Downloads #33

Closed
luke-jr opened this issue Jan 15, 2016 · 26 comments

Comments

@luke-jr
Member

luke-jr commented Jan 15, 2016

Need to move downloads from bitcoin.org. Should be easily accessible/findable from the main page.

@maflcko

maflcko commented Jan 15, 2016

I think the plan was not to do this and regardless, it may not be possible due to the infrastructure of the current site.

@carnesen

I agree with luke-jr that it'd be good if the binaries were hosted on this site if also on bitcoin.org. I'm not familiar with the hosting infrastructure here, but I'd venture to guess it's GitHub Pages. Is that right? In that case you're right that the infrastructure wouldn't support it as is. GitHub recently added support for large files but Pages doesn't support that yet.

@harding
Contributor

harding commented Jan 15, 2016

Bitcoin.org pays for its own dedicated server in a datacenter specializing in DDoS-resistant hosting. The funding so far has been paid for by the Bitcoin Foundation, and it's @saivann who actually pays the bills, so the server is not controlled by Theymos or Cøbra (since I know distancing yourselves from them was key to the genesis of this site).

Saïvann is happy to have the Bitcoin Core site hosted on the same server, with the same DDoS protection, as Bitcoin.org. If that is done, the Bitcoin Core binaries folder can be conveniently shared by both sites. (Note, in the current Bitcoin.org design, the site is compiled on a separate VPS and uploaded as static HTML to prevent changes to the site content from being able to change the binaries.)

In addition, leaving GitHub pages allows you to drop CloudFlare which puts up an annoying CAPTCHA for page loads through Tor.

Funding for the Bitcoin.org server is currently pre-paid for a year in advance; after that, whatever sites are hosted on that server will have to figure out how to raise the current $590/month hosting expense.

@jonasschnelli
Contributor

> [...] $590/month

Side note: where I live, DDoS protected dedicated and managed servers cost around 150EUR/month. 590$ sounds very expensive. Isn't it just a website where super-script-performance is not required?

@ghost1542
Contributor

@jonasschnelli I dunno, we haven't found credible non-Cloudflare DDoS options and good dedicated servers for less so far. But either way, the bills are paid so it's a bit late to consider alternatives. This server is yours if you want to use it for static website hosting including Bitcoin Core binaries.

@btcdrak
Contributor

btcdrak commented Jan 15, 2016

I'm not really sure a github issue is the place to discuss this. In any case I have some opinions regarding this topic.

We don't have intentions of moving binary downloads from bitcoin.org and neither does it make sense because bitcoin.org has established itself as the one-stop-shop for all Bitcoin wallets and that alone is compelling enough.

With regards to hosting of bitcoincore.org website on servers paid for by the Bitcoin Foundation, while the offer is very kind, the reputation and history of the Bitcoin Foundation is exceptionally poor and to be "sponsored by the BF" is the last thing we need right now.

Our needs for the time being are pretty basic and Github Pages serves it well enough. We don't have to rely on anyone, nor do we have to concern ourselves with server upkeep and maintenance. I favour simplicity but I think we also have to be realistic and keep away from controversy as much as possible.

@ghost1542
Contributor

@btcdrak Just to clarify, the sponsorship with the Foundation has ended and there is no need for the Bitcoin Core website to display any banner.

> We don't have to rely on anyone

Well, currently Bitcoin Core relies on bitcoin.org for binary hosting. For the next 12 months it doesn't make much difference if you use bitcoin.org's servers with your domain, or bitcoin.org directly. In all cases, after that time, you either need to find your own hosting, or ask Theymos / Cobra-Bitcoin to see if they can provide something either for your domain or bitcoin.org.

@harding
Contributor

harding commented Jan 15, 2016

Bitcoin.org is not currently sponsored by the Bitcoin Foundation and has not been since Sept 2015. We used the last few months of sponsorship money to pay for server expenses in advance. No "Sponsored by" banner is required, and none would be required at all unless (1) you decided to stay for more than a year until we needed more money and (2) a sponsored by banner is how we chose to raise funds.

In any case, the offer remains open.

@carnesen

[Somewhat off topic:] @btcdrak Where would you have this discussion take place? This seems to me to be the right venue. If there's a non-GitHub communication channel for development of this site, it'd be good to mention it in the readme to make it easier for interested members of the community to participate.

