Releases: SubGeniusFinance/Offerings-to-Cthulhu
v2.0.8.7
OFF v2.0.8.7 - in-wallet Codex reader
Adds Phase B of the on-chain Codex reader to the Qt wallet. The Codex tab now displays the Lovecraft canon being inscribed into chain history post-Restoration: a Table of Contents on the left, paginated reader in the center (matching the website e-reader at https://23skidoo.info/codex/), and a Frontier panel on the right that tails new fragments live as blocks are mined.
Carries forward all v2.0.8.6 fixes (OFFSIG self-validate, pool-coinbase wiring). v2.0.8.5 users with gen=1 still need to upgrade — the wallet crash on sync past block 999999 is fixed here.
No consensus / net compat changes since v2.0.8.5. PROTOCOL_VERSION 90003. Same depends/ stack.
OFF v2.0.8.5 — relay-floor wallet fee (PR #30 by 9019x)
Supersedes v2.0.8.4. Adopts PR #30's relay-floor enforcement in CWallet::CreateTransaction() and CoinControlDialog::updateLabels(), reverting v2.0.8.4's nMinTxFee constant bump. Net effect on the 'large coin-control TXs rejected for fees' bug is the same fix, but with no 10x overpayment on 1-49 KB mid-size TXs. Also removes the pre-0.9 sub-cent change-bump (unreachable dead code, tagged for removal in its own comments) and corrects four coin-control tooltips to cite nMinRelayTxFee.
Reported and fixed by 9019x. Diagnosis credit: https://github.com/SubGeniusFinance/Offerings-to-Cthulhu/pull/30
No consensus / net / RPC / init / miner change. Same depends/ stack and PROTOCOL_VERSION (90003) as v2.0.8.3/.4.
OFF v2.0.8.3 — restore UPnP in shipped binaries
depends/ + CI: drop NO_UPNP=1 from both Linux-Qt5 and Windows workflows so miniupnpc 2.2.2 builds and links into the binaries. USE_UPNP defined at compile time, Options->Network 'Map port using UPnP' checkbox functional. No source/consensus/net change. Same depends/ stack as v2.0.8.2 plus libminiupnpc-2.2.2.a. Same PROTOCOL_VERSION (90003). Same network behavior absent a user explicitly ticking the UPnP box.
v2.0.8.2
v2.0.8.2 — Cthulhu GUI refresh + pnSeed[] inclusion criteria
GUI refresh (Cthulhu tile background, popup-dialog dark fills, grey menubar/statusbar with wallet border, Worship menubar promotion, OptionsDialog tab dark fills) plus a docs-only update to chainparams.cpp codifying pnSeed[] inclusion criteria for any future seed additions. Net-side IsReachable() backport for fresh-NAT'd-client peer discovery landed separately as #29 in the v2.0.8.2 ride.
Co-authored with @9019x (#27 diagnosis + #29 fix + probe tooling) and Eyemaginative (OFF community, background art).
Release artifacts: Linux daemon (tar.gz), Linux Qt5 wallet (tar.gz), Windows Qt5 wallet (zip). All built reproducibly via GitHub Actions from this tag.
v2.0.8.1
OFF v2.0.8.1 — fontconfig sysconfdir hotfix
v2.0.7's static fontconfig 2.12.6 was compiled with autoconf's default
--sysconfdir=$prefix/etc, where $prefix is the depends/ build path. At
runtime the binary looked for /etc/fonts/fonts.conf relative to a path
that doesn't exist on user machines and Qt's font database init aborted
with "Fontconfig error: Cannot load default config file" before drawing
any window. v2.0.7 Linux Qt5 wallets appeared to do nothing on launch.
Fix in depends/packages/fontconfig.mk:
$(package)_config_opts += --sysconfdir=/etc --datadir=/usr/share \
--localstatedir=/var
Static fontconfig now reads /etc/fonts/fonts.conf and /usr/share/fonts/
from the target system. Verified on Debian 13 without any FONTCONFIG_FILE
env-var workaround.
This is a Linux Qt5 hotfix only; the daemon and the Windows Qt5 wallet
are unaffected by the fontconfig path (Windows doesn't use fontconfig).
CLIENT_VERSION_BUILD bumped to 1 (.1 marks this as the first hotfix past
the intended .0). Tag-suffix sync rule applied: tag is plain v2.0.8.1,
so CLIENT_VERSION_SUFFIX is empty (was "-Triune" on v2.0.7,
grandfathered). Binary self-reports v2.0.8.1.
v2.0.7
OFF v2.0.7 — depends/ modernization + CVE refresh
Bumps the depends/ tree's bundled libraries to their newest releases that still build with the existing autotools recipe, closing a large security gap on the libs that actually share the binary's attack surface (libpng, freetype for PNG/font/QR rendering; protobuf for BIP70 payment-request parsing).
* libpng 1.6.43 -> 1.6.58 (10 CVEs, several High)
* expat 2.1.0 -> 2.4.8 (~15 CVEs across the gap)
* freetype 2.7.1 -> 2.13.3 (incl. CVE-2020-15999 exploited ITW)
* fontconfig 2.12.1 -> 2.12.6 (+ static, gperf header-regen patch)
* protobuf 2.6.1 -> 3.21.12 (BIP70 attack surface; CVE-2022-1941)
* dbus 1.8.6 -> 1.14.10 (libdbus auth + msg-parse fixes)
* libxcb 1.10 -> 1.17.0
* xcb_proto 1.10.0 -> 1.17.0
* libXau 1.0.8 -> 1.0.9
* xproto 7.0.26 -> 7.0.31
* native_ccache 3.1.9 -> 3.7.12
* new util-macros package (build-time only)
Qt switched from -qt-libpng to -system-libpng so the bumped libpng is used in the wallet's PNG/QR rendering. libxcb made static (--enable-static), which slightly changes Linux Qt font rendering vs prior releases: the binary now relies on fontconfig's built-in fallback list rather than the host's /etc/fonts/fonts.conf, so the wallet renders consistently across Linux distros instead of inheriting the system theme font.
No consensus, wire-format, or wallet-format change. PROTOCOL_VERSION stays at 90003. Cluster nodes on v2.0.6 do not need to upgrade for chain participation; this is a security refresh for new wallet installs.
PR #24 by @9019x (skifdni) — first external contributor to the Restoration since 2018. Rebased + bumped + force-pushed by the maintainer per maintainer_can_modify; substantive depends/ work is all his.
v2.0.6
v2.0.6 — wire-visible Restoration daemon
First release where Restoration daemons distinguish themselves from
pre-attack (v1.6.2, 2015) daemons in the P2P handshake. No consensus
rule change — the consensus stack shipped in v2.0.4-Triune (LWMA-3
+ MAX_REORG_DEPTH=100 + emergency-difficulty escape + Conclave-signed
window 999,991→1,050,666 + h=980,000 checkpoint) remains in force
unchanged. v2.0.6 makes that stack visible at the network layer too.
Headline change
* PROTOCOL_VERSION bumped 80001 -> 90003. Tagged binaries through
v2.0.5-Triune still advertised 80001 — indistinguishable on the
wire from a 2015 v1.6.2 daemon. v2.0.6 daemons advertise 90003.
No behavioral change beyond the version number itself; the
inbound floor MIN_PEER_PROTO_VERSION remains 209 in this release.
Network hygiene
* PR #14: UPnP disabled by default
* PR #9 port: drop third-party IP detection
* PR #11: pnSeed array refresh + generation tools
* Operator-fingerprint hostnames scrubbed from public artifacts
Operator UX (Qt — Text Based Worship)
* Issue #13: Peers sub-tab
* Issue #15: NetNodeId column + Copy Address right-click on Peers
* Issue #16: Disconnect Node right-click action on Peers
Build / CI
* PR #22: depends cross-compile fix
* PR #23: pull_request triggers for linux+windows depends workflows
Verification after upgrade
Offerings-cli getnetworkinfo | grep protocolversion
→ expect 90003
Offerings-cli getpeerinfo
→ transitional mix of 80001 and 90003 as the network upgrades
Upgrade urgency
HIGH for any operator still on v2.0.5-Triune or earlier. The
feature-freeze cliff for the Codex inscription window engages at
block 998,000 (~6 days from this tag, per issue #20); no daemon
changes will ship between block 998,000 and 1,050,667.
What v2.0.6 is NOT
* Not a consensus rule change.
* Not the MIN_PEER_PROTO_VERSION bump that would refuse handshake
from pre-Restoration peers — that is planned for v2.0.7 post-
freeze (block ≥ 1,050,667), height-gated to enforce only at
block ≥ 1,000,000.
The Sleeper turns. The first ripple.
v2.0.5-Triune
Packaging-fix re-cut of v2.0.4-Triune. Consensus content identical.
v2.0.5 ships two corrections over v2.0.4:
- CLIENT_VERSION_SUFFIX changed from -Bokrug (a v2.0.1 codename that leaked into the v2.0.4 build) to -Triune. The GUI About box now correctly reads v2.0.5.0-<sha>-Triune.
- Windows archive is now a single versioned .zip (Offerings-v2.0.5-Triune-win64.zip) instead of a generic .tar.gz. Both archives extract to a top-level versioned directory, matching the dobbscoin-vX.Y.Z-win64/ convention.
Anyone on v2.0.4-Triune is functionally fine on the chain — the upgrade is cosmetic. v2.0.5 is the recommended release for fresh downloads.
Same two consensus changes as v2.0.4-Triune
- Emergency-Difficulty escape valve (activates block 989,898, ~3.6 days at 60s): one-block relaxation of the strict nBits check when the chain has been stuck > 1h and the new block carries min-difficulty. Companion to LWMA-3 against Quark-hashrate-departure stalls. Hard-skipped during the Conclave signed-mining window.
- Triune Conclave (activates block 999,991, ~10.6 days): three independent signing keys in vConclaveKeys replacing the single-key arrangement. Any one valid OFFSIG passes; loss of two signers still keeps the chain advancing through the 35-day Codex inscription.
Upgrade deadlines
| Block | Event | Old binary failure mode |
|---|---|---|
| 989,898 | ED valve activates | rejects ED-relaxed blocks as bad-diffbits |
| 999,991 | Codex window opens | rejects blocks signed by Conclave Key #2 or Key #3 as bad-conclave-sig |
Any v2.0.3 or older binary forks off at 989,898. v2.0.4-Triune and v2.0.5-Triune are chain-compatible.
Source
- Tag v2.0.5-Triune at commit 1384c3a
- Consensus commits (unchanged from v2.0.4): b6d626f (ED valve) + a9859c5 (Triune Conclave)
- Packaging deltas: d2315b7 (suffix fix) + f4fe40e (zip + versioned dir)
Hardening recommendation: -upnp=0 for public-facing nodes
If you run a publicly-reachable OFFd, set -upnp=0 and configure -externalip=<your.real.ip> explicitly:
offerings.conf:
upnp=0
externalip=<your.real.ip>
Why. UPnP-IGD address discovery in miniupnpc trusts whatever device responds first to the SSDP multicast at 239.255.255.250:1900. A hostile device anywhere on your LAN — any guest-wifi user, any compromised IoT device, any unpatched roommate machine — can race the real router with a forged response, then return an arbitrary <NewExternalIPAddress> over SOAP. OFFd feeds that into AddLocal(addr, LOCAL_UPNP) and gossips the attacker-chosen IP to peers via addr and version messages. Attack primitive is eclipse-attack staging — the same protocol-level move the 2018 >80%-hash attacker used.
Who this affects. Hobbyist operators running OFFd at home behind a residential router. Operator-controlled cluster nodes are not affected — they already configure -externalip= (LOCAL_MANUAL), which outranks LOCAL_UPNP in the score table and silently ignores the UPnP-injected address.
Status. UPnP remains enabled by default in v2.0.x. The default flip to -upnp=0 is planned for v2.1.0, matching the precedent of bitcoin/bitcoin#20410 (Bitcoin Core, 2020). This is a hardening recommendation, not a forced behavior change.
Full threat model and phased mitigation plan: issue #10.
Companion to the HTTP-discovery-path removal in PR #9 (merge 24196aa), which closed the larger sister surface (cleartext-HTTP IP discovery against amazonaws.com / ipify / icanhazip). PR #9 will ship in the next point release; the UPnP recommendation above applies to anyone already on v2.0.4 or v2.0.5.
v2.0.4-Triune
What's new in v2.0.4-Triune
Tags the Restoration-prep work for the Codex window. Two consensus changes ride this release.
1. Emergency-difficulty escape valve (b6d626f)
- Activates at block 989,898 (~3.5 days at 60s pacing from cut).
- Relaxes the strict nBits == GetNextWorkRequired check for a single block when there is a >1h gap since the prior block AND the new block carries nBits == ProofOfWorkLimit (min-diff).
- Companion to LWMA-3 — gives the chain a recovery path if Quark hashrate departs and leaves the difficulty target stuck high.
- Hard-skipped during the Conclave signed-mining window [999991..1050666] so Descent / Codex blocks stay pool-only even under stall.
2. Triune Conclave (a9859c5)
- Adds two additional signing pubkeys (Conclave Key #2 and Conclave Key #3) to vConclaveKeys alongside the original Conclave Key #1.
- Any one valid signature passes CheckConclaveSignature — loss of two of three signing boxes still permits the third to keep the chain advancing through the Codex window.
- Activation: block 999,991 (Codex window opens). Old binaries reject blocks signed by Conclave Key #2 or Key #3.
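A minimal model of the emergency-difficulty rule from item 1 above, set beside the strict check that older binaries apply. It is added here as an illustration and is not taken from the project's source. The heights and the one-hour threshold come from these notes; the function names, the Candidate struct, the sample nBits values and the reading of "gap" as candidate time minus parent time are assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Heights and the one-hour threshold are from the release notes. Names, the
// struct layout and the choice of timestamps for the "gap" are assumptions.
constexpr int     kEdActivationHeight = 989898;
constexpr int     kConclaveFirst      = 999991;
constexpr int     kConclaveLast       = 1050666;
constexpr int64_t kEdMinGapSeconds    = 3600;

struct Candidate {
    int      height;     // height of the block being validated
    int64_t  time;       // its timestamp
    int64_t  prevTime;   // timestamp of its parent
    uint32_t nBits;      // compact target the block carries
    uint32_t required;   // value GetNextWorkRequired would demand
    uint32_t powLimit;   // compact ProofOfWorkLimit (minimum difficulty)
};

// True only when the one-block relaxation is allowed for this candidate.
bool EdValveApplies(const Candidate& b) {
    if (b.height < kEdActivationHeight) return false;            // not active yet
    if (b.height >= kConclaveFirst && b.height <= kConclaveLast)
        return false;                                            // signed-mining window
    if (b.time - b.prevTime <= kEdMinGapSeconds) return false;   // needs a gap > 1h
    return b.nBits == b.powLimit;                                // must be min-diff
}

// v2.0.3 and older: any nBits other than the required value is rejected.
std::string CheckStrict(const Candidate& b) {
    return b.nBits == b.required ? "" : "bad-diffbits";
}

// v2.0.4+: same check, with the escape valve as the only exception.
std::string CheckWithValve(const Candidate& b) {
    if (b.nBits == b.required || EdValveApplies(b)) return "";
    return "bad-diffbits";
}

int main() {
    // Constructed sample: 2h stall at the activation height, min-diff block.
    Candidate c{989898, 1700007200, 1700000000, 0x1e0fffff, 0x1c0ffff0, 0x1e0fffff};
    std::printf("old binary: '%s'\n", CheckStrict(c).c_str());
    std::printf("new binary: '%s'\n", CheckWithValve(c).c_str());
    return 0;
}
```

The two functions disagree only on a block the valve admits, which is the point at which an un-upgraded node leaves the chain.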
Operator action required
| Deadline | Why |
|---|---|
| Block 989,898 (~3.5 days) | Otherwise you reject any ED-relaxed block as bad-diffbits. |
| Block 999,991 (~10.5 days) | Otherwise you reject any block signed by Conclave Key #2 or Key #3 as bad-conclave-sig once the Conclave window opens. |
If you only run the legacy single-key binary today, you still need to upgrade — its chainparams must also know about the new signing keys to keep validating its peers' blocks.
Verifying downloads
sha256sum -c SHA256SUMS-linux.txt
sha256sum -c SHA256SUMS-windows.txt
Codename
Triune — three Conclave signers, the load-bearing change for redundancy during the 35-day Codex window.
Built via CI from commit 5b67855 (configure.ac bump on main). Linux x86_64 daemon + cli (glibc 2.35+, depends/ static). Windows x86_64 Qt5 wallet cross-compiled via mingw-w64 + depends/.
Hardening recommendation: -upnp=0 for public-facing nodes
If you run a publicly-reachable OFFd, set -upnp=0 and configure -externalip=<your.real.ip> explicitly:
offerings.conf:
upnp=0
externalip=<your.real.ip>
Why. UPnP-IGD address discovery in miniupnpc trusts whatever device responds first to the SSDP multicast at 239.255.255.250:1900. A hostile device anywhere on your LAN — any guest-wifi user, any compromised IoT device, any unpatched roommate machine — can race the real router with a forged response, then return an arbitrary <NewExternalIPAddress> over SOAP. OFFd feeds that into AddLocal(addr, LOCAL_UPNP) and gossips the attacker-chosen IP to peers via addr and version messages. Attack primitive is eclipse-attack staging — the same protocol-level move the 2018 >80%-hash attacker used.
Who this affects. Hobbyist operators running OFFd at home behind a residential router. Operator-controlled cluster nodes are not affected — they already configure -externalip= (LOCAL_MANUAL), which outranks LOCAL_UPNP in the score table and silently ignores the UPnP-injected address.
Status. UPnP remains enabled by default in v2.0.x. The default flip to -upnp=0 is planned for v2.1.0, matching the precedent of bitcoin/bitcoin#20410 (Bitcoin Core, 2020). This is a hardening recommendation, not a forced behavior change.
Full threat model and phased mitigation plan: issue #10.
Companion to the HTTP-discovery-path removal in PR #9 (merge 24196aa), which closed the larger sister surface (cleartext-HTTP IP discovery against amazonaws.com / ipify / icanhazip). PR #9 will ship in the next point release; the UPnP recommendation above applies to anyone already on v2.0.4 or v2.0.5.
v2.0.3
v2.0.3 — CI release-attach + Linux daemon depends/
No source / consensus changes since v2.0.2.
CI infrastructure only:
- Added linux-build-depends.yml: static-linked Linux x86_64 daemon
via depends/ (no system Boost runtime dependency — fixes the
libboost-version-mismatch complaint).
- Removed windows-build.yml (MSYS2 native): parallel-insurance Windows
path was chasing MSYS2 toolchain drift with no shipping value.
depends/ cross-compile (windows-build-depends.yml) remains canonical.
- Linux + Windows workflows now auto-attach their tarballs to the
GitHub Releases page on tag push instead of requiring manual upload.
- Per-platform SHA256SUMS-{linux,windows}.txt files so the release
page shows checksums for both platforms (single SHA256SUMS would
collide).
This release validates the auto-attach pipeline. Binaries land in a
draft release; publish manually after verifying SHA256SUMS-*.txt.