What would happen to bitcoin if all bitcoin-related stuff on GitHub got banned?

[aliashraf]

But the forged attacker's keys don't match the real dev's key signature. If you don't compare that the obtained key is actually the proper key, you miss an important step.

But, the attacker carries both the developers' public keys, the binaries / source code, and finally the signatures. Therefore, they have everything needed to alter the software effectively, without notice. For example, I can change Electrum's source code, replace Thomas' key with mine, replace the Thomas' signature with mine, and give it to you. How can you know I've compromised it?

Everyone in the world who has imported ThomasV's PGP key (assuming his email is verified), can retrieve the key from a keyserver, attempt to verify your binary, and notice that it fails because of wrong signature.

So the keyserver plays a very important role (I just wish GPG shipped with a default keyserver that actually works! )

Although you are right, I need to reiterate:
This is the trivial approach, relying on external data and human decision-making, in the scheme I proposed we use a more sophisticated approach though:
Once a repository is initialized, it comes with a built-in authentication metadata that includes a root public key which is committed by the fingerprint of the whole repository, hence immune to forgery. It allows Distributed Git nodes to distinguish forked versions from the authentic ones, as the legitimate commits are checked for their authenticity, failing this check is considered a fork.

[1715187373]

1715187373

[1715187373]

1715187373

[1715187373]

1715187373

[1715187373]

1715187373

[1715187373]

1715187373

[n0nce]

Everyone in the world who has imported ThomasV's PGP key (assuming his email is verified), can retrieve the key from a keyserver, attempt to verify your binary, and notice that it fails because of wrong signature.

So the keyserver plays a very important role (I just wish GPG shipped with a default keyserver that actually works! )

Depending on a keyserver again means depending on a centralized entity, which is what aliashraf is trying to avoid.

Except if you define 'people have a local copy of it' as decentralized, which is how I called Git's current state ('somewhat decentralized' as in: anyone that has a copy of the bitcoin/bitcoin repo can push it to a new remote if GitHub remote server goes down).

[pooya87]

When it comes to violating human rights, defending the rich, suppressing the poor, preserving the corrupt fiat based monetary system, etc.,  there is only one jurisdiction across the globe, it is the US jurisdiction nowadays. Mirroring doesn't work, decentralization does.

I agree that the only true option is decentralization but not with the other part specially nowadays that the world is slowly becoming a multipolar one as opposed to being unipolar for decades.

But, the attacker carries both the developers' public keys, the binaries / source code, and finally the signatures. Therefore, they have everything needed to alter the software effectively, without notice. For example, I can change Electrum's source code, replace Thomas' key with mine, replace the Thomas' signature with mine, and give it to you. How can you know I've compromised it?

You are forgetting about an essential part of PGP which is called Web of Trust, you don't just trust any key that signs a binary. You have to first spend time finding the correct key that you can trust then import that and verify the signature that it created.

[BlackHatCoiner]

Once a repository is initialized, it comes with a built-in authentication metadata that includes a root public key which is committed by the fingerprint of the whole repository, hence immune to forgery.

This root public key. How can you make sure it isn't altered effectively, since repository is distributed among nodes. For example, what forbids a node change it, and send the entire repository to other nodes?

You are forgetting about an essential part of PGP which is called Web of Trust, you don't just trust any key that signs a binary. You have to first spend time finding the correct key that you can trust then import that and verify the signature that it created.

What I'm saying is: You can't have a Web of Trust without a central point. I can trust you only after I've downloaded your key from a reliable source. This "distributed GitHub" can work, but public keys must not be transmitted that way. 

As a first step, I'd avoid surveillance by running a GitHub-like repository hosting service under Tor.

[NotATether]

You are forgetting about an essential part of PGP which is called Web of Trust, you don't just trust any key that signs a binary. You have to first spend time finding the correct key that you can trust then import that and verify the signature that it created.

The problem is that most people don't actually know how to use Web of Trust since most of the people they know do not reveal their emails, and those who do, probably do not have PGP key.

[aliashraf]

Once a repository is initialized, it comes with a built-in authentication metadata that includes a root public key which is committed by the fingerprint of the whole repository, hence immune to forgery.

This root public key. How can you make sure it isn't altered effectively, since repository is distributed among nodes. For example, what forbids a node change it, and send the entire repository to other nodes?

