Github build vs downloading source

[takuma sato]

What is safer, to build directly from github including all most recent changes, or to get the source code from the Bitcoin Core website? (in this case, https://bitcoincore.org/bin/bitcoin-core-23.0/bitcoin-23.0.tar.gz)

I see all these tutorials that teach people how to build the source are using the git clone https://github.com/bitcoin/bitcoin method which builds im assuming the most recent changes, so you get a version 23.0 followed by some alphanumeric string. Why use this and not just build the official release? Isn't this a more conservative way keep yourself updated?

[1715107914]

1715107914

[ranochigo]

The official releases are meant to be stable and they are meant for people to use.

You can clone and compile from the master branch but they are work in progress so they are supposed to be used for testing and not for normal users. If not then, you can compile from the stable branch as well (ie. git checkout [version]). You can validate against the signature when you're compiling.

[jackg]

Why use this and not just build the official release? Isn't this a more conservative way keep yourself updated?

I think it's a case of doing it how they're used to doing it with other/most software. It's likely that broken parts of the code will be commented out/not compiled for most software that's expected to be downloaded a lot this way but it isn't the best way to do it and there is probably a greater chance of getting bugs too.

[NotATether]

You actually do not want to clone the code from Github and use it verbatim because if you build that, you will get a debug build.

In particular, it will include commits from a few hours ago that are not tested fully and can compromise the stability of Core and could even have regressions.

Checking out the tree to a known working version e.g.  23.0 is identical to downloading the corresponding source code from bitcoincore.org (and the Github Releases page), and is absolutely necessary to do if you want a stable Core.

[ABCbits]

I see all these tutorials that teach people how to build the source are using the git clone https://github.com/bitcoin/bitcoin method which builds im assuming the most recent changes, so you get a version 23.0 followed by some alphanumeric string. Why use this and not just build the official release? Isn't this a more conservative way keep yourself updated?

Not all tutorials use latest commit, i managed to find few which checkout to specific tag[1-2] before compiling. If you find tutorial which use latest commit, it's likely the tutorial only show you how to compile Bitcoin Core without consideration for production system or managing real money.

[1] https://medium.com/coinmonks/how-to-compile-bitcoin-core-from-source-5539ff9fbce5
[2] https://github.com/jonatack/bitcoin-development/blob/master/how-to-compile-bitcoin-core-from-source-on-linux-and-macOS.md

[PawGo]

You actually do not want to clone the code from Github and use it verbatim because if you build that, you will get a debug build.

In particular, it will include commits from a few hours ago that are not tested fully and can compromise the stability of Core and could even have regressions.

Checking out the tree to a known working version e.g.  23.0 is identical to downloading the corresponding source code from bitcoincore.org (and the Github Releases page), and is absolutely necessary to do if you want a stable Core.

That's why it is better to rely on TAGs provided by authors. Usually tag x = release x, that way you are (almost) sure that final product will be the same as released binary.
For example for the latest version you look for that state: https://github.com/bitcoin/bitcoin/tree/v23.0
The same zipped sources which you see under /releases/ have the same content you find using tags.

[BlackHatCoiner]

Don't know if that's what you're asking, but:

Theoretically, it's safer to download the source code outside GitHub and then verify the signature of it, by downloading the public keys from GitHub. If you download both the signature, the public key(s) and the source code from GitHub, it's easier for an attacker, or from GitHub itself, to screw you. On the other hand, if you do the former, the attacker needs to compromise both sites at the same time.

[nullama]

Based on the information provided in the github repo:

Do not use the links provided by GitHub, rather use the above download links, they are guaranteed to be generated deterministically and signed.

So basically that means that you should download https://bitcoincore.org/bin/bitcoin-core-23.0/bitcoin-23.0.tar.gz in this case as you mentioned.

But more importantly, you need to verify the downloaded source code, like this for example: https://bitcoin.stackexchange.com/questions/565/how-can-one-download-the-bitcoin-client-securely

[ranochigo]

Based on the information provided in the github repo:

Do not use the links provided by GitHub, rather use the above download links, they are guaranteed to be generated deterministically and signed.

So basically that means that you should download https://bitcoincore.org/bin/bitcoin-core-23.0/bitcoin-23.0.tar.gz in this case as you mentioned.

But more importantly, you need to verify the downloaded source code, like this for example: https://bitcoin.stackexchange.com/questions/565/how-can-one-download-the-bitcoin-client-securely

Actually, both the source from that Github release and the release provided by bitcoincore.org are the same. There used to be an issue with how the tarball generated with the Github release and it resulted in the autogenerated tarball not being deterministic. It is fixed however, I think the warning (or advisory, I would say) is just in case the autogenerated tarball isn't reproducible. Checked it again and it works fine.

[nc50lc]

I see all these tutorials that teach people how to build the source are using the git clone https://github.com/bitcoin/bitcoin method which builds im assuming the most recent changes, -snip-

For the record, the "official" documentation in Bitcoin's GitHub repository instructs to build using the git clone.

These for example: github.com/bitcoin/bitcoin/blob/master/doc/build-windows.md and /doc/build-unix.md
From: github.com/bitcoin/bitcoin/tree/master/doc

It makes sense since it's in GitHub where you can assume that the readers have audited the code.
However, 'all those tutorials' might have just imitated what's written there.

[NotATether]

For the record, the "official" documentation in Bitcoin's GitHub repository instructs to build using the git clone.
~
It makes sense since it's in GitHub where you can assume that the readers have audited the code.
However, 'all those tutorials' might have just imitated what's written there.

That's because the build documentation on Github is intended for developers, that's why it tells them to use git clone.

Like the download notice says, users should be using the deterministicly signed binaries from bitcoincore.org.

[takuma sato]

I see all these tutorials that teach people how to build the source are using the git clone https://github.com/bitcoin/bitcoin method which builds im assuming the most recent changes, so you get a version 23.0 followed by some alphanumeric string. Why use this and not just build the official release? Isn't this a more conservative way keep yourself updated?

Not all tutorials use latest commit, i managed to find few which checkout to specific tag[1-2] before compiling. If you find tutorial which use latest commit, it's likely the tutorial only show you how to compile Bitcoin Core without consideration for production system or managing real money.

[1] https://medium.com/coinmonks/how-to-compile-bitcoin-core-from-source-5539ff9fbce5
[2] https://github.com/jonatack/bitcoin-development/blob/master/how-to-compile-bitcoin-core-from-source-on-linux-and-macOS.md

There should be more tutorials on YT showing you how to download latest code, sign it and build it. I've looked on YT and most are just downloading from GitHub. Most people nowadays use YT has a SERP since it's more intuitive to look at a video and hear it than read for most folks.