takuma sato (OP)
|
What is safer, to build directly from github including all most recent changes, or to get the source code from the Bitcoin Core website? (in this case, https://bitcoincore.org/bin/bitcoin-core-23.0/bitcoin-23.0.tar.gz) I see all these tutorials that teach people how to build the source are using the git clone https://github.com/bitcoin/bitcoin method which builds im assuming the most recent changes, so you get a version 23.0 followed by some alphanumeric string. Why use this and not just build the official release? Isn't this a more conservative way keep yourself updated?
|
|
|
|
|
|
|
The grue lurks in the darkest places of the earth. Its favorite diet is adventurers, but its insatiable appetite is tempered by its fear of light. No grue has ever been seen by the light of day, and few have survived its fearsome jaws to tell the tale.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
ranochigo
Legendary
Offline
Activity: 2968
Merit: 4168
|
|
May 19, 2022, 04:33:55 PM |
|
The official releases are meant to be stable and they are meant for people to use.
You can clone and compile from the master branch but they are work in progress so they are supposed to be used for testing and not for normal users. If not then, you can compile from the stable branch as well (ie. git checkout [version]). You can validate against the signature when you're compiling.
|
. .HUGE. | | | | | | █▀▀▀▀ █ █ █ █ █ █ █ █ █ █ █ █▄▄▄▄ | ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ . CASINO & SPORTSBOOK ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ | ▀▀▀▀█ █ █ █ █ █ █ █ █ █ █ █ ▄▄▄▄█ | | |
|
|
|
jackg
Copper Member
Legendary
Offline
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
|
|
May 20, 2022, 12:06:48 AM |
|
Why use this and not just build the official release? Isn't this a more conservative way keep yourself updated?
I think it's a case of doing it how they're used to doing it with other/most software. It's likely that broken parts of the code will be commented out/not compiled for most software that's expected to be downloaded a lot this way but it isn't the best way to do it and there is probably a greater chance of getting bugs too.
|
|
|
|
NotATether
Legendary
Offline
Activity: 1596
Merit: 6730
bitcoincleanup.com / bitmixlist.org
|
You actually do not want to clone the code from Github and use it verbatim because if you build that, you will get a debug build.
In particular, it will include commits from a few hours ago that are not tested fully and can compromise the stability of Core and could even have regressions.
Checking out the tree to a known working version e.g. 23.0 is identical to downloading the corresponding source code from bitcoincore.org (and the Github Releases page), and is absolutely necessary to do if you want a stable Core.
|
. .BLACKJACK ♠ FUN. | | | ███▄██████ ██████████████▀ ████████████ █████████████████ ████████████████▄▄ ░█████████████▀░▀▀ ██████████████████ ░██████████████ █████████████████▄ ░██████████████▀ ████████████ ███████████████░██ ██████████ | | CRYPTO CASINO & SPORTS BETTING | | │ | | │ | ▄▄███████▄▄ ▄███████████████▄ ███████████████████ █████████████████████ ███████████████████████ █████████████████████████ █████████████████████████ █████████████████████████ ███████████████████████ █████████████████████ ███████████████████ ▀███████████████▀ ███████████████████ | | .
|
|
|
|
|
PawGo
Legendary
Offline
Activity: 952
Merit: 1367
|
|
May 20, 2022, 11:53:49 AM |
|
You actually do not want to clone the code from Github and use it verbatim because if you build that, you will get a debug build.
In particular, it will include commits from a few hours ago that are not tested fully and can compromise the stability of Core and could even have regressions.
Checking out the tree to a known working version e.g. 23.0 is identical to downloading the corresponding source code from bitcoincore.org (and the Github Releases page), and is absolutely necessary to do if you want a stable Core.