In the scheme, authenticity of a repository is hard-coded to its genesis and is not forgeable ever, though the genesis itself is a different story:

Once a repository is introduced to the blockchain for the first time (the genesis) its metadata provides a rich set of information including a title and a public key that are used to generate a unique ID, unlike other parts of the repository, downloading and maintaining the metadata is mandatory for all nodes. The authorization scheme built into the metadata is used subsequently for integrity assessment of incoming commit requests (CRs).

Repositories change version as a result of authorized commits, and they fork by unauthorized commits. The head of a versioned repository is identified by its original ID and its latest (legitimate) commit, this rule is also applicable to a forked repository, noting that its ID is changed and generated using the commit that caused the fork.

Maintaining forks, (and repositories generally), comes with very little costs because actual downloads are not part of the scheme, it is the node operator/owner's job to decide and execute downloads accordingly, it is done using Tor as of what is available now.

That said, I'm working on a project for implementing an overlay network above bitcoin P2P for a more general purpose networking, the main challenge here is incentivizing bitcoin full nodes to participate, whether maintaining their own software repository is enough incentive or not is subject to further assessments.
Note that it is inappropriate if not impossible to maintain a single repository with my scheme, once you decide to support forks, you have opened doors to other repositories to join, almost infinitely. Thanks to no-downloads policy, it is not a DoS backdoor.

[pooya87]

That said, I'm working on a project for implementing an overlay network above bitcoin P2P for a more general purpose networking, the main challenge here is incentivizing bitcoin full nodes to participate, whether maintaining their own software repository is enough incentive or not is subject to further assessments.

That would be interesting if the full nodes (or even SPV clients) could also keep a copy of the repository and be able to share it with other clients. The repository sizes aren't that high to need a very high incentive. For example repository sizes:
bitcoin core = 218 MB
Electrum = 50 MB
Gocoin = 17 MB

[n0nce]

Once a repository is initialized, it comes with a built-in authentication metadata that includes a root public key which is committed by the fingerprint of the whole repository, hence immune to forgery.

This root public key. How can you make sure it isn't altered effectively, since repository is distributed among nodes. For example, what forbids a node change it, and send the entire repository to other nodes?

In the scheme, authenticity of a repository is hard-coded to its genesis and is not forgeable ever, though the genesis itself is a different story:
[...]

What I like about your idea is that a Git commit history is one of the few data structures that slightly resemble - and because of that might actually make sense to implement as - a blockchain.

I see 2 issues:
[1] Embedding developer keys in the 'genesis commit' means they can't revoke them, add new ones or add new developers to the project down the road.
[2] You need a consensus mechanism, and as so often discussed on the forum, nothing works as well as PoW (if at all). So either it's built on top of a PoW cryptocurrency like Bitcoin, or you need to incentivize people to 'mine commits' using real-world energy resources.

[aliashraf]

Once a repository is initialized, it comes with a built-in authentication metadata that includes a root public key which is committed by the fingerprint of the whole repository, hence immune to forgery.

This root public key. How can you make sure it isn't altered effectively, since repository is distributed among nodes. For example, what forbids a node change it, and send the entire repository to other nodes?

In the scheme, authenticity of a repository is hard-coded to its genesis and is not forgeable ever, though the genesis itself is a different story:
[...]

What I like about your idea is that a Git commit history is one of the few data structures that slightly resemble - and because of that might actually make sense to implement as - a blockchain.

Kudos, you nailed it.  

I see 2 issues:
[1] Embedding developer keys in the 'genesis commit' means they can't revoke them, add new ones or add new developers to the project down the road.

I've already addressed it above thread:
The authorization scheme is hierarchical resembling a pki infrastructure. As long as the root is not compromised, it is possible to grant/revoke authority to new/old keys, it would be possible for root to delegate its authority, share it, and so fort, all happening on-chain and without being considered as a fork. It is done by conventional commits (metadata is part of the repository after all), though downloading and processing of commits to metadata is mandatory for nodes, to check for potential tempering attempts by devs with lower/incompatible authority.

[2] You need a consensus mechanism, and as so often discussed on the forum, nothing works as well as PoW (if at all). So either it's built on top of a PoW cryptocurrency like Bitcoin, or you need to incentivize people to 'mine commits' using real-world energy resources.

Yes, it is the biggest issue, the only serious issue to be clear, other aspects of the scheme have been explored and addressed as much as it is possible for a lone ranger but the incentive mechanism? It is complicated.

Firs and foremost, it is important to understand how deeply different is the case with a blockchain that supports the scheme I'm proposing for a truly decentralized Git, with bitcoin that is designed basically for solving double-spending of digital cash. Noticeably what bitcoin solves is a threat posed by the potential owners of the asset, whereas for repository owners it is the contrary, they have full incentive to keep their asset intact.

