Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Meta: Packaging Bitcoin Core as vanilla system package #17343

Closed
maflcko opened this issue Nov 1, 2019 · 5 comments
Closed

Meta: Packaging Bitcoin Core as vanilla system package #17343

maflcko opened this issue Nov 1, 2019 · 5 comments
Labels
Brainstorming Build system

Comments

@maflcko
Copy link
Member

maflcko commented Nov 1, 2019

Depending on the user, we offer a wide range of ways to get Bitcoin Core:

However, there is no way to get Bitcoin Core as a vanilla system package, where it could serve as a dependency for other packages. Currently the user needs to install and maintain the dependencies manually. This might not be ideal for everyone and we should make it easy to use Bitcoin Core as a non-sysadmin.

I think in the past, a vanilla system package has been rejected because it would make it hard to apply security fixes (some distros ship year-old software, https://lists.debian.org/debian-backports/2013/12/msg00062.html). Also, those package would generally not be deterministically compiled, thus not easily auditable.

However, now that Debian and Ubuntu are capable of shipping updated software (e.g. recent versions of docker or firefox), which receives security and other bugfixes, it seems time to maybe reconsider this decision.

And given that users of an operating system already need to trust the maintainers of their vanilla system package manager, it doesn't seem to get worse when Bitcoin Core is offered through the same. I guess, if Bitcoin Core were offered as a new package and it used a deterministic build (like debians deterministic build effort) or bootstrapable build (like guix) it would be really nice to have, but not a requirement.

I am opening this issue mostly to see what everyone else thinks about this.
@maflcko maflcko mentioned this issue Nov 1, 2019
Open
@laanwj
Copy link
Member

laanwj commented Nov 2, 2019

However, now that Debian and Ubuntu are capable of shipping updated software (e.g. recent versions of docker or firefox), which receives security and other bugfixes, it seems time to maybe reconsider this decision.

So are they willing make a similar exception for bitcoin core? I think that's what matter here foremost. If not, this is hopeless, if they are, I don't think it's much of a problem. At least Gentoo already has bitcoin core as a distro package.

@elichai
Copy link
Contributor

elichai commented Nov 14, 2019
edited
Loading

I'll hijack the conversation to also ask do we know who currently maintains the bitcoin packages in Arch Linux? (both in official-community and in AUR)

https://www.archlinux.org/packages/community/x86_64/bitcoin-qt/
https://aur.archlinux.org/packages/bitcoin-git/
https://aur.archlinux.org/packages/bitcoin-core/
https://aur.archlinux.org/packages/bitcoin-core-git/

Anyway I think if distros already have bitcoin core packages we're better off maintaining them properly and making sure they're not vulnerabilities stealing private keys.

@maflcko
Copy link
Member Author

maflcko commented Nov 14, 2019

Anyway I think if distros already have bitcoin core packages we're better off maintaining them properly and making sure they're not vulnerabilities stealing private keys.

I don't think we have the resources to maintain them ourselves. Us not providing them, will make people provide "community versions" of Bitcoin Core, which could be assumed to be of lower quality than a vanilla package.
Also, I don't think we can protect against people installing packages that steal their keys. I think that this is the responsibility of the package manager maintainers of that distro. Again, I assume that vanilla packages are less likely to steal your keys. And if any vanilla package was to steal your keys, there is nothing we could do about that anyway.

@maflcko
Copy link
Member Author

maflcko commented Jan 2, 2020
edited
Loading

This has been discussed in today's IRC meeting: http://www.erisian.com.au/meetbot/bitcoin-core-dev/2020/bitcoin-core-dev.2020-01-02-19.00.log.html#l-51

Some TLDR (for myself):

  • The current debian package uses system leveldb, instead of our subtree. This was considered a blocker.
  • The debian patch policy was considered too strict. (1) not allowing even minor fixes to stable versions. And (2), not providing an upgrade path to newer versions of Bitcoin Core and the risk of new users running outdated versions of Bitcoin Core. No conclusion was reached on (1). No conclusion was reached on (2), but I mentioned that "backports" could be used to release newer versions of Bitcoin Core in older releases of debian.
  • The PPA was considered superior to a vanilla debian package, especially in light of "backports" pacakges. I mentioned that it was lacking a maintainer who is willing to spend time on our current bitcoin/bitcoin PPA.

@hebasto
Copy link
Member

hebasto commented Jan 12, 2020

Depending on the user, we offer a wide range of ways to get Bitcoin Core:
...

Are any reasons that flathab link is not provided by https://bitcoincore.org/en/download/:

image

?

@hebasto hebasto mentioned this issue Jan 12, 2020
Closed
@maflcko maflcko closed this as completed Jan 17, 2022
@maflcko maflcko mentioned this issue May 12, 2022
Merged
@bitcoin bitcoin locked and limited conversation to collaborators Jan 17, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Brainstorming Build system
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@laanwj @fanquake @elichai @maflcko @hebasto