@TheBlueMatt
Contributor

I think it's time to revisit this issue. bitcoin.org switched their hosting to just a blind DO instance, which is likely worse than github pages + Cloudflare (which is shit, but...).

@harding
Contributor

harding commented May 10, 2017

@TheBlueMatt good idea to raise this issue, thank you. I forwarded your comment to the current Bitcoin.org infrastructure maintainers in case they want to comment as @saivann and myself are no longer involved with that part of the site.

@wbnns

wbnns commented May 10, 2017

Hey, just wanted to comment here, I have commit access on Bitcoin.org but unfortunately don't have access to any of the hosting servers, etc. I agree that the security can be improved.

@wbnns

wbnns commented May 10, 2017

Just to recap what happened - previously, Bitcoin.org was hosted with Black Lotus (Level 3) in a multiserver environment which included a build server along with GPG signature based deployments. The hosting contract came up for renewal, and the decision was made by the domain owner (Cobra) to migrate and consolidate everything onto DO.

I offered to pay all hosting/infrastructure costs for the site to retain the previous hosting, as well as maintain said infrastructure (or set up something new/comparable somewhere else), however, that offer was declined (and the site was moved to DO) instead.

If you all want to host the files elsewhere, I could update the links on the download page to point there.

Bitcoin.org receives around a million unique visitors each month - last month, approximately 80,000 people visited the download page - I think it's important to have. Maybe the easiest thing to do if you all want to improve security would be to just not have the files hosted on Bitcoin.org (but still keep the downloads page).

@Cobra-Bitcoin

Binaries shouldn't be hosted in one place. Anyone can host the Bitcoin Core binaries. This actually is better since it makes one site much less of a target.

Bitcoin.org already has the infrastructure, web pages, user trust, etc, so we don't really want to undermine that by directing users to alternative places, so we'll continue to distribute the Core binaries on our site (and store them locally). Anyone is free to replicate the binaries though, and host it on other places.

Maybe in future releases, the binaries can be made available on many different mirrors, and users can pick from these. No need to have just one authoritative website that distributes the binaries!

@TheBlueMatt
Contributor

@Cobra-Bitcoin Ideally folks would be validating the binaries as well, we can only hope... :p.

Indeed, for users downloading from bitcoin.org, it may make sense to have them hosted on bitcoin.org, as you point out, but we should have consistent messaging for "where the download page is". Previously "the download page" was kept on bitcoin.org as it had a much better security story (i.e. not Cloudflare), but with that gone (I don't really trust DO either, let alone with it running jekyll on it), I think we should move the messaging around "where to go to download Bitcoin Core" to somewhere where we can maintain a better security story (which ideally we would have done with the introduction of bitcoincore.org, so no time like the present :p).

It would be helpful if, even though the binaries will likely continue to be served off bitcoin.org, the bitcoin.org "Bitcoin Core download page" were to say "this page is moving to bitcoincore.org". That way the user isn't pushed to a link to go to another page immediately, but we can transition users to a setup that has consistent messaging (i.e. clear bitcoin.org/bitcoincore.org distinction) and that we can more easily maintain the security requirements of serving Bitcoin binaries from.

@Cobra-Bitcoin

@TheBlueMatt The download process is so integrated into the site, and users are so used to it, that I can't see much utility in pushing users to another site just to create "consistent messaging". If bitcoincore.org wants to distribute binaries, it can do that, but it shouldn't have to mean bitcoin.org has to change how it's currently operating (which is working well).

There's no need for a single authoritative place to download the binaries from. Let's just have mirrors up on bitcoin.org, bitcoincore.org, and some other sites, and we can distribute them in a more decentralized way.

@wbnns

wbnns commented May 10, 2017

This sounds reasonable to me.

@ghost1542
Contributor

@Cobra-Bitcoin Bitcoin Core binaries do have one authoritative source though, it is the Bitcoin Core developers. It would be more respectful and transparent for bitcoin.org to acknowledge that fact and refer visitors to the official website IMO, should it have a download page.

