The irony of a decentralized currency with a development team.

[TERA]

I think that fact that we have and rely on a development team is element of centralization and a weakness which somewhat defeats the purpose of a decentralized currency. Who is coordinating the efforts of the developers? How do you become a bitcoin developer? Who decides what versions of the code to release? Who reviews the code? I know it is open source but who is actually making sure that the code is reviewed and how do they go about approving and denying code? Who pushes the releases? Who controls the website where the majority of people download the releases and who controls what shows up in the app store of mobile devices? How do you trust anyone in this chain of people and how do you know that any one of them isn't going to become malicious? How do you know a government or some powerful powerful people aren't going to secretly blackmail, bribe, or capture these people and gain control of the system by having something malicious inserted into the code or by having the team unable to solve problems?

I know you, the bitcoin community, trust all of these people, and knows that somehow everything is going to work. But try to think from the perspective of a business looking to adopt bitcoin. They don't know any of these people. They don't trust any of these people. They didn't hire any of these people. How can I trust my business to a group of people that I don't know? Wait why am I trusting people when the whole purpose of this was supposed to be decentralization?

[Ibian]

The entire point of having it open source is that we don't rely on trust. Anyone with the proper skills can audit the code. And this is the internet, people love pointing out things others do wrong. Don't worry, the watchdogs will alert us if anything bad is happening.

[the joint]

Open...source...

It's the current choice of those who download the Satoshi client to download it.  If someone else releases something better, or if the current dev team releases a shoddy client, people can react accordingly.

There is no need to trust the people making the software if it's open-sourced.  If you want, you can learn to read code and examine it for yourself and reach your own conclusions.  That's why businesses hire auditors (who provide evidence of their qualifications, and thus they are the ones who need to be trusted) to examine code.

[TERA]

Not everyone who uses bitcoin is a developer or is going to audit the entire code source every time they download it. We are talking about mass adoption here. We are talking about every day people and businesses using bitcoin. Bitcoin is not just a hobbyist thing used by developers anymore.

[Ibian]

We are talking about all the code diggers in the entire world looking the devs over their shoulders. EVERY one of them in the WHOLE world. The more adoption we get, the more auditors, the less risk of anything shady getting passed. You worry over nothing.

[TERA]

But how do you control the means of distribution and what the public sees? I can imagine some type of zero-day attack such as where the wrong version of the code gets pushed out on mobile devices and steals everyone's private keys.

[Ibian]

MD5.

[Edward50]

TERA you have a good point there and I must say I saw first hand what the developers can do with a ALT COIN.

With one particular alt-coin they decided to upgrade it to change how the mining works after the coin was released. This caused the growth rate to go from around 700 coins a day to less than 50 coins a day.

I was betting on the coin price falling as it was way overvalued and I was right. Then they did this patch or upgrade and of course the value doubled. I was like WTF.

If I would have known they were going to do this I would have bought heavily because I knew the growth rate would slow up.

It wasn't long before the growth rate went back to normal and the price dropped. They just changed the code to not allow the difficulty to fluctuate so quickly.

I really did not like that they can change the rules when they wanted to.

[empoweoqwj]

But how do you control the means of distribution and what the public sees? I can imagine some type of zero-day attack such as where the wrong version of the code gets pushed out on mobile devices and steals everyone's private keys.

How else do you develop software without people developing it?

Open Source / GitHub works very well. Go and learn about it. Nobody can just infect the code and steal people's keys. That's what programs do that aren't open source 

[cr1776]

But how do you control the means of distribution and what the public sees? I can imagine some type of zero-day attack such as where the wrong version of the code gets pushed out on mobile devices and steals everyone's private keys.

Many people building, Checksums, gitian etc.

There is no "push" either for bitcoind or qt

[nanonano]

Not everyone who uses bitcoin is a developer or is going to audit the entire code source every time they download it. We are talking about mass adoption here. We are talking about every day people and businesses using bitcoin. Bitcoin is not just a hobbyist thing used by developers anymore.

You talk about this as if bitcoin was the first thing using open source code for something important... Billion-dollar businesses have been running on open source for a long, long time already (hell, just making open source software is a multi-billion dollar business). These same questions have been asked and answered many, many times before bitcoin even existed.

I know open source still sounds like "hobbyist stuff" to some people but rational folks soon realize the obvious: the _exact_ same problems are there for closed source software -- this goes for every single one of your questions. How do you make sure the release engineers you hired aren't putting malware in the software before uploading it to iTunes? Even if you can do it, how can third parties be sure those engineers aren't scamming them? How can your clients be sure that your developers are actually reviewing each others code, instead of just filling in the paper work that says they are?

For some people the answer to those questions is a big bureaucracy with very formal development, deployment and code review processes, expensive Black Duck scanner licenses and lots of rubber stamping  in release verification -- and I'm sure someone will make a nice business out of doing that to the bitcoin source code at some point. For someone else the answer might just be to employ a couple of bitcoin developers/release engineers and make security their #1 objective. For yet a third type, the answer is compiling all their clients in-house with an extremely conservative upgrade policy and extensive review.


Open source is just a way of developing software. Nothing more, nothing less.

[yatsey87]

What would be an alternative solution? I see the issue, but don't think it's a problem.

[zeetubes]

I'm not a huge proponent of open source. But stop with the dumb questions. Then again I remember how dumb I was before I exited puberty. Three degrees later and I'm still pretty dumb.

Open source creates the ability to have a relative amount of trust in something at the expense of a generic solution. The chip your phone runs on is custom, closed source. It screams. It is more powerful than most pc's. Lightning fast. The operating system your phone runs on is 45 years old. Android, ios, blackberry whatever. An antique like me. It is inefficient at the kernel level (although ios does have some nice tweaks) and slows the chip down to about one fifth of its possible performance. But it is fairly trustworthy and every man and his dog knows how to code it. The world is full of compromises.

[BittBurger]

I had a quick PM with Gavin about this a few weeks ago.  He said he is in full support of a decentralized development team, and has absolutely zero desire for he and his foundation buddies to be the end-all be-all of Bitcoin development.  He said he is actively pursuing ways to decentralize the development around the world, effort even further.  I think he is fully aware of the weaknesses of any form of centralization.  Especially in development.  He was responding to a question I asked him:  "What happens when powerful people come to you and try to force you to change the code, since you're the "go to" guy?"  

-B-

[Duane Vick]

I think you can ask the same questions about the US dollar. The major difference being that the US dollar was corrupted over 100 years ago and that doesn't seem to affect adoption rates by business.

[Skinnkavaj]

This is why it's good to have alternative clients like Armory.