Bitcoin Forum
Topic: What would happen to bitcoin if all bitcoin-related stuff on GitHub got banned?
PrimeNumber7
August 10, 2022, 07:29:09 AM
 #21

> I'm not familiar with tornado cash whatsoever, and I'm pretty ignorant about smart contracts too, but I did take a look at the article and I think what needs to happen is for this action to be challenged via the legal system, lest it set a precedent that might put into motion all of those github removals and negative actions against bitcoin that you suggested could happen.
>
> I am not a lawyer myself but haven't we already had such a precedent[1] where the US Government tried to prohibit the distribution of open-source code and where the court ruled out that code is speech and therefore protected by the First Amendment? In this case, the US Government also attempts to censor free speech expressed via computer language, thereby violating the said amendment.
>
> https://www.eff.org/ru/deeplinks/2015/04/remembering-case-established-code-speech

Based on the article you cited, the case in question was never appealed, and only cases at the appellate level or higher are actually case law. However, I do believe that the US Supreme Court would likely agree with the district court ruling.

The problem is that a third party has a long hill to climb if GitHub removes content and is unwilling to fight back. GitHub has its own free speech rights, which would include its right to not publish something. In this case, Tornado Cash developers would likely need to prove that GitHub was acting as an arm of the government when they took down their repo.
n0nce
August 12, 2022, 09:31:19 AM
Merited by witcher_sense (1)
 #22

The beauty of Git is that it's decentralized. Not in the traditional way, maybe, but anyone who clones a GitHub repo, holds the entire repository on their hard drive, including full commit history back to the very first commit.

Anyone who followed one of my guides, like the ones below, already has such full copies of various pieces of Bitcoin software on their machine.
[Guide] FULL NODE OpenSUSE 15.3: bitcoind + electrs + c-lightning + RTL
[Guide] Futurebit Apollo BTC Custom Linux Install - Node

If anything were to happen with GitHub / Microsoft where they categorically remove such projects, even if it was without prior notice to the developers, thousands of people are going to have more or less recent versions of the repositories on their own computers and can push those to new Git remotes; either self-hosted or from other centralized service providers.

Of course, whichever developer created the last commit pushed to the GitHub remote, will be able to do this in the least destructive fashion (no loss of commits), but e.g. in case they tried to abuse this position to include malicious commits or anything like that, everyone with a recent pull would notice.

casinotester0001
August 12, 2022, 10:00:59 AM
 #23

What would happen to bitcoin if all bitcoin-related stuff on GitHub got banned?

Someone would create "HitGub" which would be a copy of GitHub, set it up in e.g. Malta and we would go on as usual.
n0nce
August 12, 2022, 09:49:25 PM
 #24

> What would happen to bitcoin if all bitcoin-related stuff on GitHub got banned?
>
> Someone would create "HitGub" which would be a copy of GitHub, set it up in e.g. Malta and we would go on as usual.

That exists already.

https://gitlab.com/
https://bitbucket.org/
https://sourceforge.net/
https://aws.amazon.com/codecommit/

Just to name a few. It's also easy to set up your very own Git server.
Here's a guide for anyone interested, directly from the actual Linux Foundation's blog: https://linuxfoundation.org/blog/classic-sysadmin-how-to-run-your-own-git-server/

NotATether
August 13, 2022, 03:48:14 AM
 #25

> Here's a guide for anyone interested, directly from the actual Linux Foundation's blog: https://linuxfoundation.org/blog/classic-sysadmin-how-to-run-your-own-git-server/

Christ, why do they make it so complicated? In the case of Gitea (which is still using actual Git), you just have to make a Git working dir, copy the binaries to /bin and copy the supplied systemd service to the respective systemd folder. There's even a Docker container to avoid all this hassle.

aliashraf
August 13, 2022, 05:44:49 AM
 #26

GitHub is not Git! The latter is just an engine, but GitHub goes far beyond that.

It is very disappointing to see so many posts in this thread, touting Git as an alternative.

Anyway, I just read something about a dev being arrested by Dutch police, accused of writing the smart contract behind Tornado Cash; they are now going after devs. They weirdly sanctioned a smart contract, for the first time in history, and now some stupid judge approves arresting a 30-year-old programmer who coded the contract. Angry
n0nce
August 13, 2022, 09:55:05 PM
 #27

> GitHub is not Git! The latter is just an engine, but GitHub goes far beyond that.
>
> It is very disappointing to see so many posts in this thread, touting Git as an alternative.

GitHub is just a Git hosting service. What are you doing when working with GitHub? You're actually working with Git, and pushing to GitHub.

That's what makes the last quoted sentence sound a little hilarious.. Cheesy You can use any other hosting service, such as one you run yourself.

> > Here's a guide for anyone interested, directly from the actual Linux Foundation's blog: https://linuxfoundation.org/blog/classic-sysadmin-how-to-run-your-own-git-server/
>
> Christ, why do they make it so complicated? In the case of Gitea (which is still using actual Git), you just have to make a Git working dir, copy the binaries to /bin and copy the supplied systemd service to the respective systemd folder. There's even a Docker container to avoid all this hassle.

It's actually not really complicated at all; most of the steps are general Git usage information.
As far as I know, if you want the GitHub web frontend: that's closed-source, last I checked. But GitLab and indeed Gitea, are open source and can be hosted anywhere.

If anyone's interested in running an 'archival' / redundant GitHub mirror of various important Bitcoin projects, it would be a piece of cake auto-pulling those repos and pushing to a self-hosted Git server by the minute.

scoumoune
August 14, 2022, 01:47:00 AM
 #28

It would be really hard for them to ban BTC code unless there was some "National Security" label attached to it.

Given that, I'm sure dozens of private Gitlabs would start springing up with the source code (mine included).

Ultimately, even in the most extreme of worst cases, a Gitlab (or any other code versioning tool, such as Google's in-house created Gerrit) would spring up over VPN and TOR and BTC would go on just fine.
pooya87
August 14, 2022, 02:40:38 AM
 #29

Self hosting is not that easy, the biggest challenge is providing security. You don't want someone modifying the code by gaining access to accounts and merging pull requests, etc. I think this is what @aliashraf means by "github goes beyond that".

> It would be really hard for them to ban BTC code unless there was some "National Security" label attached to it.

Good thing that bitcoin is international not national...

BlackHatCoiner
August 14, 2022, 11:52:58 AM
 #30

> It would be really hard for them to ban BTC code unless there was some "National Security" label attached to it.

It makes more sense to ban free speech, than code. What is code to be banned? How can you ban, forbid, criminalize something that's free, and can be run by anyone, in any country, anytime, with little effort? Remove the repository, and be sure that a wave of decentralized Git network will appear. You can't ban restriction-resistant software. You can only prove it's more vital for a free society.

aliashraf
August 14, 2022, 09:19:27 PM
Merited by ABCbits (1)
 #31

> > GitHub is not Git! The latter is just an engine, but GitHub goes far beyond that.
> >
> > It is very disappointing to see so many posts in this thread, touting Git as an alternative.
>
> GitHub is just a Git hosting service. What are you doing when working with GitHub? You're actually working with Git, and pushing to GitHub.

It is the technical sub of the bloody original bitcoin forum, we are all supposed to avoid spreading misinformation.

Github is a web application that uses Git, the latter is a Version Control System, VCS. When you work with Github you are offered dozens of features and utilities that are not part of a VCS.

Git is open source and free, while Github is a multibillion $ property of Microsoft that provides a sophisticated user interface for versioning, it is not hosting in the exact sense of the word. Hosts are infrastructure providers, they host your own or third party software for you.

Github doesn't abstract users from Git, because typically the user is a software engineer/programmer, the one who abstracts but doesn't like to be abstracted 8), it is a matter of design and requirements.

As much as it is needed, it is hard to replace Github, but not impossible. The alternative is neither bare Git, nor another Github-like centralized service. What we need (and it is inevitable, imo), is a decentralized network of Git repositories behind a decentralized web application.

There are decent technologies that are available, and as I mentioned above thread I've done some research about it years ago, only missing factors, as usual, money and commitment.

PrimeNumber7
August 14, 2022, 09:36:43 PM
 #32

> The beauty of Git is that it's decentralized. Not in the traditional way, maybe, but anyone who clones a GitHub repo, holds the entire repository on their hard drive, including full commit history back to the very first commit.

Git is not decentralized. It just makes it more difficult to "delete" something if it is part of a git-based repo. This is why if there is ever any kind of private key or "secret" committed to a GitHub (or other git-based) repo, the "secret" needs to be invalidated, and no longer be used.

If a repo is removed from GitHub (by the owner of the repo, or by GitHub), if you do not already have a local copy of the repo, it is not possible to obtain a copy, and authoritatively know you have the same code as was on the repo.
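
Posts #22 and #32 both turn on whether a copy of a repository can be checked against what was on GitHub. The following is an added example, not part of any post: it recomputes SHA-1 object ids the way Git does for a constructed three-commit history and compares mirrors against a tip commit id assumed to have been recorded from a trusted pull (all file names, contents and the `IDENT` string are made up).

```python
import hashlib

def git_object_id(kind, body):
    """Object id as Git (SHA-1 format) computes it: sha1(b'<kind> <size>\\0' + body)."""
    return hashlib.sha1(f"{kind} {len(body)}".encode() + b"\x00" + body).hexdigest()

def tree_id(files):
    """Id of a flat tree of regular files (mode 100644); `files` maps name -> bytes."""
    body = b""
    for name in sorted(files):
        blob = git_object_id("blob", files[name])
        body += b"100644 " + name.encode() + b"\x00" + bytes.fromhex(blob)
    return git_object_id("tree", body)

# Constructed identity and timestamp, fixed so the ids are reproducible.
IDENT = "Example Dev <dev@example.invalid> 1660000000 +0000"

def commit_id(tree, parent, message):
    """Id of a commit object: it covers the tree id AND the parent commit id."""
    lines = ["tree " + tree]
    if parent is not None:
        lines.append("parent " + parent)
    lines += ["author " + IDENT, "committer " + IDENT, "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode())

def tip_of(history):
    """Replay a list of (message, files) snapshots and return the last commit id."""
    parent = None
    for message, files in history:
        parent = commit_id(tree_id(files), parent, message)
    return parent

def mirror_is_authentic(pinned_tip, mirror_history):
    """True only if the mirror's whole history hashes to the id recorded earlier."""
    return tip_of(mirror_history) == pinned_tip

# Constructed sample data: the upstream history as of the last trusted pull.
UPSTREAM = [
    ("initial import", {"main.c": b"int main(void) { return 0; }\n"}),
    ("add fee check", {"main.c": b"int main(void) { return 0; }\n",
                       "fee.c": b"int min_fee = 1000;\n"}),
    ("raise min fee", {"main.c": b"int main(void) { return 0; }\n",
                       "fee.c": b"int min_fee = 2000;\n"}),
]
# A mirror that rewrote the SECOND commit but serves an identical latest tree.
REWRITTEN = [
    UPSTREAM[0],
    ("add fee check", {"main.c": b"int main(void) { return 0; }\n",
                       "fee.c": b"int min_fee = 0;\n"}),
    UPSTREAM[2],
]
# A mirror that changed only the newest files.
PATCHED_TIP = UPSTREAM[:2] + [
    ("raise min fee", {"main.c": b"int main(void) { return 1; }\n",
                       "fee.c": b"int min_fee = 2000;\n"}),
]

PINNED_TIP = tip_of(UPSTREAM)  # assumption: noted down before the repo disappeared

if __name__ == "__main__":
    for name, hist in [("honest", UPSTREAM), ("rewritten", REWRITTEN),
                       ("patched", PATCHED_TIP)]:
        print(name, tip_of(hist), mirror_is_authentic(PINNED_TIP, hist))
```

The rewritten mirror ends in exactly the same files as upstream, yet its tip id differs because each commit id hashes its parent's id. With a real clone, the same comparison is `git rev-parse HEAD` against the recorded id.
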
n0nce
August 14, 2022, 10:27:52 PM
Merited by ABCbits (1)
 #33

> > > GitHub is not Git! The latter is just an engine, but GitHub goes far beyond that.
> > >
> > > It is very disappointing to see so many posts in this thread, touting Git as an alternative.
> >
> > GitHub is just a Git hosting service. What are you doing when working with GitHub? You're actually working with Git, and pushing to GitHub.
>
> It is the technical sub of the bloody original bitcoin forum, we are all supposed to avoid spreading misinformation.
>
> Github is a web application that uses Git, the latter is a Version Control System, VCS. When you work with Github you are offered dozens of features and utilities that are not part of a VCS.

I know that GitHub comes with a lot of extra bells and whistles; but fundamentally, it's a Git remote.
If it comes down to protecting against deletion of the https://github.com/bitcoin/bitcoin repo, any simple Git remote will suffice in keeping the whole commit history.

> GitHub, Inc., is an Internet hosting service for software development and version control using Git. It provides the distributed version control of Git[emphasis mine] plus access control, bug tracking, software feature requests, task management, continuous integration, and wikis for every project.

I don't think I'm spreading misinformation; just sharing ways to save the repo in case 'all bitcoin-related stuff on GitHub got banned' (original question title).

> As much as it is needed, it is hard to replace Github, but not impossible. The alternative is neither bare Git, nor another Github-like centralized service. What we need (and it is inevitable, imo), is a decentralized network of Git repositories behind a decentralized web application.

What about just having mirrors on other Git 'hosting services' / Git remotes - self-hosted ones and popular, known ones? In case one remote is shut down, devs can just open a ticket on one of the mirrors, agree on which one becomes the new 'master' remote and the other remotes continue mirroring that?

pooya87
August 15, 2022, 05:13:47 AM
Merited by n0nce (1)
 #34

> What about just having mirrors on other Git 'hosting services' / Git remotes - self-hosted ones and popular, known ones?

Although this is not a full solution, it could significantly reduce the risks of disrupting development and access to code BUT only as long as the different mirrors are hosted in jurisdictions that are separate. For example, if both are located in the US or any country that follows the US (UK, Japan, South Korea,...) then it will only create a false sense of security.

aliashraf
August 17, 2022, 04:03:38 PM
Merited by BlackHatCoiner (2)
 #35

> as long as the different mirrors are hosted in jurisdictions that are separate. For example, if both are located in the US or any country that follows the US (UK, Japan, South Korea,...) then it will only create a false sense of security.

When it comes to violating human rights, defending the rich, suppressing the poor, preserving the corrupt fiat based monetary system, etc., there is only one jurisdiction across the globe, it is the US jurisdiction nowadays. Mirroring doesn't work, decentralization does.

Unfortunately, Git abundantly resists decentralization, unlike what it looks like at first glance. The same basic approach that distinguishes Git from traditional "delta" based VCS, makes it hard to be truly distributed as you are dependent on a reference repository, a single point of failure. For an analogy, consider how we keep the ledger synced in bitcoin blockchain: there is no reference ledger, blocks change the ledger incrementally if they pass the consensus test, there is no "reference ledger" or "fetch" operation.

In my design, we abandon "reference repository", "fetch","pull", etc., altogether. To be more specific, we push them behind the scene using an abstraction layer, keeping the legacy Git intact. In this new world, pull requests are relayed by devs to their immediate peers in a p2p network, checking consensus rules (specific to the repository) peers decide to reject or forward the PR, in the latter case they keep it in "reqpool" waiting for commit requests, CR, that refer to (a set of) PRs. Devs who can produce PR, are eligible to issue CR, it is up to nodes to choose between forks or even support multiple forks which have unique identities generated by PRs that have been committed.

It would be just the infrastructure necessary for a truly decentralized Git ecosystem, resistant to any bullying practice and more importantly a fun adventure. I stopped developing it just because it is beyond my personal budget and time to do it in lone ranger fashion, in case anybody got enough support and motivation to follow, I'd be more than happy to share more, a lot more. Wink

BlackHatCoiner
August 17, 2022, 04:26:17 PM
 #36

> In my design, we abandon "reference repository", "fetch","pull", etc., altogether. To be more specific, we push them behind the scene using an abstraction layer, keeping the legacy Git intact.

So we don't abandon them. We just stop being dependent on Github.com for their maintenance. Decentralizing git (which isn't already accomplished with Gitea servers?) doesn't break the core idea of distributing and tracking software versions, which includes fetching and pulling requests.

One thing I don't understand is how you ensure the integrity of the software. For example, say you want to install Electrum. Normally, you should download the binaries (or the source code) with their respective signatures. These signatures correspond to public keys that are uploaded to some server, preferably to some trustworthy server (e.g., Github.com). On a p2p network, an attacker can replace the devs' keys with theirs.

Cricktor
August 17, 2022, 05:21:01 PM
 #37

> On a p2p network, an attacker can replace the devs' keys with theirs.

But the forged attacker's keys don't match the real dev's key signature. If you don't compare that the obtained key is actually the proper key, you miss an important step.

BlackHatCoiner
August 17, 2022, 05:44:38 PM
 #38

> But the forged attacker's keys don't match the real dev's key signature. If you don't compare that the obtained key is actually the proper key, you miss an important step.

But, the attacker carries both the developers' public keys, the binaries / source code, and finally the signatures. Therefore, they have everything needed to alter the software effectively, without notice. For example, I can change Electrum's source code, replace Thomas' key with mine, replace Thomas' signature with mine, and give it to you. How can you know I've compromised it?

aliashraf
August 17, 2022, 06:24:34 PM
Last edit: August 17, 2022, 06:40:32 PM by aliashraf
 #39

> > In my design, we abandon "reference repository", "fetch","pull", etc., altogether. To be more specific, we push them behind the scene using an abstraction layer, keeping the legacy Git intact.
>
> So we don't abandon them. We just stop being dependent on Github.com for their maintenance.

As I said, we push them behind the scene. Consider how a file system hides the actual low level block I/O, applications read/write files as a continuous stream of bytes but behind the scene it is done with discrete blocks that are not guaranteed to be physically adjacent.

> Decentralizing git (which isn't already accomplished with Gitea servers?) doesn't break the core idea of distributing and tracking software versions, which includes fetching and pulling requests.

Gitea has nothing to do with decentralization per se. It provides excellent, yet centralized Git self-hosting features as you have the reference repository concept and other related stuff as ordinary Git.

> One thing I don't understand is how you do ensure for the integrity of the software.

It is both easy and hard. Trivially, one can always use its social knowledge (external data) to prune the invalid/unwanted forks (@cricktor has already mentioned it above), unfortunately it is not applicable to automated synchronization process I'm suggesting.

For the latter purpose, my scheme imposes a well-defined authorization metadata that PRs which try to change it are considered forks as well as unauthorized PRs. For legitimate authorization update, the metadata is organized hierarchically, it is possible for a repository owner (with unique signature) to grant/revoke commit access to other contributors, etc.

> On a p2p network, an attacker can replace the devs' keys with theirs.

The original dev key is, analogically speaking, the Genesis, it can't be changed without kinda hard-forking the repository, it changes the identity of the repository and can't be done covertly.
NotATether
August 17, 2022, 08:26:36 PM
 #40

> > But the forged attacker's keys don't match the real dev's key signature. If you don't compare that the obtained key is actually the proper key, you miss an important step.
>
> But, the attacker carries both the developers' public keys, the binaries / source code, and finally the signatures. Therefore, they have everything needed to alter the software effectively, without notice. For example, I can change Electrum's source code, replace Thomas' key with mine, replace Thomas' signature with mine, and give it to you. How can you know I've compromised it?

Everyone in the world who has imported ThomasV's PGP key (assuming his email is verified), can retrieve the key from a keyserver, attempt to verify your binary, and notice that it fails because of wrong signature.

So the keyserver plays a very important role (I just wish GPG shipped with a default keyserver that actually works! Angry)
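
The exchange in posts #36 to #40 comes down to where the verifier obtains the public key. The following is an added example, not part of any post: it uses Lamport one-time signatures built from SHA-256 as a standard-library stand-in for PGP (an assumption made so it runs offline), with constructed artifacts, and compares a verifier that trusts the key shipped with the download against one that pins a fingerprint learned from an independent channel.

```python
import hashlib
import secrets

def H(data):
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 pairs of secrets; public key = their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def digest_bits(message):
    d = H(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, message):
    """Reveal one secret per digest bit. A Lamport key must sign only once."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(message))]

def verify(pk, message, sig):
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(message)))

def fingerprint(pk):
    """Short identifier of a public key, the value a user would pin."""
    return hashlib.sha256(b"".join(a + b for a, b in pk)).hexdigest()

def bundle(artifact, pk, sig):
    """What a download site or p2p peer hands over: file, key and signature."""
    return {"artifact": artifact, "pubkey": pk, "sig": sig}

def verify_with_bundled_key(b):
    """Weak check: the key comes from the same place as the file it vouches for."""
    return verify(b["pubkey"], b["artifact"], b["sig"])

def verify_with_pinned_key(b, pinned_fpr):
    """Strong check: the key must match a fingerprint obtained out of band."""
    if fingerprint(b["pubkey"]) != pinned_fpr:
        return False
    return verify(b["pubkey"], b["artifact"], b["sig"])

def demo():
    """Return {case: (bundled_key_result, pinned_key_result)} for three bundles."""
    dev_sk, dev_pk = keygen()
    other_sk, other_pk = keygen()   # key held by whoever serves the altered file
    release = b"wallet-1.0 (constructed sample artifact)"
    altered = b"wallet-1.0 (constructed sample artifact, modified)"
    pinned = fingerprint(dev_pk)    # assumption: learned via an independent channel

    genuine = bundle(release, dev_pk, sign(dev_sk, release))
    resigned = bundle(altered, other_pk, sign(other_sk, altered))  # key + sig swapped
    spliced = bundle(altered, dev_pk, genuine["sig"])              # real key, old sig

    cases = [("genuine", genuine), ("resigned", resigned), ("spliced", spliced)]
    return {name: (verify_with_bundled_key(b), verify_with_pinned_key(b, pinned))
            for name, b in cases}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The re-signed bundle passes the bundled-key check and fails only the pinned one, so the signature adds nothing unless the key or its fingerprint arrives through a channel the file's distributor does not control.
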