It would be a good analogy that repositories in my scheme are better understood as evolving NFTs, their ownership can be delegated though it is neither common practice nor subject to ordinary double-spending by re-org attempts.

Finally, and most critically, blocks in this scheme are rather batches of commits, they are signed and don't compete with forks or other repositories.

That all said, there is still the incentive problem remained in gray zone. I've been mulling this for a long time, not a conclusive result, just a few ideas:

1- I think, in this context, participating in an ultimately decentralized repository network, the altruistic factor should not be underestimated.

2- As I've said before, the actual download takes place on demand and is not part of the protocol which is only concerned about versioning and forks, it implies that the costs of participation are considerably low if not negligible.

3- Theoretically once a node supports one repository, as long as it tracks forks, it is open to multiple repositories, still in practice it is possible, though not encouraged, for nodes to “choose” a subset of the whole universal  repository space to track, or even sticking with just the main branch. The drawback would be the potential obsoleting of less famous repositories/forks.

4-We have bitcoin p2p and full nodes as potential participant.

Spamming is another issue that I found as being important, interestingly it looks to be resolved by a game theoretic equilibrium, where spammers are suspected to lose support from nodes because of point (3) where nodes are free to restrict each repository they wish from their list.

[garlonicon]

[2] You need a consensus mechanism, and as so often discussed on the forum, nothing works as well as PoW (if at all). So either it's built on top of a PoW cryptocurrency like Bitcoin, or you need to incentivize people to 'mine commits' using real-world energy resources.

It can be solved by using commitments. Each ECDSA-based signature or Schnorr signature is a pair of <r,s> values. That means, R-value is a "signature public key". It is possible to get a random key, and form a Taproot-based commitment, by creating a TapScript spending path, where the real R-value is revealed, and when there is a TapScript tree with new commits, stored as "OP_RETURN <commitHash>". It could even be "OP_RETURN OP_SHA1 <commitHash>" to indicate that the commit was hashed with SHA-1. And then, by having R-value of the signature as a random key, and a non-random TapScript with all commits, it is enough to form commitments, with no additional on-chain bytes.

And then, there are two options:
1) Anyone, any developer, user, just anyone, can make a transaction every sometimes, and store as many commitments as needed.
2) Miners can do this, if commitments are standardized, all that is needed is attaching a TapScript in the form of "OP_RETURN <allCommitmentsHash>" to the miner's Taproot address in the coinbase transaction, then the miner only needs a hash, and every user can attach an SPV proof to such commitment on its own.

Edit: Also note that even if you want to mine commits, then you can do that by using properly done Merged Mining: just mine regular Bitcoin 80-byte headers, and attach them to your commits. Then, your work will normally only protect commits from being overwritten, but sometimes you may be lucky and mine a real block. Also, in the same way you can run any test network you want, there is no need to mine a separate chain just for testing: you can have a full node, producing 80-byte headers, and you can include them in any test chain by using Merged Mining. And if you need to use any coin amounts, then they should be proportional to the heaviest chain of Proof of Work, then it should be also tracked, no matter if this chain is valid or not, then if only 1% of nodes are honest, and the block reward is 1 BTC, they will get 0.01 BTC, and the rest will be locked for the future. But here, for commits, no amounts are needed, just Merged Mining 80-byte headers with proper Taproot-based commitments is sufficient.

[Fivestar4everMVP]

So, the question that bothers me is could the same happen to Bitcoin?

Like several other users have said,  I still want to add that I don't think this can ever happen to Bitcoin,  atleast,  bitcoin has grown past the stage where we could ever imagine such kind of ban happening.
Atleast,  not while we have countries that have already adopted bitcoin as a legal tender,  and many other countries in the process to,  alot of quite powerful people, companies,  governments, institutions have invested heavily in bitcoin,  any government rising up to do something that hurts Bitcoin simply means hurting all this entities, and I personally believe that this kind of ban can not happen without this entities fighting back.

[n0nce]

I personally believe that this kind of ban can not happen without this entities fighting back.

Honestly, betting on El Salvador to fight against the U.S. and EU wanting to ban Bitcoin-related projects from GitHub is one of the worse bets I've seen.
They don't have a lot to work with / to leverage. It's a tiny nation and their adoption of Bitcoin as legal tender is mostly symbolic; it shows what's possible, but it doesn't give Bitcoin more value, more legitimacy or protection from large states' attacks.

