Bitcoin Forum
Author Topic: Auto update  (Read 8302 times)
ilovebitcoin (OP)
August 20, 2010, 03:23:00 PM
 #1

Since there can be important security updates and a lot of people don't check the site, the Bitcoin client should have an optional auto-updater (on by default), with "how often?" options ranging from each five minutes to each day and an option to install without asking (only security updates or all updates?)
jgarzik
August 20, 2010, 06:59:03 PM
 #2


+1, updating from existing clients would be a useful feature.


Jeff Garzik, Bloq CEO, former bitcoin core dev team; opinions are my own.
Visit bloq.com / metronome.io
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
MoonShadow
August 20, 2010, 07:24:14 PM
 #3

Quote from: ilovebitcoin on August 20, 2010, 03:23:00 PM
Since there can be important security updates and a lot of people don't check the site, the Bitcoin client should have an optional auto-updater (on by default), with "how often?" options ranging from each five minutes to each day and an option to install without asking (only security updates or all updates?)

I can see this as a security risk if the updater were able to be set to automatic.  Invariably, some users will disregard the risks in the ongoing absolute trust of a particular server, and enough might be able to break the system if some cracker were to be able to compromise that trusted server and replace the client download with a compromised client with malware.  Even if that only lasted for a short time.  If the client were to ever include an update notification function, I disagree that it should *ever* update without user verification.  Even a normal client modified to send a copy of your wallet.dat file to a particular email address would screw a lot of people over in a hurry.

"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."

- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
aceat64
August 20, 2010, 07:47:18 PM
 #4

I agree with creighto, I think at most the client should give a notification that there is a new version available, but I don't like the idea of auto-updating.
ilovebitcoin (OP)
August 20, 2010, 07:49:47 PM
 #5

I was thinking of automatic updating being off by default (but checking being on by default). Update user verification is useless for me because I always click yes -  It's rare that the update server is being played with, but even if it were, I would not be able to tell.

How about using TLS for authenticating the update server?
kiba
August 20, 2010, 07:51:53 PM
 #6

Quote from: aceat64 on August 20, 2010, 07:47:18 PM
I agree with creighto, I think at most the client should give a notification that there is a new version available, but I don't like the idea of auto-updating.

People who don't download and install updates are at a security risk. There will be many more security risks incurred from outdated clients than there are in an unlikely hacking attack. It's a tradeoff.

jgarzik
August 20, 2010, 08:25:11 PM
 #7

Quote from: MoonShadow on August 20, 2010, 07:24:14 PM
I can see this as a security risk if the updater were able to be set to automatic.  Invariably, some users will disregard the risks in the ongoing absolute trust of a particular server, and enough might be able to break the system if some cracker were to be able to compromise that trusted server and replace the client download with a compromised client with malware.  Even if that only lasted for a short time.

That's why crypto-signed updates have existed in software systems for over a decade.  You don't need to trust the server, if you have a public key stored locally.  Fedora, Ubuntu, Debian etc. sign all their binary software packages with GPG, as an example.

Eventually bitcoin will catch up with the times :)  Even without auto-updates, this is a serious vulnerability with the packages on bitcoin.org.  Posting SHA1 sums is useless without a cryptographic signature of some sort.


Jeff Garzik, Bloq CEO, former bitcoin core dev team; opinions are my own.
Visit bloq.com / metronome.io
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
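
The point made in the post above (a posted checksum comes from the same server as the file, while a signature is checked against a key stored locally), as an added example that is not part of the thread or of Bitcoin's code. It uses Ed25519 from the Go standard library as a stand-in for the GPG signatures mentioned; the `Release` type, the key and the sample bytes are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha1"
	"fmt"
)

// Release is what the download server hands the client. Every field is
// attacker-controlled if that server is compromised.
type Release struct {
	Binary    []byte
	SHA1Sum   [sha1.Size]byte // checksum posted next to the download
	Signature []byte          // detached signature over Binary
}

// ChecksumOK is the "posted SHA1 sum" check: it only proves the file matches
// a hash that was served from the same place as the file.
func ChecksumOK(r Release) bool { return sha1.Sum(r.Binary) == r.SHA1Sum }

// SignatureOK verifies against a public key shipped inside the client, which
// the server cannot substitute.
func SignatureOK(pinned ed25519.PublicKey, r Release) bool {
	return len(r.Signature) == ed25519.SignatureSize &&
		ed25519.Verify(pinned, r.Binary, r.Signature)
}

// Demo checks a genuine release and a server-side replacement with both methods.
func Demo() (goodSum, goodSig, evilSum, evilSig bool) {
	// Constructed key from a fixed seed; a real signing key stays offline.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	pinned := priv.Public().(ed25519.PublicKey)

	good := []byte("client build (constructed sample bytes)")
	genuine := Release{good, sha1.Sum(good), ed25519.Sign(priv, good)}

	// Compromised server: new binary, regenerated checksum, no private key.
	evil := []byte("modified client build (constructed sample bytes)")
	tampered := Release{evil, sha1.Sum(evil), genuine.Signature}

	return ChecksumOK(genuine), SignatureOK(pinned, genuine),
		ChecksumOK(tampered), SignatureOK(pinned, tampered)
}

func main() {
	a, b, c, d := Demo()
	fmt.Printf("genuine:  sha1=%v sig=%v\ntampered: sha1=%v sig=%v\n", a, b, c, d)
}
```

The replaced binary passes the checksum check because its checksum was regenerated alongside it, and fails the signature check because the pinned key never signed it.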
ilovebitcoin (OP)
August 20, 2010, 08:56:36 PM
 #8

Also, if someone maintained a package and submitted it to distributions, it would already be auto-updated without the need to build it into the client.
Insti
August 20, 2010, 09:22:22 PM
 #9

Quote from: ilovebitcoin on August 20, 2010, 08:56:36 PM
Also, if someone maintained a package and submitted it to distributions, it would already be auto-updated without the need to build it into the client.

Unless you run Windows.
MoonShadow
August 20, 2010, 09:31:12 PM
 #10

Quote from: ilovebitcoin on August 20, 2010, 08:56:36 PM
Also, if someone maintained a package and submitted it to distributions, it would already be auto-updated without the need to build it into the client.

Not without the user's permission.  Some packages are not updated automatically for similar reasons.

ilovebitcoin (OP)
August 20, 2010, 09:40:17 PM
 #11

Quote from: MoonShadow on August 20, 2010, 09:31:12 PM
Not without the user's permission.  Some packages are not updated automatically for similar reasons.

That's easy - just make Bitcoin come with a Debian VM.
LZ
September 02, 2010, 11:15:43 PM
 #12

What about storing the update hash in the bitcoin journal?

My OpenPGP fingerprint: 5099EB8C0F2E68C63B4ECBB9A9D0993E04143362