Raoul Duke (OP), aka psy
August 17, 2011, 10:08:00 AM

It has come to my attention that Sourceforge only does what the U.S.A. government wants, so it isn't the right place to host the Bitcoin client nor the bitcoin.org website. You can see what I mean here: http://sourceforge.net/apps/trac/sitelegal/wiki/Terms_of_Use#ProhibitedPersons

It came to my knowledge because of this thread: https://bitcointalk.org/index.php?topic=37402.0

Probably you guys have chosen the wrong place to host such a project. Free hosting is good, all right, but not when it comes with this price tag. If they let the US government tell them what to do, I ask: What's next? Giving the authorities access to repositories so they can install backdoors? I think this is a very serious issue and I bet a lot of people will agree with me. Let the discussion begin!

PS: Sorry for not being eloquent enough but I guess you all understand what I want to say.

N.Z.
August 17, 2011, 10:17:15 AM

Why "remove"? It's not a Bitcoin way. Add some mirrors, diversification will solve the problem.

Raoul Duke (OP), aka psy
August 17, 2011, 10:23:15 AM

Why "remove"? It's not a Bitcoin way. Add some mirrors, diversification will solve the problem.
Do you think it's a good idea to take the risk? I'm fully aware that the source code is hosted on github, but I'm also aware that 90% or more of Bitcoin installs come from the exe's on sourceforge. I know I'm not trusting SourceForge anymore... If they are willing to punish people that live under oppressive regimes just for fear of US law, I wonder what else they will do when said law "asks"* them...

* forces them to

captainteemo
August 17, 2011, 12:37:56 PM

It has come to my attention that Sourceforge only does what the U.S.A. government wants, so it isn't the right place to host the Bitcoin client nor the bitcoin.org website. You can see what I mean here: http://sourceforge.net/apps/trac/sitelegal/wiki/Terms_of_Use#ProhibitedPersons It came to my knowledge because of this thread: https://bitcointalk.org/index.php?topic=37402.0 Probably you guys have chosen the wrong place to host such a project. Free hosting is good, all right, but not when it comes with this price tag. If they let the US government tell them what to do, I ask: What's next? Giving the authorities access to repositories so they can install backdoors? I think this is a very serious issue and I bet a lot of people will agree with me. Let the discussion begin! PS: Sorry for not being eloquent enough but I guess you all understand what I want to say.
This is a requirement by all US based companies. No exceptions, this includes github, googlecode, et al.

Cryptographic software is subject to the US government export control and economic sanctions laws (“US export laws”) including the US Department of Commerce Bureau of Industry and Security’s (“BIS”) Export Administration Regulations (“EAR”, 15 CFR 730 et seq., http://www.bis.doc.gov/). You may also be subject to US export laws, including the requirements of license exception TSU in accordance with part 740.13(e) of the EAR. Software and/or technical data subject to the US export laws may not be directly or indirectly exported, reexported, transferred, or released (“exported”) to US embargoed or sanctioned destinations currently including Cuba, Iran, North Korea, Sudan, or Syria, but any amendments to this list shall apply. In addition, software and/or technical data may not be exported to any entity barred by the US government from participating in export activities. Denied persons or entities include those listed on BIS’s Denied Persons and Entities Lists, and the US Department of Treasury’s Office of Foreign Assets Control’s Specially Designated Nationals List. The country in which you are currently located may have restrictions on the import, possession, use of encryption software. You are responsible for compliance with the laws where You are located.

Raoul Duke (OP), aka psy
August 17, 2011, 12:44:56 PM

This is a requirement by all US based companies. No exceptions, this includes github, googlecode, et al
Yes, yes, but... does it make it right? Or is Bitcoin also bending over and letting the US government do as he pleases?

EDIT: Why doesn't Bitcoin have its own servers in a less restrictive country and host all the code themselves instead of relying on companies that have to follow US rulings, no matter how unfair they are? Or will they just kill the project as soon as the US government says Bitcoin should die?

captainteemo
August 17, 2011, 12:47:12 PM

This is a requirement by all US based companies. No exceptions, this includes github, googlecode, et al
Yes, yes, but... does it make it right? Or is Bitcoin also bending over and letting the US government do as he pleases?
No, but your thing about getting it off sourceforge is pointless because it makes no difference. In any case, the source is out there, so it doesn't matter. SF is just a mirror at this point.

Raoul Duke (OP), aka psy
August 17, 2011, 12:49:04 PM

SF is just a mirror at this point.
No it isn't... It's the only official place from where people can get compiled binaries.

captainteemo
August 17, 2011, 12:50:34 PM

SF is just a mirror at this point.
No it isn't... It's the only official place from where people can get compiled binaries.
Why would people be dumb enough to trust compiled binaries? Compile from source, audit the source.

jackjack
August 17, 2011, 12:55:21 PM

I'm sure 60+% of bitcoiners are dumb enough to use these binaries
I'm about to post a poll in the discussion forum, we'll see

Xephan
August 17, 2011, 01:37:56 PM

SF is just a mirror at this point.
No it isn't... It's the only official place from where people can get compiled binaries.
Why would people be dumb enough to trust compiled binaries? Compile from source, audit the source.
You obviously live in your own personal fantasy world. If bitcoin is ever going to be successful, the _vast_ of folks who are going to end up running the client won't have the first clue about compiling anything (as a matter of fact, that's probably already the case). Of those actually capable of compiling a client, very few have the expertise to read C++ code (and the client is non-trivial code, to say the least). A quick search through these forums for clamors of "please provide latest binary release of XXX" should have been your first clue. Finally, of the very tiny minority of people capable of both compiling and reading C++ code, who the @&%$@ has the time to check every new commit against the code base? Puh-lease. I would tend to agree with the OP: hosting the official clients on a site that abides by US rules is unhealthy. I'd pick a place like a site hosted in Sweden for official, checksummed new releases and just mirror the stuff wherever.
+1 for this post. There are still too many Bitcoiners who don't realize that in order for Bitcoin to succeed, it MUST be accessible to the general public whose experience with new software is simply download and click-click-click.

kjj
August 17, 2011, 03:34:05 PM

SF is just a mirror at this point.
No it isn't... It's the only official place from where people can get compiled binaries today.
Fixed that for ya. Do you really think it will be hard to put binaries up on a different mirror some day if we need to?

Raoul Duke (OP), aka psy
August 17, 2011, 03:40:11 PM (Last edit: August 17, 2011, 03:57:04 PM by psy)

Do you really think it will be hard for the US gov to make sourceforge put backdoored binaries up on the only mirror we have today?
Fixed that for ya.

Now on a serious note: Usually I'm not the ultra-paranoid freak type, but do you think Satoshi never came forward with his identity just because? The invention of Bitcoin would be a great thing in anybody's resume, but he chose to hide because he knew about the powerful enemies he would face if he didn't. Now, you are giving the power to a US controlled institution to f*** us without us even knowing about it.

Leave the binaries there if you think it's the right thing to do. Move them in a hurry after the trouble comes if you think that's the best thing to do. Just don't say you weren't warned or that you didn't know about it when it happens.

For a project that is all about decentralization, I see it too much centralized in the US; even worse, the source code is hosted on servers under the power of US law. Let's see how it rolls. After all, Bitcoin was like that from the start. Too bad that the only person who seemed to ever think about the dangers of this was the creator, and he's gone.

twobits
August 17, 2011, 03:54:03 PM

Sometimes you have to pick your battles. There are enough other ones looming on the horizon to not give the government this one as an easy excuse to go after the devs based in the USA.
I do think the distribution is a bit lax. They should at least be being signed. This would allow mirrors to be made and a way to still check that what you get was ok. Once this is done, the issue should be solvable by people that want to solve it. If that issue is providing more global access to the bitcoin binaries anyway. Are there any bridge countries? Like could someone in China download it, then provide it to N Koreans?

Maged
August 17, 2011, 03:54:41 PM

Do you really think it will be hard for the US gov to make sourceforge put backdoored binaries up on the only mirror we have today?
Fixed that for ya
We would notice within hours if they did that. You see, the SHA-1 hashes of all official releases are PGP signed by a trusted developer, and people DO check them every now and then. It'd be great if we had a bot check them, though.
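
The kind of checking bot wished for above, as an added example that is not part of the original post or of the Bitcoin project's tooling: it recomputes the digests of each mirror's copy and compares them with a manifest whose PGP signature is assumed to have been verified beforehand (for instance with `gpg --verify`). The manifest format, the function names, the mirror names and the sample bytes are constructed for illustration, and SHA-256 is added alongside the SHA-1 mentioned in the thread.

```python
import hashlib

ALLOWED = ("sha1", "sha256")  # sha1 as in the thread; sha256 is an added assumption

def parse_manifest(text):
    """Parse '<algo> <hexdigest> <filename>' lines into {filename: {algo: bytes}}."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if len(parts) != 3 or parts[0] not in ALLOWED:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        algo, digest, name = parts
        raw = bytes.fromhex(digest)  # raises ValueError on non-hex input
        if len(raw) != hashlib.new(algo).digest_size:
            raise ValueError(f"manifest line {lineno}: wrong {algo} digest length")
        entries.setdefault(name, {})[algo] = raw
    return entries

def check_copy(expected, data):
    """Return the algorithms whose digest of `data` differs from the manifest."""
    return sorted(
        algo for algo, want in expected.items()
        if hashlib.new(algo, data).digest() != want
    )

def audit_mirrors(manifest_text, name, mirrors):
    """Map each mirror to 'ok' or 'MISMATCH (...)'; refuse files the manifest omits."""
    expected = parse_manifest(manifest_text).get(name)
    if not expected:
        raise KeyError(f"{name} is not covered by the signed manifest")
    report = {}
    for mirror, data in mirrors.items():
        bad = check_copy(expected, data)
        report[mirror] = "ok" if not bad else "MISMATCH (" + ", ".join(bad) + ")"
    return report

# Constructed sample: one release file and two mirror copies, one of them altered.
RELEASE = b"constructed stand-in for a release installer"
NAME = "client-setup.exe"  # hypothetical file name
MANIFEST = "\n".join(
    f"{algo} {hashlib.new(algo, RELEASE).hexdigest()} {NAME}" for algo in ALLOWED
)
MIRRORS = {"mirror-a.example": RELEASE, "mirror-b.example": RELEASE + b"\x00"}

if __name__ == "__main__":
    for mirror, status in audit_mirrors(MANIFEST, NAME, MIRRORS).items():
        print(f"{mirror}: {status}")
```

A real bot would fetch each mirror's copy over the network and alert on any status other than `ok`; the digests only mean something if the manifest's signature was checked against a key obtained independently of the mirrors.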

zellfaze
August 17, 2011, 03:58:21 PM

I would suggest mirrors in the Netherlands and Sweden. Both are fairly nonrestrictive countries as far as I know.
Anyone want to volunteer to do this? I'm sure we could find a host that would accept Bitcoins even, or just do it for free.

twobits
August 17, 2011, 04:03:38 PM

Do you really think it will be hard for the US gov to make sourceforge put backdoored binaries up on the only mirror we have today?
Fixed that for ya
We would notice within hours if they did that. You see, the SHA-1 hashes of all official releases are PGP signed by a trusted developer, and people DO check them every now and then. It'd be great if we had a bot check them, though.
That's good. I was surprised that it seemed like they are not. Would be good to use two different hashes or at least not SHA-1 anymore. Also, it is not obvious at all from the bitcoin.org page. I just see links to downloads of the binaries; where are the links to the signatures?

Raoul Duke (OP), aka psy
August 17, 2011, 04:05:45 PM (Last edit: August 17, 2011, 10:49:46 PM by Maged)

We would notice within hours if they did that. You see, the SHA-1 hashes of all official releases are PGP signed by a trusted developer, and people DO check them every now and then. It'd be great if we had a bot check them, though.
Yes, I understand that. I also know that people like Dan Kaminsky review the source code or at least did it once and said it was ugly like hell but very well thought-out and bug-free. But I also remember this and this

aq
August 17, 2011, 04:28:58 PM

who the @&%$@ has the time to check every new commit against the code base?
I think you guys have a wrong picture about the "development" of bitcoin. Basically, there is almost no development going on; I would at best call it maintenance. I don't believe that there are even 10 lines of *code* changes committed on average per day, so one could probably even teach his grandma to review those.

zellfaze
August 17, 2011, 05:35:10 PM

Perhaps in addition to moving off of SF a yearly audit of the code should be required.
We could make it a contest. Pay BTC to those who find the most severe security flaws, just like Google does. I would donate to doing that.

pekv2
August 17, 2011, 06:30:30 PM

Because people in Iran "or any other countries listed" cannot access sourceforge, you want bitcoin not to be hosted on SF?