That's why it is better to rely on TAGs provided by authors. Usually tag x = release x, that way you are (almost) sure that final product will be the same as released binary. For example for the latest version you look for that state: https://github.com/bitcoin/bitcoin/tree/v23.0The same zipped sources which you see under /releases/ have the same content you find using tags.
|
|
|
|
BlackHatCoiner
Legendary
Online
Activity: 1512
Merit: 7357
Farewell, Leo
|
|
May 20, 2022, 04:18:36 PM |
|
Don't know if that's what you're asking, but:
Theoretically, it's safer to download the source code outside GitHub and then verify the signature of it, by downloading the public keys from GitHub. If you download both the signature, the public key(s) and the source code from GitHub, it's easier for an attacker, or from GitHub itself, to screw you. On the other hand, if you do the former, the attacker needs to compromise both sites at the same time.
|
. .HUGE. | | | | | | █▀▀▀▀ █ █ █ █ █ █ █ █ █ █ █ █▄▄▄▄ | ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ . CASINO & SPORTSBOOK ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ | ▀▀▀▀█ █ █ █ █ █ █ █ █ █ █ █ ▄▄▄▄█ | | |
|
|
|
|
ranochigo
Legendary
Offline
Activity: 2968
Merit: 4168
|
|
May 28, 2022, 03:01:33 PM |
|
Actually, both the source from that Github release and the release provided by bitcoincore.org are the same. There used to be an issue with how the tarball generated with the Github release and it resulted in the autogenerated tarball not being deterministic. It is fixed however, I think the warning (or advisory, I would say) is just in case the autogenerated tarball isn't reproducible. Checked it again and it works fine.
|
. .HUGE. | | | | | | █▀▀▀▀ █ █ █ █ █ █ █ █ █ █ █ █▄▄▄▄ | ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ . CASINO & SPORTSBOOK ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ | ▀▀▀▀█ █ █ █ █ █ █ █ █ █ █ █ ▄▄▄▄█ | | |
|
|
|
nc50lc
Legendary
Offline
Activity: 2408
Merit: 5591
Self-proclaimed Genius
|
|
May 29, 2022, 03:33:02 AM |
|
I see all these tutorials that teach people how to build the source are using the git clone https://github.com/bitcoin/bitcoin method which builds im assuming the most recent changes, -snip-For the record, the " official" documentation in Bitcoin's GitHub repository instructs to build using the git clone. These for example: github.com/bitcoin/bitcoin/blob/master/doc/build-windows.md and /doc/build-unix.mdFrom: github.com/bitcoin/bitcoin/tree/master/docIt makes sense since it's in GitHub where you can assume that the readers have audited the code. However, 'all those tutorials' might have just imitated what's written there.
|
. .HUGE. | | | | | | █▀▀▀▀ █ █ █ █ █ █ █ █ █ █ █ █▄▄▄▄ | ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ . CASINO & SPORTSBOOK ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ | ▀▀▀▀█ █ █ █ █ █ █ █ █ █ █ █ ▄▄▄▄█ | | |
|
|
|
NotATether
Legendary
Offline
Activity: 1596
Merit: 6730
bitcoincleanup.com / bitmixlist.org
|
|
May 29, 2022, 05:38:21 AM |
|
For the record, the "official" documentation in Bitcoin's GitHub repository instructs to build using the git clone. ~ It makes sense since it's in GitHub where you can assume that the readers have audited the code. However, 'all those tutorials' might have just imitated what's written there.
That's because the build documentation on Github is intended for developers, that's why it tells them to use git clone. Like the download notice says, users should be using the deterministicly signed binaries from bitcoincore.org.
|
. .BLACKJACK ♠ FUN. | | | ███▄██████ ██████████████▀ ████████████ █████████████████ ████████████████▄▄ ░█████████████▀░▀▀ ██████████████████ ░██████████████ █████████████████▄ ░██████████████▀ ████████████ ███████████████░██ ██████████ | | CRYPTO CASINO & SPORTS BETTING | | │ | | │ | ▄▄███████▄▄ ▄███████████████▄ ███████████████████ █████████████████████ ███████████████████████ █████████████████████████ █████████████████████████ █████████████████████████ ███████████████████████ █████████████████████ ███████████████████ ▀███████████████▀ ███████████████████ | | .
|
|
|
|
takuma sato (OP)
|
|
August 23, 2022, 03:00:34 PM |
|
There should be more tutorials on YT showing you how to download latest code, sign it and build it. I've looked on YT and most are just downloading from GitHub. Most people nowadays use YT has a SERP since it's more intuitive to look at a video and hear it than read for most folks.
|
|
|
|
|