If you used "bx seed" you probably already lost your bitcoins, but if...

[NotATether]

Yesterday a new release v.3.7.0 of libbitcoin-explorer has been published on their Github repo, effectively making bx seed an obsolete command and removing it. I'm not knowledgeable enough to sift through all the commits from previous release(s) to this one to identify if major improvements with entropy handling were done. My gutt feeling: I doubt it.

Don't bother. Most of the commits are for a new major version of libbitcoin explorer (v4), and I doubt that they just released this version with all those changes on a short notice since the master branch is non-buildable according to the README.

bx seed was already removed in the master branch a while ago, according to Milksad, which also says it was renamed to bx entropy. So I'd be concerned if they just cherry-picked that commit and made a new release out of it.

[ABCbits]

Yesterday a new release v.3.7.0 of libbitcoin-explorer has been published on their Github repo, effectively making bx seed an obsolete command and removing it.

--snip--

And today v.3.7.0 was removed[1] due to dependency problem.

bx seed was already removed in the master branch a while ago, according to Milksad, which also says it was renamed to bx entropy. So I'd be concerned if they just cherry-picked that commit and made a new release out of it.

On branch version3[2], there's only single commit which remove bx seed command[3] though.

[1] https://github.com/libbitcoin/libbitcoin-explorer/issues/730#issuecomment-1678516313
[2] https://github.com/libbitcoin/libbitcoin-explorer/commits/version3
[3] https://github.com/libbitcoin/libbitcoin-explorer/commit/aa46ce63ceced3d8e9e7a2992f404b4b0d494950

[NotATether]

And today v.3.7.0 was removed[1] due to dependency problem.

It looks like they need to push a 3.7.0 for all the other libbitcoin projects as well, so they are doing that, and according to the Github issue, they just finished doing that so I'd expect the release to be back up later today.

But this also highlights the dependency hell that is present when building the libbitcoin projects which pretty much affects all of them except for libbitcoin-system. At least the CI/CD system correctly detected the build failure.

Likely these other project releases will have no new commits themselves.

[gmaxwell]

I don't use github anymore but someone pinged me there, I loaded it-- only to see voskuil shitting on me: https://github.com/libbitcoin/libbitcoin-explorer/issues/728#issuecomment-1677195708  yet another reason to not use that site!

That kind of toxic deflection from his own errors using maliciously false personal attacks is exactly why development there gets zero review, and is probably the most direct causative reason for the vulnerability in the first place. Regardless of where you might land on how much the flaw was malice vs ignorance, in either case review would have caught it with very high probability had there been any.

As a request, please avoid invoking my name in discussions. I know people mean well but If I make an argument you find persuasive feel free to just restate it in your own words, without attribution.  I've had more credit than anyone needs in a lifetime, and invoking me just inspires asshole responses like the one there and I am really beyond tired of being shit on.

[Cricktor]

I fail to comprehend the reasoning of the authors of such a swiss-army-knife tool to cripple seeding and randomness and thus emit hackable entropy without explicitly throwing out big warnings on every use of bx seed and still promoting use cases at prominent spots like "Mastering Bitcoin". This is insanely irresponsible in my opinion to an extend that I'd call it malicious, this also fueled by the responses and denial of "a problem".

I can't see strong valid arguments to solely blame the users of bx seed and who knows which subcommand of bx which needs entropy or good randomness has severe issues, too.

This is far far from good.

[Carlton Banks]

...but, the pull request doesn't seem to make any changes that should alter threading behavior, if it does it's incredibly subtle (which I appreciate is often the case with thread-safety bugs)

It does, it makes the random number generator thread specific. See the code after "// Maintain thread static state space."

i must be blind, of course it does (maybe I ignored everything after the boost:: ns, I have an aversion to boost)

I don't use github anymore but someone pinged me there, I loaded it-- only to see voskuil shitting on me: https://github.com/libbitcoin/libbitcoin-explorer/issues/728#issuecomment-1677195708  yet another reason to not use that site!

hmmmm...

This is the reason people roll dice. Trusting the OS is unsecurable.

it's definitely hard to follow this kind of reasoning: because we should all be using dice rolls to seed the RNG, let's make an oblique error message in an obscure part of the repo, to guard against a default operating mode that's catastrophic to users (who apparently received recommendations from Bitcoin Jesus II: The Revenge in "Mastering Bitcoin", an ironic title as it turns out). would an above-average reader of that book even understand the warning message?

why not simply remove ANY insecure mode whatsoever, seeing as the developer was so security conscious? it seems the answer is "demos"

[gmaxwell]

it's definitely hard to follow this kind of reasoning: because we should all be using dice rolls to seed the RNG, let's make an oblique error message in an obscure part of the repo, to guard against a default operating mode that's catastrophic to users (who apparently received recommendations from Bitcoin Jesus II: The Revenge in "Mastering Bitcoin", an ironic title as it turns out). would an above-average reader of that book even understand the warning message?

why not simply remove ANY insecure mode whatsoever, seeing as the developer was so security conscious? it seems the answer is "demos"

And why not mention dice or any other alternative?  Will their randomness be decreased if you speak their name? lol.

I doubt there is any rationalizing of this... no more clarity is going to be forthcoming.

[Carlton Banks]

Will their randomness be decreased if you speak their name? lol.

nonono, the randomness only decreases if you say "Alan Turing" into a mirror 3 times with a hand covering one eye (hence summoning the actual eye of providence to the ceremony) and holding the dice you will use in the other

(accept my apologies, i agree that only good jokes belong on the Dev & Tech sub )