[dkbit98]

Honestly, betting on El Salvador to fight against the U.S. and EU wanting to ban Bitcoin-related projects from GitHub is one of the worse bets I've seen.
They don't have a lot to work with / to leverage. It's a tiny nation and their adoption of Bitcoin as legal tender is mostly symbolic; it shows what's possible, but it doesn't give Bitcoin more value, more legitimacy or protection from large states' attacks.

Yeah it's silly, and we already have examples of some countries like China banning Bitcoin (several times) without much resistance.
I think that other countries won't ban Bitcoin directly yet, at least not until they release their own CBDC projects, but they can slowly start to increase pressure on exchanges, wallets, developers, miners, etc.
It's obvious they want to have full surveillance and tracking in near future, so anything related with privacy is now under attack.

[n0nce]

Honestly, betting on El Salvador to fight against the U.S. and EU wanting to ban Bitcoin-related projects from GitHub is one of the worse bets I've seen.
They don't have a lot to work with / to leverage. It's a tiny nation and their adoption of Bitcoin as legal tender is mostly symbolic; it shows what's possible, but it doesn't give Bitcoin more value, more legitimacy or protection from large states' attacks.

Yeah it's silly, and we already have examples of some countries like China banning Bitcoin (several times) without much resistance.
I think that other countries won't ban Bitcoin directly yet, at least not until they release their own CBDC projects, but they can slowly start to increase pressure on exchanges, wallets, developers, miners, etc.
It's obvious they want to have full surveillance and tracking in near future, so anything related with privacy is now under attack.

Hear me out: arrival of CBDCs, shutdown of centralized exchanges and simultaneously implementation of L1 privacy changes to the Bitcoin protocol. Bitcoin will be the obvious choice for... literally anyone.
And people will be incentivized to actually use it as a medium of exchange to escape the totalitarian nature of CBDC and avoid going through buying/selling 'hassle' on DEX's.

People will be incentivized to further get involved if (to get back on topic) centralized services were to start banning Bitcoin- and crypto-related stuff, by spinning up own nodes, own Git mirrors and whatever other tech we might have moved to until then.
More decentralized infrastructure is going to make Bitcoin stronger than ever, totally destroying the dreams of anyone attempting to shut it down by such measures.

[pooya87]

I think that other countries won't ban Bitcoin directly yet, at least not until they release their own CBDC projects, but they can slowly start to increase pressure on exchanges, wallets, developers, miners, etc.
It's obvious they want to have full surveillance and tracking in near future, so anything related with privacy is now under attack.

The only problem is that CBDC can not replace what bitcoin offers people and we and governments both know this so I really don't think they are going to start banning bitcoin after they released their govcoin. At least not all of them (maybe only the modern dictatorships aka democracies).

They already know they can't prevent people from using bitcoin but they still want to surveil. The solution was to force centralized services to implement KYC and report back. CBDCs fall under the same thing, they fill gap in the market that would help the government surveil. Right now what we have are stable shitcoins that are too shady and risky.

[BlackHatCoiner]

They already know they can't prevent people from using bitcoin but they still want to surveil. The solution was to force centralized services to implement KYC and report back.

The solution is much more cunning than you think. It's to convince the overwhelming majority that being unable for the state to control the money supply is bad; that privacy is bad; that using energy is bad; that freedom of choice, speech, thought is bad. Over all, they argue that censorship and surveillance are necessary.

Straight from the source: https://web.archive.org/web/20200919105141/https://www.weforum.org/agenda/2016/11/shopping-i-can-t-really-remember-what-that-is?utm_content=bufferadc5f&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

[takuma sato]

Honestly, betting on El Salvador to fight against the U.S. and EU wanting to ban Bitcoin-related projects from GitHub is one of the worse bets I've seen.
They don't have a lot to work with / to leverage. It's a tiny nation and their adoption of Bitcoin as legal tender is mostly symbolic; it shows what's possible, but it doesn't give Bitcoin more value, more legitimacy or protection from large states' attacks.

Yeah it's silly, and we already have examples of some countries like China banning Bitcoin (several times) without much resistance.
I think that other countries won't ban Bitcoin directly yet, at least not until they release their own CBDC projects, but they can slowly start to increase pressure on exchanges, wallets, developers, miners, etc.
It's obvious they want to have full surveillance and tracking in near future, so anything related with privacy is now under attack.

