-
Notifications
You must be signed in to change notification settings - Fork 36.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Meta: Packaging Bitcoin Core as vanilla system package #17343
Comments
So are they willing make a similar exception for bitcoin core? I think that's what matter here foremost. If not, this is hopeless, if they are, I don't think it's much of a problem. At least Gentoo already has bitcoin core as a distro package. |
I'll hijack the conversation to also ask do we know who currently maintains the bitcoin packages in Arch Linux? (both in official-community and in AUR) https://www.archlinux.org/packages/community/x86_64/bitcoin-qt/ Anyway I think if distros already have bitcoin core packages we're better off maintaining them properly and making sure they're not vulnerabilities stealing private keys. |
I don't think we have the resources to maintain them ourselves. Us not providing them, will make people provide "community versions" of Bitcoin Core, which could be assumed to be of lower quality than a vanilla package. |
This has been discussed in today's IRC meeting: http://www.erisian.com.au/meetbot/bitcoin-core-dev/2020/bitcoin-core-dev.2020-01-02-19.00.log.html#l-51 Some TLDR (for myself):
|
Are any reasons that flathab link is not provided by ? |
Depending on the user, we offer a wide range of ways to get Bitcoin Core:
./depends
)./depends
and Ubuntu system packages). They are signed for macOS and Windows, and reproducible to some extent.However, there is no way to get Bitcoin Core as a vanilla system package, where it could serve as a dependency for other packages. Currently the user needs to install and maintain the dependencies manually. This might not be ideal for everyone and we should make it easy to use Bitcoin Core as a non-sysadmin.
I think in the past, a vanilla system package has been rejected because it would make it hard to apply security fixes (some distros ship year-old software, https://lists.debian.org/debian-backports/2013/12/msg00062.html). Also, those package would generally not be deterministically compiled, thus not easily auditable.
However, now that Debian and Ubuntu are capable of shipping updated software (e.g. recent versions of docker or firefox), which receives security and other bugfixes, it seems time to maybe reconsider this decision.
And given that users of an operating system already need to trust the maintainers of their vanilla system package manager, it doesn't seem to get worse when Bitcoin Core is offered through the same. I guess, if Bitcoin Core were offered as a new package and it used a deterministic build (like debians deterministic build effort) or bootstrapable build (like guix) it would be really nice to have, but not a requirement.
I am opening this issue mostly to see what everyone else thinks about this.
The text was updated successfully, but these errors were encountered: