Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1834731 - Review Request: bitcoin - Peer to Peer Cryptographic Currency
Summary: Review Request: bitcoin - Peer to Peer Cryptographic Currency
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Warren Togami
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1020292 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-05-12 10:09 UTC by Simone Caronni
Modified: 2021-06-04 08:14 UTC (History)
17 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---
ppisar: fedora-review?


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1937302 1 medium NEW Review Request: bitcoin-selinux - Bitcoin Core SELinux policy 2021-03-18 11:03:57 UTC

Internal Links: 1937302

Description Simone Caronni 2020-05-12 10:09:48 UTC
Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.19.1-1.fc31.src.rpm
Description:
Bitcoin is a digital cryptographic currency that uses peer-to-peer technology to
operate with no central authority or banks; managing transactions and the
issuing of bitcoins is carried out collectively by the network.
Fedora Account System Username: slaanesh

Comment 1 Simone Caronni 2020-05-12 10:10:22 UTC
*** Bug 1020292 has been marked as a duplicate of this bug. ***

Comment 2 Simone Caronni 2020-05-12 10:15:55 UTC
SPEC file contains the necessary information to build on CentOS / RHEL 7 as well.

Comment 3 Oleg Girko 2020-05-13 20:59:27 UTC
I was packaging a Dash client for Fedora for quite some time. Dash was originally a fork of Bitcoin, and now it still synchronises its codebase with newer versions of Bitcoin. Hence, Dash is not different than Bitcoin from packaging point of view, only some file names and TCP port numbers are different.
You can take a look at spec and other files I use to build Dash here: https://obs.infoserver.lv/package/show/cryptocurrency/dash-core
If you find any ideas from this useful, feel free to use them. :-)

My spec file was originally based on spec file that was in Bitcoin source's contrib subdirectory (it was removed from there since then), but significantly evolved.

It has provisions for building with depends system, making deterministic build closer to the one used for binary distribution by vendor (but not exactly the same: still using compiler and some system libraries from Fedora). In order to be suitable for building in isolated environment without network connectivity, all sources needed for building are added as "SourceN:" directives in autogenerated section of spec file, and "update-sources.sh" script has to be run to update these sources every time you change the version number. This feature is not suitable for official Fedora package because it essentially bundles various libraries, so it's disabled by default.

Also, functional tests in "%check" section are run in parallel, and temporary directory is placed in "/var/tmp" for them, because "/tmp" is sometimes tmpfs in isolated build environment. and some tests require 8 gigabytes of space in tmpdir.

Comment 4 Simone Caronni 2020-05-14 07:02:50 UTC
Thanks I will look at it.

Comment 5 Eugene A. Pivnev 2020-06-07 11:37:38 UTC
Selinux* things must be optional.
If user set "selinux=disabled" than he can remove most of *selinux* rpms from host.
But your packages require to reinstall them again.

Summary good job, I use this for last month ok (f30 x32, f32 x64).

Comment 6 Robert-André Mauchin 🐧 2020-06-26 18:04:20 UTC
 - 
Source0:    http://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz

→

Source0:    http://github.com/%{name}/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz

 - Why does the core subpackage obsoletes the main package? Also for a rename the Obsolete part must be fixed, to the release above the last release of the obsoleted package.

%package core
Summary:    Peer to Peer Cryptographic Currency
Obsoletes:  %{name} < %{version}-%{release}
Provides:   %{name} = %{version}-%{release}

 - GZipping the man pages is handled by rpm, do not do it yourself:

gzip %{buildroot}%{_mandir}/man1/$i.1

 - This is only needed in EPEL7:

%post core
/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :

%postun core
if [ $1 -eq 0 ] ; then
    /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
    /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
fi

%posttrans core
/usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :

 Please put it behind a condition.

