
it would be good to be prepared for the moment that bitcoincore.org comes under attack, exploiting legal or other loopholes

it's not a matter of *if*, but *when*

it's a bit of a single point of failure which makes it an attractive target for people on a crusade against bitcoin

if you want to help, make mirrors (can we do something like "deterministic verifiable builds for websites"?), host the files, seed the torrents, show them what censorship resistance means

@orionwl does a more robust way to create a mirror exist now, other than `wget -mkxKE -e robots=off bitcoincore.org` ?

@0x0ff yes, wget seems suboptimal

the robust way is to clone the website off github (git@github.com:bitcoin-core/bitcoincore.org.git), so that you have a copy of the source code as well, then you can build it yourself

@0x0ff however that's for the website—it won't give you a copy of the historical release binaries, i'm not sure of a good way to mirror those, maybe best would be to make a script based on

github.com/bitcoin/bitcoin/blo

and

github.com/bitcoin-core/bitcoi

that gets *all* releases and verifies them against their gitian.sigs hashes

@0x0ff oh this one might actually be best, it downloads SHA256SUMS.asc for an arbitrary release, verifies the signature, and downloads all the files mentioned in it:

github.com/bitcoin/bitcoin/tre

I'm storing the source-tarball along with the blockchain and laanwj's gpg-pub-key. Anything else, except hodling the fuck out of bitcoin to fill the war-chest for the future?

@orionwl it should be possible to make a website build deterministic html and javascript. I've done the latter before. Might require some patches to the framework it's using.

Then to verify you use a Python script that fetches index.html and everything it links to, and check the hash. Preferably from an unpredictable IP.

@orionwl Git over bittorrent? Also, it’s not that easy to take down an onion addressable self hosted website that just contains torrent links and shasums etc.

How large is the org website? It could be mirrored with torrents if it’s static. New releases are basically torrent links that let you dl your own copy of the website and from there the relevant binaries as torrents as well.

@orionwl Hosting the whitepaper elsewhere is not a defense but sure

@Seccour @orionwl I think in this case the right actions have been taken. Remove an attack vector for time wasting. gmax argument is convincing too mastodon.social/@Raindogdance/

@michaelfolkson @orionwl Should have been taken before the lawyers asked then. Because now it can, and will, be used against Cobra and others as an argument against them.

I understand that it's a big waste of time and resources. But at some point people involved in Bitcoin need to understand that if you contribute in any way to Bitcoin or its ecosystem you are a target. From enemies of Bitcoin, to criminals, if you contribute to Bitcoin or its ecosystem, you matter

@Seccour @orionwl I'm not a lawyer but I don't think one website taking down a resource sets any legal precedent whatsoever. If a court judgement forced the website to, that would be legal precedent.

If this demand could be followed by further ridiculous demands for taking down other things then it would be worth standing up to him. But I don't see what else he can demand get taken down. Pick your battles. Other people and other sites can choose to fight this battle.

@michaelfolkson @orionwl >I'm not a lawyer but I don't think one website taking down a resource sets any legal precedent whatsoever

Taking down the resource after being asked to* by CSW's lawyers. There is a difference between taking down the resource, and doing so under pressure from lawyers.

I really hope it will not matter in the end if (more like when) CSW will go in court against others. But it's something that should have required slightly more thinking

@michaelfolkson @orionwl CSW will not stop there. If he can get the Whitepaper, he will go for the name, the code, you name it.

@Seccour @michaelfolkson @orionwl Did you read the linked post by gmax? He makes clear that the whitepaper distribution is ambiguous enough for a court case to be dragged on for *years* by CSW. That's simply not where the resources of the maintainers of bitcoin core should be going.

@Seccour @orionwl Long term contributors and maintainers should not be choosing to fight these battles. Their time is much better utilized using their skills to advance the software. Only exception is when avoiding one battle opens the door to many more battles wasting their time. I don't think this is one of those examples.

@michaelfolkson @orionwl For sure. But I think this battle is worth it. And they also wouldn't have to fight themselves directly. They could give control of the site to someone or an entity (even a non-profit) that would do the fight for them.

Removing the whitepaper was the easy way out but not the best option imo

@Seccour @orionwl This site is used as a trusted source of information on Core releases. Giving control to someone else is a cure that is worse than the disease.

@michaelfolkson @orionwl "official control" not actual control over the domain or the server with the code on it. Like a Straw Man

@michaelfolkson @orionwl Homme de paille in French. Not sure if Straw Man is best translation

@Seccour @michaelfolkson @orionwl > They could give control of the site to someone or an entity (even a non-profit) that would do the fight for them.

And introduce an entire new attack vector in the form of that entity being taken over? That seems backwards. This was the cleanest way.

@michaelfolkson @orionwl Being involved in Bitcoin and being vocal about it has risks involved.

I paid for them in 2019, will probably pay for them later on. But it's a risk I'm willing to take and that I have taken. If someone is not willing to take those risks they should stop getting involved publicly with it

@Seccour @michaelfolkson @orionwl Bullshit. It's not so black and white. You don't need to take 100% of the risks or 0%.

@kekcoin @michaelfolkson @orionwl There is the no risk option: Not being involved at all

And the risky option: Being involved.

The level of risk you take once you're involved changes.

@Seccour Taking risks isn't absolute, it's a gradient. BTC devs have more of an abstract risk currently, as what they do is legal (which might change/not matter _later_on_).

If you are faced with a silly, but potentially resource consuming, legal battle that's very concrete and it might be worth mitigating if you have better things to do than spending your time with lawyers.

@orionwl Saïvann Carignan and myself actually put a fair amount of effort into making the Bitcoin.org build deterministic back in the day. You can still see one legacy of that: bitcoin.org/sha256sums.txt. The current BitcoinCore.org build is *almost* fully deterministic with the only dynamic bit I recall being date stamps in the RSS files. Making it fully deterministic would be easy and I can port over the old verification stuff from Bitcoin.org hopefully without much effort.
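Added example, not part of the thread and not code from the Bitcoin Core or Bitcoin.org projects: a sketch of the hash check discussed above for release files (SHA256SUMS.asc) and for a deterministic website build (sha256sums.txt). It assumes the manifest uses the standard `sha256sum` line format and that its signature was verified before this runs; the function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <path>' or '<hex> *<path>')."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        digest, _, rest = line.partition(" ")
        name = rest[1:] if rest[:1] in (" ", "*") else rest
        if len(digest) != 64 or not set(digest.lower()) <= set("0123456789abcdef") or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):  # stream large binaries
            h.update(chunk)
    return h.hexdigest()

def verify_mirror(root, manifest):
    root = Path(root).resolve()  # the manifest must be authenticated before this runs
    report = {"mismatch": [], "missing": [], "unlisted": [], "unsafe": []}
    for name, expected in manifest.items():
        target = (root / name).resolve()
        if not target.is_relative_to(root):  # entry escapes the mirror (Python 3.9+)
            report["unsafe"].append(name)
        elif not target.is_file():
            report["missing"].append(name)
        elif sha256_file(target) != expected:
            report["mismatch"].append(name)
    files = (p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
    report["unlisted"] = [f for f in files if f not in manifest]  # never vouched for
    return {k: sorted(v) for k, v in report.items()}

def demo():
    with tempfile.TemporaryDirectory() as d:  # constructed mirror, not real site data
        (Path(d) / "index.html").write_bytes(b"<html>release notes</html>\n")
        (Path(d) / "main.js").write_bytes(b"console.log('altered');\n")
        (Path(d) / "extra.html").write_bytes(b"unlisted page\n")
        good = hashlib.sha256(b"<html>release notes</html>\n").hexdigest()
        js = hashlib.sha256(b"console.log('ok');\n").hexdigest()
        text = f"{good}  index.html\n{js}  main.js\n{good} *en/download.html\n{good}  ../outside.txt\n"
        return verify_mirror(d, parse_manifest(text))

if __name__ == "__main__":
    print(demo())
```

A mirror passes only when all four lists are empty; an `unlisted` file matters as much as a `mismatch`, since a page the manifest never covered can carry altered download links.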

@harding @orionwl you guys are awesome. I remember all the translating stuff saivann did…much respect. I really appreciate the optech newsletter too! I certainly don’t understand all of it, but enough to get a feel for the future.
