[Buildroot] [PATCH 1/1] package/bitcoin: add backporting requirement note to bitcoin package

All of lore.kernel.org
 help / color / mirror / Atom feed

* [Buildroot] [PATCH 1/1] package/bitcoin: add backporting requirement note to bitcoin package
@ 2020-02-02  8:55 James Hilliard
  2020-02-02  9:12 ` Yann E. MORIN
  0 siblings, 1 reply; 3+ messages in thread
From: James Hilliard @ 2020-02-02  8:55 UTC (permalink / raw)
  To: buildroot

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
---
 package/bitcoin/bitcoin.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/bitcoin/bitcoin.mk b/package/bitcoin/bitcoin.mk
index 040c55b8a6..c58bd9797c 100644
--- a/package/bitcoin/bitcoin.mk
+++ b/package/bitcoin/bitcoin.mk
@@ -4,6 +4,10 @@
 #
 ################################################################################
 
+# Major version updates must be backported unconditionally, if backporting
+# is not feasible the bitcoin package must be removed from any such branches.
+# Details:
+# https://bitcoinmagazine.com/articles/linux-distribution-packaging-and-bitcoin-1374549783
 BITCOIN_VERSION = 0.19.0.1
 BITCOIN_SITE = https://bitcoincore.org/bin/bitcoin-core-$(BITCOIN_VERSION)
 BITCOIN_AUTORECONF = YES
-- 
2.20.1

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [Buildroot] [PATCH 1/1] package/bitcoin: add backporting requirement note to bitcoin package
  2020-02-02  8:55 [Buildroot] [PATCH 1/1] package/bitcoin: add backporting requirement note to bitcoin package James Hilliard
@ 2020-02-02  9:12 ` Yann E. MORIN
  2020-02-02  9:28   ` James Hilliard
  0 siblings, 1 reply; 3+ messages in thread
From: Yann E. MORIN @ 2020-02-02  9:12 UTC (permalink / raw)
  To: buildroot

James, All,

On 2020-02-02 01:55 -0700, James Hilliard spake thusly:
> Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
> ---
>  package/bitcoin/bitcoin.mk | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/package/bitcoin/bitcoin.mk b/package/bitcoin/bitcoin.mk
> index 040c55b8a6..c58bd9797c 100644
> --- a/package/bitcoin/bitcoin.mk
> +++ b/package/bitcoin/bitcoin.mk
> @@ -4,6 +4,10 @@
>  #
>  ################################################################################
>  
> +# Major version updates must be backported unconditionally, if backporting
> +# is not feasible the bitcoin package must be removed from any such branches.
> +# Details:
> +# https://bitcoinmagazine.com/articles/linux-distribution-packaging-and-bitcoin-1374549783

The referenced post is not about ensuring the latest version is
packaged, but it is a pledge that distributions do not package bitcoin
at all, or that if they do, they just plainly use binaries provided by
upstream, and that the distributions do carefully assess the unbundling
of bundled libraries if they do so.

And the reasons they provide do not really apply to us, I believe,
because we are not a distribution; we are a buildsystem that generates
firmware images. Once such an image is flashed on a device, we have no
way to guarantee that it will be updated, or even updatable.

Besides, we're not doing any unbundling on that package; the only
external dependencies (bot optional) are not bundled.

Finally, if one were to use a released version of Buildroot, say
2019.05, we are no longer maintaining it, so it would anyway be stuck to
the older bitcoin version anyway...

The best we can ensure is that we try to follow upstream releases as
closely as possible in master (and thus interesting parties should send
patches), and when it makes sense secrity-wise, to backport it to the
older branches, like we do for all other packages.

So, this comment is not about what upstream said, and, I believe, does
not make sense us. Or we'd need to have such a comment in all
packages...

Regards,
Yann E. MORIN.