It doesn't mean that bitcoin.org cannot mirror the binaries on bitcoin.org/bin/, this is only good. If the download page isn't replaced by a redirect completely, at least a visible banner citing the real source of the binaries would be good IMO.

@Cobra-Bitcoin

@laanwj What are your thoughts on this? Would be interested to know what the person handling the release process thinks...

@btcdrak
Contributor

btcdrak commented May 12, 2017

@Cobra-Bitcoin I think there are two separate issues. One is secure hosting/distribution of the binaries. We know most users do not verify their binaries so we should protect them as much as possible by default with a secure hosting setup.

Now that the Bitcoin Core project has its own established website, it makes sense that it does make those binaries available for download/link from the project website.

bitcoin.org is obviously a huge resource for bitcoin in general, and the wallet section of the site links to many different wallets. I think it makes sense for it to be the same for Bitcoin Core. Mirroring binaries is also ok, as is linking to bitcoincore.org binaries directly while keeping a separate download page, but it is inconsistent with how all the other wallets are linked - which is with a splashpage and a link to each wallet's own website.

@wbnns

wbnns commented May 12, 2017

Just wanted to add some data to this thread. Unlike other wallets on Bitcoin.org, Bitcoin Core has its own sub-site on Bitcoin.org:
https://bitcoin.org/en/bitcoin-core/

This sub-site received approximately 22.5K unique visits last month; 108K unique visits so far this year. Separate from this, is the download page, which received close to 80K unique visits last month; 380K+ unique visits so far this year. Also, keep in mind that the download page is translated into many languages, so it displays natively to people in other countries in their own vernacular by default - not sure if this happens on the Bitcoin Core website.

All in all, we're talking about at the minimum, 400K unique visits of people all over the world so far this year interacting with these pages, so I would just recommend we exercise great caution when modifying things. For example, the first result for "download bitcoin" on Google is the download page. If we heavily modify this page, we could lose that result and there is no guarantee that Bitcoin Core's website will replace it as number one. We could lose a lot of visitors via search engines. Also, an alternative client could very well improve its own rankings as a result. For example Bitcoin Unlimited is currently the 5th search result for "bitcoin download" and the 3rd result for "download bitcoin" (Bitcoin.org is 1st for both). If Bitcoin.org loses the 1st position, there is a likely probability that it would improve BU's ranking for both key phrases.

Anyhow, just sharing this data so we can hopefully make a data-driven decision here, and try to approach this as objectively as possible. My personal recommendation, if something must be done, would be to, as a compromise, only change the actual file link locations themselves (the hyperlink references) and add an additional note/link to Bitcoin Core's website on the download page mentioning that it is the official site of the client.

@harding
Contributor

harding commented May 12, 2017

I have two questions:

  1. @TheBlueMatt thinks Bitcoin.org's current Digital Ocean (DO) hosting is "likely worse" than GitHub pages (which uses Cloudflare). Is everyone in general agreement with that? I confess I don't know much about either DO or GitHub Pages+Cloudflare, but in my naivety it seems like there are tradeoffs either way.

  2. How would hosting the binaries on GitHub pages work? Bitcoin.org currently hosts, I think, about a GB of binaries (current releases and historic releases across multiple platforms). Even if we start adding just the newest releases to BitcoinCore.org's git repository, we're looking at increasing the size of the repository by several multiples of its current size.

@achow101
Member

@harding re 2: the binaries could be uploaded to Github under each tagged release and then the download links directly to those files. This is how we do it with Armory. Otherwise there would need to be another server hosting the binaries and the site linking to those.

@nomnombtc

I just noticed the downloads are already available on bitcoincore.org (https://bitcoincore.org/bin/bitcoin-core-0.14.2/), but the download link in the release notes still links to bitcoin.org.

Imho it would make sense to point the download link in the release notes to bitcoincore.org, but also have the files hosted as mirror on bitcoin.org.

@btcdrak
Contributor

btcdrak commented Jul 5, 2017

Just for reference, bitcoincore.org has its own dedicated servers colocated with DDOS protection and various other security measures. There is no more use of CF DDOS protection on https://bitcoincore.org/ pages.

@btcdrak
Contributor

btcdrak commented Aug 1, 2017

Future releases will be linked.

btcdrak closed this as completed Aug 1, 2017