Hear me out: arrival of CBDCs, shutdown of centralized exchanges and simultaneously implementation of L1 privacy changes to the Bitcoin protocol. Bitcoin will be the obvious choice for... literally anyone.
And people will be incentivized to actually use it as a medium of exchange to escape the totalitarian nature of CBDC and avoid going through buying/selling 'hassle' on DEX's.

People will be incentivized to further get involved if (to get back on topic) centralized services were to start banning Bitcoin- and crypto-related stuff, by spinning up own nodes, own Git mirrors and whatever other tech we might have moved to until then.
More decentralized infrastructure is going to make Bitcoin stronger than ever, totally destroying the dreams of anyone attempting to shut it down by such measures.

I have considered the scenario in which CEXes are banned, it's possible, but think about it, there would be enormous backlash.

I believe the most realistic scenario, is the one where they keep the CEXes, keep adding KYC/AML restrictions, and keep getting all the taxed money from trading. There is no other way for them if they want to keep the facade of not being fully totalitarian, which is the key here. Western governments don't want to be perceived as totalitarian, as they do in totalitarian clusterfucks like China or Russia. I don't see a full ban on crypto unless BTC poses a massive systemic risk to the reign of the USD, which right now I don't see it, since it basically follows the SP500. If USD ever decouples from the SP500, and people start putting their savings on BTC more than they do on the stock market, that is where they may just fully ban the stuff.
At that point BTC will be used as cash, but forget about buying property or anything like that, they will not allow it. So your best bet would be moving somewhere where they get away with not banning it.

[Kakmakr]

I think the main problem will be the spreading of the information (URLs or links) to the new sources, without people pushing exploited repositories or trying to do it. (Now I know most binaries can be verified to make sure that it is a "legit" copy of the actual code, but it creates confusion and possible loopholes for exploitation )

Imagine all the forum posts pointing to the current GitHub and then when changes takes place.... to have legitimate links being distributed to the new repositories. 

The US are not the only country that are offering file hosting services, but they have a lot of influence to pressurize other countries to follow their actions, if these services are hosted in other countries.  I think we (Bitcoin) ...should have redundancy in place for every possible attack on Bitcoin.... even if it is forced to go underground. (DarkNet) 

[jvanname]

In related news, SourceHut recently announced that it is banning all cryptocurrencies starting on January 1, 2023. But then again SourceHut does not look very professional since the first page says "Welcome to sourcehut!" which is not capitalized. I have never used SourceHut, and I have no intention of using SourceHut since they are anti-innovative.

Codeberg is also considering banning all cryptocurrency projects (I have commented on Issue #794 about this https://codeberg.org/Codeberg/Community/issues/794). It seems like the anti-innovative people at these sites do not want anyone developing new technologies. They are not willing to reason with people who give solid reasons for developing cryptocurrency technologies. I doubt that they will be willing to understand what the people are doing. They do not want people to improve the situation.

With that being said, there are plenty of things that the cryptocurrency community could be doing much better. A lot of the bad reputation that cryptocurrencies have has been earned, but banning innovators who want to innovate is just asinine.

I trust that Github will remain innovative and that the anti-innovative hostile entities will simply stay away from Github (well, at least for now).

[ABCbits]

In related news, SourceHut recently announced that it is banning all cryptocurrencies starting on January 1, 2023. But then again SourceHut does not look very professional since the first page says "Welcome to sourcehut!" which is not capitalized. I have never used SourceHut, and I have no intention of using SourceHut since they are anti-innovative.

I have never heard this service, but at least they give 2 months before it's executed. I also checked hosted public projected[1] and it looks like there aren't too many project hosted there (only 388 pages where each page show 15 project).

Codeberg is also considering banning all cryptocurrency projects (I have commented on Issue #794 about this https://codeberg.org/Codeberg/Community/issues/794). It seems like the anti-innovative people at these sites do not want anyone developing new technologies. They are not willing to reason with people who give solid reasons for developing cryptocurrency technologies. I doubt that they will be willing to understand what the people are doing. They do not want people to improve the situation.

I don't know which user is employee at Codeberg. But it's a hypocrisy since Codeberg homepage emphasize freedom.

I trust that Github will remain innovative and that the anti-innovative hostile entities will simply stay away from Github (well, at least for now).

I have few doubt since they have history of banning several project including Tornado Cash[2]. Although on positive site, activity related with DMCA is transparent[3].


[1] https://sr.ht/projects
[2] https://www.theregister.com/2022/08/10/github_tornado_cookies/
[3] https://github.com/github/dmca