Hacker News

Do not use "the bitcoin PPA". Launchpad compiles this on their own infrastructure outside of the gitian build process. If, for some insane reason, you must use "the bitcoin PPA", always check hashes, always verify the binaries are correct, and always check signatures regarding those particular hashes.

edit: livejournal -> launchpad
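The check the comment above calls for, written out as an added example (not code from the thread or from the Bitcoin Core project): first verify the signature over the hash list, only then compare the downloaded file's hash against that list. It assumes the Bitcoin Core release layout of a SHA256SUMS file with a detached SHA256SUMS.asc signature, and that the release signing key has already been imported into the local keyring out of band.

```shell
#!/bin/sh
# Added example: verify a downloaded release the way the comment describes.
# Assumptions: SHA256SUMS / SHA256SUMS.asc naming, GNU coreutils sha256sum,
# and the release signing key already present in the gpg keyring.
set -e

# Step 1: the hash list is only trustworthy once its detached signature
# checks out against a key you obtained independently of the download site.
verify_sums_signature() {
    sums="$1"; sig="$2"
    gpg --verify "$sig" "$sums"
}

# Step 2: look up FILE's expected hash in the (now trusted) list and compare
# it with the hash of the bytes actually on disk.
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed at all.
check_hash_listed() {
    file="$1"; sums="$2"
    name=$(basename "$file")
    # Lines look like "<hash>  <name>"; a leading '*' marks binary mode and is
    # stripped before comparing names so it cannot hide a missing entry.
    expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2); if ($2 == n) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "hash mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    echo "ok: $name matches $sums"
}

# Full flow: signature over the list first, then the file against the list.
verify_release() {
    verify_sums_signature SHA256SUMS SHA256SUMS.asc
    check_hash_listed "$1" SHA256SUMS
}

# Usage: sh verify.sh bitcoin-<version>-<platform>.tar.gz (run in the download dir)
if [ "$#" -eq 1 ]; then
    verify_release "$1"
fi
```

A package manager such as apt checks the repository's signature, not that the binary corresponds to a deterministic (gitian) build; this script only closes the first gap, and comparing the hash against the independently published gitian result closes the second.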




The PPA seems to be the recommended Ubuntu install instruction on bitcoin.org:

https://bitcoin.org/en/download

Aren't all of Ubuntu's packages built on launchpad? It's interesting that you don't trust launchpad, should I not trust my OS either? And as far as checking signatures, that's what apt does automatically anyway, as I understand.

I know people like Moxie insist that it's only acceptable to have the (at least) software's author sign the software. Well, personally I'd rather trust a larger organization with more reputation to lose. (Ideally I'd have both, of course, when we get to deterministic builds.)

edit: Oh, deterministic builds is what gitian is. Okay I see your point :-) But still, why trust your OS at that point?


Yes, deterministic debian is a good idea and we should make that happen.


In the meantime, do you recommend against PPAs in general, or just for specific sensitive things like Bitcoin?


The Launchpad build process for bitcoind is not the same as the gitian build process. My recommendation is specific to Bitcoin Core, although I have not evaluated the security of other PPAs on launchpad...


Well, they're at most as secure as their maintainers.



