Source: bitcoin
Severity: serious

The bitcoin network requires strict adherence to consensus between nodes. Small changes to underlying libraries, even justified security changes, threaten to break consensus and could possibly cause accidental forks.
For example, it is possible for a bug fix in libleveldb to cause a fork in the network if existing nodes expect buggy behaviour. Therefore, bitcoin upstream developers have strongly encouraged downstream packagers to use the exact version of libleveldb included with their source code.

However, upstream does not backport or support previously released versions of bitcoind/bitcoin-qt. For example: if we release Debian Jessie with version 0.8 of bitcoin, and a security bug is found in that version and fixed upstream, the fix may be based on top of version 0.10 and unable to be ported to 0.8. Upstream will, in that case, release version 0.10 and not backport the fix to 0.8. This is especially tricky now that Debian is using the bitcoin packaged version of leveldb.

Because of the sensitivity of this situation (lots of money can be lost), I believe we should block migration to testing until either upstream supports stable releases or we have a volunteer that works closely enough with upstream code (an upstream developer) who is willing to backport security and network-related fixes.

There has been some work on multibit and electrum packages in Debian; these may be better choices for wallets.

If we keep bitcoin in unstable, we'll be able to update as needed and users will understand that these packages are not stable and will need to be updated often.

-- System Information:
Debian Release: wheezy/sid
  APT prefers raring-updates
  APT policy: (500, 'raring-updates'), (500, 'raring-security'), (500, 'raring-proposed'), (500, 'raring'), (100, 'raring-backports')
Architecture: i386 (i686)

Kernel: Linux 3.8.0-27-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash