Bitcoin Forum
Author Topic: Auto update  (Read 1710 times)
ilovebitcoin
Newbie
August 20, 2010, 03:23:00 PM
 #1

Since there can be important security updates and a lot of people don't check the site, the Bitcoin client should have an optional auto-updater (on by default), with "how often?" options ranging from each five minutes to each day and an option to install without asking (only security updates or all updates?)

15ucPt61t2uhiH5G3THkreYainZ47UHst8
jgarzik
Legendary
August 20, 2010, 06:59:03 PM
 #2


+1, updating from existing clients would be a useful feature.


Jeff Garzik, bitcoin core dev team and BitPay engineer; opinions are my own, not my employer.
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
MoonShadow
Legendary
August 20, 2010, 07:24:14 PM
 #3

Since there can be important security updates and a lot of people don't check the site, the Bitcoin client should have an optional auto-updater (on by default), with "how often?" options ranging from each five minutes to each day and an option to install without asking (only security updates or all updates?)

I can see this as a security risk if the updater were able to be set to automatic.  Invariably, some users will disregard the risks in the ongoing absolute trust of a particular server, and enough might be able to break the system if some cracker were to be able to compromise that trusted server and replace the client download with a compromised client with malware.  Even if that only lasted for a short time.  If the client were to ever include an update notification function, I disagree that it should *ever* update without user verification.  Even a normal client modified to send a copy of your wallet.dat file to a particular email address would screw a lot of people over in a hurry.

"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."

- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
aceat64
Full Member
August 20, 2010, 07:47:18 PM
 #4

I agree with creighto, I think at most the client should give a notification that there is a new version available, but I don't like the idea of auto-updating.

ilovebitcoin
Newbie
August 20, 2010, 07:49:47 PM
 #5

I was thinking of automatic updating being off by default (but checking being on by default). Update user verification is useless for me because I always click yes -  It's rare that the update server is being played with, but even if it were, I would not be able to tell.

How about using TLS for authenticating the update server?

15ucPt61t2uhiH5G3THkreYainZ47UHst8
kiba
Legendary
August 20, 2010, 07:51:53 PM
 #6

I agree with creighto, I think at most the client should give a notification that there is a new version available, but I don't like the idea of auto-updating.

People who don't download and install updates are at a security risk. There will be many more security risks incurred from outdated clients than there are in an unlikely hacking attack. It's a tradeoff.

jgarzik
Legendary
August 20, 2010, 08:25:11 PM
 #7

I can see this as a security risk if the updater were able to be set to automatic.  Invariably, some users will disregard the risks in the ongoing absolute trust of a particular server, and enough might be able to break the system if some cracker were to be able to compromise that trusted server and replace the client download with a compromised client with malware.  Even if that only lasted for a short time.

That's why crypto-signed updates have existed in software systems for over a decade.  You don't need to trust the server, if you have a public key stored locally.  Fedora, Ubuntu, Debian etc. sign all their binary software packages with GPG, as an example.

Eventually bitcoin will catch up with the times :)  Even without auto-updates, this is a serious vulnerability with the packages on bitcoin.org.  Posting SHA1 sums is useless without a cryptographic signature of some sort.


Jeff Garzik, bitcoin core dev team and BitPay engineer; opinions are my own, not my employer.
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
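
The point made in post #7, as an added example that is not part of the thread or of any Bitcoin code: a client that pins the maintainer's public key rejects a swapped download even when the checksum posted on the same server matches it. A Lamport one-time hash-based signature stands in for GPG so the sketch runs on the Python standard library alone, SHA-256 replaces the SHA1 sums mentioned, and all function names and sample bytes are constructed for illustration.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key: 256 secret pairs; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def digest_bits(data: bytes):
    d = H(data)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, data: bytes):
    # Reveal one secret per bit of the file's digest (the key is single-use).
    return [sk[i][bit] for i, bit in enumerate(digest_bits(data))]

def signature_ok(pinned_pk, download: bytes, sig) -> bool:
    # Trust comes from the key shipped inside the client, not from the server.
    return len(sig) == 256 and all(
        H(s) == pinned_pk[i][bit]
        for i, (s, bit) in enumerate(zip(sig, digest_bits(download))))

def checksum_ok(download: bytes, posted_hex: str) -> bool:
    # The checksum comes from the same server as the file, so it only
    # detects accidental corruption, not a replaced download.
    return hashlib.sha256(download).hexdigest() == posted_hex

def demo():
    sk, pinned_pk = keygen()  # sk stays offline with the maintainer
    release = b"constructed sample: client build A"
    server = {"file": release, "sum": hashlib.sha256(release).hexdigest(),
              "sig": sign(sk, release)}
    honest = (checksum_ok(server["file"], server["sum"]),
              signature_ok(pinned_pk, server["file"], server["sig"]))
    # Constructed compromise: file and checksum are both replaced on the
    # server; without sk, the old signature is all that can be served.
    tampered = b"constructed sample: modified build"
    server.update(file=tampered, sum=hashlib.sha256(tampered).hexdigest())
    compromised = (checksum_ok(server["file"], server["sum"]),
                   signature_ok(pinned_pk, server["file"], server["sig"]))
    return honest, compromised

if __name__ == "__main__":
    print(demo())
```

Each Lamport key signs one release only; a production updater would use GPG, as the post describes, or another standard signature scheme.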
ilovebitcoin
Newbie
August 20, 2010, 08:56:36 PM
 #8

Also, if someone maintained a package and submitted it to distributions, it would already be auto-updated without the need to build it into the client.

15ucPt61t2uhiH5G3THkreYainZ47UHst8
Insti
Sr. Member
August 20, 2010, 09:22:22 PM
 #9

Also, if someone maintained a package and submitted it to distributions, it would already be auto-updated without the need to build it into the client.

Unless you run Windows.
MoonShadow
Legendary
August 20, 2010, 09:31:12 PM
 #10

Also, if someone maintained a package and submitted it to distributions, it would already be auto-updated without the need to build it into the client.

Not without the user's permission.  Some packages are not updated automatically for similar reasons.

ilovebitcoin
Newbie
August 20, 2010, 09:40:17 PM
 #11

Not without the user's permission.  Some packages are not updated automatically for similar reasons.

That's easy - just make Bitcoin come with a Debian VM.

15ucPt61t2uhiH5G3THkreYainZ47UHst8
LZ
Staff
Legendary
September 02, 2010, 11:15:43 PM
 #12

What about storing the update hash in the bitcoin journal?

"Never invest unless you can afford to lose your entire investment." © S3052