 - Do not package libtool archive. Static library are generally not packaged, and, if really needed, must have their own static subpackage:

%{_libdir}/libbitcoinconsensus.a
%{_libdir}/libbitcoinconsensus.la

 
 - In order to avoid unintentional soname bump, we recommend not globbing the major SONAME version from shared library. Be more specific instead:

%{_libdir}/libbitcoinconsensus.so.*

 - /var/lib/, {_localstatedir}/lib → use %{_sharedstatedir}

 - /var/, %{_var} → use %{_localstatedir}

 - /run → %{_rundir}

 - I know nothing about SELinux, I need to find another reviewer for this

Comment 7 Robert-André Mauchin 🐧 2020-06-26 18:41:33 UTC
Also create a logrotate file for the log: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_logrotate_config_file

Comment 8 Simone Caronni 2020-06-30 09:40:18 UTC
Thanks for the feedback, updating the package now.

Comment 9 Simone Caronni 2020-06-30 10:23:21 UTC
(In reply to Robert-André Mauchin from comment #6)
> Source0:   
> http://github.com/%{name}/%{name}/archive/v%{version}/%{name}-%{version}.tar.
> gz

Updated.

>  - Why does the core subpackage obsoletes the main package? Also for a
> rename the Obsolete part must be fixed, to the release above the last
> release of the obsoleted package.

Long old gone thing, removed the Obsoletes.

>  - GZipping the man pages is handled by rpm, do not do it yourself:
> 
> gzip %{buildroot}%{_mandir}/man1/$i.1

Missed it. Actually man pages are now installed automatically, so I removed the section entirely.

>  - This is only needed in EPEL7:
> 
> %post core
> /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
> 
> %postun core
> if [ $1 -eq 0 ] ; then
>     /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
>     /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
> fi
> 
> %posttrans core
> /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
> 
>  Please put it behind a condition.

Missed it, fixed.

>  - Do not package libtool archive. Static library are generally not
> packaged, and, if really needed, must have their own static subpackage:
> 
> %{_libdir}/libbitcoinconsensus.a
> %{_libdir}/libbitcoinconsensus.la

Disabled static library building and removed the local archive.

>  - In order to avoid unintentional soname bump, we recommend not globbing
> the major SONAME version from shared library. Be more specific instead:
> 
> %{_libdir}/libbitcoinconsensus.so.*

Fixed.

>  - /var/lib/, {_localstatedir}/lib → use %{_sharedstatedir}
>  - /var/, %{_var} → use %{_localstatedir}
>  - /run → %{_rundir}

Missed, all fixed.

>  - I know nothing about SELinux, I need to find another reviewer for this

I will not separate the selinux policies from the main package. Many packages in the distribution require SELinux (ex. FreeIPA). It's not something that should be disabled, pretty much like the firewall.


Testing now the above changes with 0.20, will post the updated src.rpm after all functional tests have run.

Comment 10 Simone Caronni 2020-06-30 10:41:57 UTC
(In reply to Robert-André Mauchin from comment #7)
> Also create a logrotate file for the log:
> https://docs.fedoraproject.org/en-US/packaging-guidelines/
> #_logrotate_config_file

A couple of notes here:

- The log file after months of a running daemon is only 9.7 Mb, so I'm not sure there is really any benefit here.
- When enabling -debug on the daemon, the -shrinkdebugfile is automatically set to 1, so the log file is trimmed at startup.

So I see two options:

1. Add -shrinkdebugfile=1 to the systemd unit, so the log file is also trimmed when NOT starting in debug mode
2. Add -shrinkdebugfile=0 to the systemd unit so the log file is never trimmed even when debugging and then add the logrotate file.

I think solution 1 is better.

Comment 11 Simone Caronni 2020-06-30 10:58:23 UTC
In the meanwhile, before changing anything for the logging:

Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-2.fc32.src.rpm

* Tue Jun 30 2020 Simone Caronni <negativo17@gmail.com> - 0.20.0-2
- Update Source0 URL.
- Do not obsolete "bitcoin", just leave the provider for it.
- Let the build install the man pages.
- Make sure old post scriptlets run only on RHEL/CentOS 7.
- Do not install static library and archive.
- Be explicit with share object versions.
- Use macros for more directories.
- Use GCC 9 and not 7 to build on RHEL/CentOS 7.

