Bitcoin Forum
Author Topic: bitcoins open sourceness  (Read 1297 times)
yeponlyone
May 14, 2011, 09:16:48 PM
 #1

Is it possible to view the code of the actual bitcoin.exe program available for download rather than trust that the open source code provided online is indeed the same as the download? If not, it seems that the one downloaded could potentially be a sort of a look-a-like program that actually holds a malicious timebomb of sorts. I'm sure there is a simple answer, I just have not found it yet.
Enochian
May 14, 2011, 09:29:06 PM
 #2

Quote from yeponlyone:
Is it possible to view the code of the actual bitcoin.exe program available for download rather than trust that the open source code provided online is indeed the same as the download? If not, it seems that the one downloaded could potentially be a sort of a look-a-like program that actually holds a malicious timebomb of sorts. I'm sure there is a simple answer, I just have not found it yet.

The developers build the distribution you download, which comes with source.  It is highly unlikely they would distribute binaries with extra stuff in them which don't match the source they provide.

You are welcome to build the programs, as well as the libraries they use, completely from source, and run those.  Aside from things like date strings, they should verify against the provided binaries.

You are probably orders of magnitude more likely at risk from bugs than you are from a developer conspiracy.

Not to mention the 100 million lines of Windows source you don't have, that is also running on your machine.

Vasili Sviridov
May 14, 2011, 09:29:28 PM
 #3

Simple answer would be to build it yourself if you want to.
But then you're still not guaranteed that the compiler you use is not generating something not in original code for you.

It's a pretty old issue, actually.

You can take it even further, say, if you bootstrap your own compiler and compile the source yourself, how can you be absolutely certain that there are no programmatic trapdoors left in your CPU microcode?

bitlotto
May 14, 2011, 09:43:04 PM
 #4

I've heard plans that one day there will be a generic build environment people can use to verify it. Then anyone can check the one already compiled against the one they just built to ensure it's ok. Not sure how far off that is though.

Gavin Andresen
May 15, 2011, 12:53:17 AM
 #5

I make the Amazon virtual machine images that I used to build the Windows and Linux binaries available... but Amazon recently took them down because they contain my ssh public key in the "allowed to login without a password" file. Removing the public key and then making the modified virtual machines public again is on my TODO list (Amazon doesn't want anybody to have a 'back door' into a public machine image, and bravo to them for checking-- I had no intention of logging into others' bitcoin-build-environment virtual machines, I just needed an easy way to log in while I was putting together the releases).

If you have an EC2 account, you can run them and recreate the exact build environment and check to make sure you get exactly the same executable code (the compilers may put timestamps inside the files which you'd have to ignore).

The plan for future releases is to use devrandom's 'gitian' build system, which is a spiffy way of creating a well-defined virtual machine image from signed and trusted repositories, fetching a specific version of the code from the git source tree, and compiling in a way that is completely reproducible.
See: https://github.com/devrandom/gitian-builder


How often do you get the chance to work on a potentially world-changing project?
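
The check described in the post above (rebuild, then confirm you get the same executable while ignoring compiler timestamps), sketched in Python as an added example that is not part of the original thread or of Bitcoin's build tooling. It assumes the only embedded timestamp is the PE/COFF header's TimeDateStamp field; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

def timestamp_range(pe: bytes) -> range:
    """Return the byte range of the COFF TimeDateStamp field in a PE image."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)  # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    start = e_lfanew + 8  # signature(4) + Machine(2) + NumberOfSections(2)
    if start + 4 > len(pe):
        raise ValueError("truncated COFF header")
    return range(start, start + 4)

def normalized_digest(pe: bytes) -> str:
    """SHA-256 of the image with the link timestamp zeroed."""
    r = timestamp_range(pe)
    masked = pe[:r.start] + b"\x00" * len(r) + pe[r.stop:]
    return hashlib.sha256(masked).hexdigest()

def unexplained_diffs(mine: bytes, released: bytes) -> list[int]:
    """Offsets that differ outside the timestamp field (empty list = match)."""
    if len(mine) != len(released):
        return [min(len(mine), len(released))]  # size mismatch
    skip = timestamp_range(mine)
    if timestamp_range(released) != skip:
        return [0x3C]  # headers are laid out differently
    return [i for i, (x, y) in enumerate(zip(mine, released))
            if x != y and i not in skip]

def make_pe(stamp: int, body: bytes) -> bytes:
    """Constructed minimal PE-shaped blob for the demo (not a runnable exe)."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\x00\x00" + struct.pack("<HHI", 0x14C, 1, stamp) + b"\x00" * 12
    return dos + coff + body

if __name__ == "__main__":
    released = make_pe(0x4DCF0000, b"\x55\x8b\xec\xc3")  # constructed sample
    rebuilt = make_pe(0x4DD10000, b"\x55\x8b\xec\xc3")   # same code, later build
    tampered = make_pe(0x4DCF0000, b"\x55\x8b\xec\xcc")  # one code byte changed
    print("rebuilt vs released:", unexplained_diffs(rebuilt, released))
    print("tampered vs released:", unexplained_diffs(tampered, released))
```

Real toolchains can embed further timestamps (for example in debug data); those show up as offsets in the returned list and have to be accounted for one by one before a build is treated as matching.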
ArsenShnurkov
May 17, 2011, 06:39:12 AM
 #6

Quote from yeponlyone:
I'm sure there is a simple answer, I just have not found it yet.

You can use the Gentoo operating system, like I do.
Everything here comes either from my own build server or compiled directly from source.
Nesetalis
May 17, 2011, 06:44:58 AM
 #7

Most operating systems can use CMake... utilize it....

ZOMG Moo!
Rage
May 17, 2011, 08:02:50 AM
 #8

Quote from yeponlyone:
Is it possible to view the code of the actual bitcoin.exe program available for download rather than trust that the open source code provided online is indeed the same as the download? If not, it seems that the one downloaded could potentially be a sort of a look-a-like program that actually holds a malicious timebomb of sorts. I'm sure there is a simple answer, I just have not found it yet.

Don't trust the binaries then. Compile the source yourself. That's the beauty of open source: you have no reason to trust a software developer but many ways to check the source code :-)

Rage
Matt Corallo
May 17, 2011, 11:01:15 AM
 #9

Well, could anyone create a tree with all the libraries pre-installed and setup so compiling would be EASY, for Christ sake?
If you are on Windows, well you are in luck, see http://bitcointalk.org/index.php?topic=4750.0 and http://bitcointalk.org/index.php?topic=5851.msg86700#msg86700.
If you are on Linux, the instructions really are quite easy, ask if you have questions.
If you are on Mac...well you are pretty much SOL, I might get around to writing some more build instructions for Mac, but I don't have the time atm...

Bitcoin Ubuntu PPA maintainer - donate to me personally: 1JBMattRztKDF2KRS3vhjJXA7h47NEsn2c
http://bitcoinrelaynetwork.org maintainer
PGP ID: 07DF 3E57 A548 CCFB 7530  7091 89BB B866 3E2E65CE