterministic and verifiable when compared to building it on an identical buildroot.
* Add additional safeguards to the update process to require a much higher threshold of review including build determinism testing.
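A sketch of the "build determinism testing" the last bullet asks for, added here as an example and not code from the bug thread, the Fedora build system or the Bitcoin project: each independent builder hashes its outputs, and a release is accepted only when at least a threshold of builders produce bit-identical digests, with any dissenting builder named. Builder names, artifact names and artifact bytes are constructed placeholders.

```python
"""Build-determinism check: compare per-artifact digests published by several
independent builders and accept a release only when enough of them agree."""
import hashlib
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_for(build_outputs: dict) -> dict:
    """Digest every artifact one builder produced: {artifact: sha256 hex}."""
    return {name: sha256_hex(blob) for name, blob in build_outputs.items()}


def compare_manifests(manifests: dict, threshold: int) -> dict:
    """manifests: {builder: {artifact: digest}}.
    For each artifact, take the digest most builders agree on and list the
    builders whose output differs (a missing artifact counts as a difference).
    The artifact passes only if at least `threshold` builders share the digest."""
    artifacts = set()
    for m in manifests.values():
        artifacts.update(m)
    report = {}
    for art in sorted(artifacts):
        digests = {b: m.get(art) for b, m in manifests.items()}
        counts = Counter(d for d in digests.values() if d is not None)
        consensus, agree = counts.most_common(1)[0]
        dissent = sorted(b for b, d in digests.items() if d != consensus)
        report[art] = {"digest": consensus, "agree": agree,
                       "dissent": dissent, "ok": agree >= threshold}
    return report


def release_is_reproducible(report: dict) -> bool:
    return all(entry["ok"] for entry in report.values())


# Constructed sample: three builders on supposedly identical buildroots.
# builder-c's bitcoind differs by one trailing byte (an embedded timestamp,
# a toolchain difference or a tampered build), so it must be flagged.
SAMPLE_BUILDS = {
    "builder-a": {"bitcoind": b"constructed bitcoind bytes", "bitcoin-qt": b"constructed qt bytes"},
    "builder-b": {"bitcoind": b"constructed bitcoind bytes", "bitcoin-qt": b"constructed qt bytes"},
    "builder-c": {"bitcoind": b"constructed bitcoind bytes!", "bitcoin-qt": b"constructed qt bytes"},
}
SAMPLE_MANIFESTS = {b: manifest_for(out) for b, out in SAMPLE_BUILDS.items()}

if __name__ == "__main__":
    rep = compare_manifests(SAMPLE_MANIFESTS, threshold=3)
    for art, e in rep.items():
        print(f"{art}: {'OK' if e['ok'] else 'MISMATCH'} ({e['agree']} agree, dissent={e['dissent']})")
    print("release reproducible:", release_is_reproducible(rep))
```

Requiring all three builders to agree rejects the release here; lowering the threshold to two accepts it but still names builder-c, which is the signal a reviewer would investigate before the update is pushed.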