Comment 12 Robert-André Mauchin 🐧 2020-06-30 11:27:15 UTC
 - Could you follow the rules specified at https://fedoraproject.org/wiki/SELinux/IndependentPolicy and use the %pre/%post macros documented there?

 - See the post by DWalsh on the -devel ML: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/GK3KPEDHX5NLDW32X7RIAP2IVEYHIAX3/

Comment 13 Simone Caronni 2020-06-30 14:06:06 UTC
(In reply to Robert-André Mauchin from comment #12)
>  - Could you follow the rules specified at
> https://fedoraproject.org/wiki/SELinux/IndependentPolicy and use the
> %pre/%post macros documented there?
> 
>  - See the post by DWalsh on the -devel ML:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/
> message/GK3KPEDHX5NLDW32X7RIAP2IVEYHIAX3/

Ah, I was not aware of it. I will check, thanks!

Comment 14 Vit Mojzis 2020-06-30 14:21:38 UTC
The Independent policy guide (https://fedoraproject.org/wiki/SELinux/IndependentPolicy) should cover all you need in terms of packaging the policy.
As for the policy itself, please try to follow https://github.com/SELinuxProject/refpolicy/wiki/StyleGuide. Also, using "permissive bitcoin_t;" disables the SELinux confinement on the domain (AVC denials are logged, but not enforced) and should therefore only be used for debugging/testing.

Comment 15 Simone Caronni 2020-06-30 14:44:10 UTC
(In reply to Vit  Mojzis from comment #14)
> The Independent policy guide
> (https://fedoraproject.org/wiki/SELinux/IndependentPolicy) should cover all
> you need in terms of packaging the policy.
> As for the policy itself, please try to follow
> https://github.com/SELinuxProject/refpolicy/wiki/StyleGuide. Also, using
> "permissive bitcoin_t;" disables the SELinux confinement on the domain (AVC
> denials are logged, but not enforced) and should therefore only be used for
> debugging/testing.

Ok, thanks for the info!

Comment 16 Eugene A. Pivnev 2020-06-30 16:18:17 UTC
(In reply to Simone Caronni from comment #10)
> (In reply to Robert-André Mauchin from comment #7)
> > Also create a logrotate file for the log:
> > https://docs.fedoraproject.org/en-US/packaging-guidelines/
> > #_logrotate_config_file
> 
> A couple of notes here:
> 
> - The log file after months of a running daemon is only 9.7 Mb, so I'm not
> sure there is really any benefit here.

I think it is not matter how big is log file.
Let user to decide switch it off on demand.

Comment 17 marco 2020-06-30 18:56:11 UTC
Some questions.

* In the spec file, what exactly is `Source4` used for?

* Why is the Bitcoin Core package called `bitcoin` and not `bitcoin-core` like in other package managers. E.g. https://snapcraft.io/bitcoin-core or https://flathub.org/apps/details/org.bitcoincore.bitcoin-qt

* Is the package going to be made available in CentOS? If yes, on what schedule is CentOS/RHEL going to update the package? Is there a chance that EOL version are offered in the package manager? See https://bitcoincore.org/en/lifecycle/

Comment 18 Eugene A. Pivnev 2020-06-30 19:51:12 UTC
(In reply to marco from comment #17)
> * Why is the Bitcoin Core package called `bitcoin` and not `bitcoin-core`
> like in other package managers. E.g. https://snapcraft.io/bitcoin-core or
> https://flathub.org/apps/details/org.bitcoincore.bitcoin-qt

I can try to answer this.
* "bitcoin-core" includes bitcoind (bitcoin-server, but it is "client" of bitcoin network), bitcoin-utils (pure "client" as client) and bitcoin-qt ("server" as client + partially "client" as client all-in-one :-)
* all of them are absolutely indepent from each another on runtime.
So, this "-core" is not "core" and not includes runtime core (and this is big problem - it's impossible to select "-lib" from these tonns of code).
And as for me I think current packaging (bitcoin => -server + -utils + -qt) is very logical.
PS. in addition some of docs say "..then run bitcoin-core (they mean bitcoin-qt binary) and..."