>  BITCOIN_VERSION = 0.19.0.1
>  BITCOIN_SITE = https://bitcoincore.org/bin/bitcoin-core-$(BITCOIN_VERSION)
>  BITCOIN_AUTORECONF = YES
> -- 
> 2.20.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [Buildroot] [PATCH 1/1] package/bitcoin: add backporting requirement note to bitcoin package
  2020-02-02  9:12 ` Yann E. MORIN
@ 2020-02-02  9:28   ` James Hilliard
  0 siblings, 0 replies; 3+ messages in thread
From: James Hilliard @ 2020-02-02  9:28 UTC (permalink / raw)
  To: buildroot

On Sun, Feb 2, 2020 at 2:12 AM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> James, All,
>
> On 2020-02-02 01:55 -0700, James Hilliard spake thusly:
> > Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
> > ---
> >  package/bitcoin/bitcoin.mk | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/package/bitcoin/bitcoin.mk b/package/bitcoin/bitcoin.mk
> > index 040c55b8a6..c58bd9797c 100644
> > --- a/package/bitcoin/bitcoin.mk
> > +++ b/package/bitcoin/bitcoin.mk
> > @@ -4,6 +4,10 @@
> >  #
> >  ################################################################################
> >
> > +# Major version updates must be backported unconditionally, if backporting
> > +# is not feasible the bitcoin package must be removed from any such branches.
> > +# Details:
> > +# https://bitcoinmagazine.com/articles/linux-distribution-packaging-and-bitcoin-1374549783
>
> The referenced post is not about ensuring the latest version is
> packaged, but it is a pledge that distributions do not package bitcoin
> at all, or that if they do, they just plainly use binaries provided by
> upstream, and that the distributions do carefully assess the unbundling
> of bundled libraries if they do so.
Yeah, I guess this specific issue is probably less of a concern now as
openssl should no longer be a critical dependency.
This used to be a major problem:
https://github.com/bitcoin/bips/blob/master/bip-0066.mediawiki
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-July/009697.html
>
> And the reasons they provide do not really apply to us, I believe,
> because we are not a distribution; we are a buildsystem that generates
> firmware images. Once such an image is flashed on a device, we have no
> way to guarantee that it will be updated, or even updatable.
It might be a good idea to remove the package entirely or at least place
warnings all over the config readme.
>
> Besides, we're not doing any unbundling on that package; the only
> external dependencies (bot optional) are not bundled.
>
> Finally, if one were to use a released version of Buildroot, say
> 2019.05, we are no longer maintaining it, so it would anyway be stuck to
> the older bitcoin version anyway...
So my suggestion there would be to remove the package entirely from
older released versions of buildroot that are no longer supported right
before they lose support.
>
> The best we can ensure is that we try to follow upstream releases as
> closely as possible in master (and thus interesting parties should send
> patches), and when it makes sense secrity-wise, to backport it to the
> older branches, like we do for all other packages.
So this is where things are tricky as it's very often not feasible to backport
minimal security patches for bitcoin, at least that's been the case
historically.
>
> So, this comment is not about what upstream said, and, I believe, does
> not make sense us. Or we'd need to have such a comment in all
> packages...
I'll discuss with upstream and see what makes the most sense.
>
> Regards,
> Yann E. MORIN.
>
> >  BITCOIN_VERSION = 0.19.0.1
> >  BITCOIN_SITE = https://bitcoincore.org/bin/bitcoin-core-$(BITCOIN_VERSION)
> >  BITCOIN_AUTORECONF = YES
> > --
> > 2.20.1
> >
> > _______________________________________________
> > buildroot mailing list
> > buildroot at busybox.net
> > http://lists.busybox.net/mailman/listinfo/buildroot
>
> --
> .-----------------.--------------------.------------------.--------------------.
> |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> '------------------------------^-------^------------------^--------------------'

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2020-02-02  9:28 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-02  8:55 [Buildroot] [PATCH 1/1] package/bitcoin: add backporting requirement note to bitcoin package James Hilliard
2020-02-02  9:12 ` Yann E. MORIN
2020-02-02  9:28   ` James Hilliard

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.