Comment 19 Simone Caronni 2020-07-01 07:17:33 UTC
(In reply to Eugene A. Pivnev from comment #16)
> (In reply to Simone Caronni from comment #10)
> > (In reply to Robert-André Mauchin from comment #7)
> > > Also create a logrotate file for the log:
> > > https://docs.fedoraproject.org/en-US/packaging-guidelines/
> > > #_logrotate_config_file
> > 
> > A couple of notes here:
> > 
> > - The log file after months of a running daemon is only 9.7 Mb, so I'm not
> > sure there is really any benefit here.
> 
> I think it is not matter how big is log file.
> Let user to decide switch it off on demand.

Exactly, but -shrinkdebugfile set to 1 automatically when in debug mode, the user will get truncated logs at restart. So in my opinion is better to disable the default shrinkdebugfile when turning on debug if we want to use logrotate.

Comment 20 Simone Caronni 2020-07-01 07:24:27 UTC
(In reply to marco from comment #17)
> * In the spec file, what exactly is `Source4` used for?

Contains some things related to packaging (icon, desktop menu, etc.). I might remove it entirely at some point.
It's unpacked in the %autosetup macro:

%autosetup -a 4 -p1

> * Is the package going to be made available in CentOS? If yes, on what
> schedule is CentOS/RHEL going to update the package? Is there a chance that
> EOL version are offered in the package manager? See
> https://bitcoincore.org/en/lifecycle/

I'm planning to build it also on CentOS/RHEL 7+ (stuff is already in the spec file).
I just plan to build the latest version. Maintaining minor releases of previous version in EPEL might be an option (ex. 0.20.1 in EPEL when 0.21 gets released in Fedora), but I don't really see the point honestly. Might be that at one point due to dependencies it's not possible to build the latest for EPEL, so in that case a maintained old release or bundling of some libraries could be an option.

Regarding EOL releases, no, no plan to keep EOL releases alive.

Comment 21 Daniel Walsh 2020-07-01 18:33:43 UTC
Don't think you have to build multiple different SELinux policies, one should work on all variants.

Comment 22 Björn Persson 2020-07-06 14:29:30 UTC
Cryptocurrency wallets are very juicy targets for criminals, so it's paramount that you do everything you can to prevent and detect attempts to inject malware into the package.

First, never use insecure HTTP if HTTPS is available.

Second, verify upstream's signature before unpacking the tarball. Unfortunately they sign it in an indirect way that our handy verifier script doesn't expect. That makes the verification code a bit tricky, so I have written it for you.

These are the changes you need to make:

--- bitcoin.spec.old	2020-06-30 12:57:18.000000000 +0200
+++ bitcoin.spec	2020-07-06 15:48:51.656323998 +0200
@@ -7,9 +7,9 @@
 Release:    2%{?dist}
 Summary:    Peer to Peer Cryptographic Currency
 License:    MIT
-URL:        http://bitcoin.org/
+URL:        https://bitcoin.org/
 
-Source0:    http://github.com/%{name}/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
+Source0:    https://github.com/%{name}/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
 Source1:    %{name}-tmpfiles.conf
 Source2:    %{name}.sysconfig
 Source3:    %{name}.service
@@ -20,12 +20,16 @@
 Source8:    README.server.redhat
 Source9:    README.utils.redhat
 Source10:   README.gui.redhat
+Source11:   https://bitcoin.org/bin/bitcoin-core-%{version}/SHA256SUMS.asc
+Source12:   https://bitcoin.org/laanwj-releases.asc
 
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  boost-devel
 BuildRequires:  checkpolicy
 BuildRequires:  desktop-file-utils
+BuildRequires:  gnupg2
+BuildRequires:  grep
 BuildRequires:  java
 BuildRequires:  libdb4-cxx-devel
 BuildRequires:  libevent-devel
@@ -76,7 +80,7 @@
 may be used by third party software to provide consensus verification
 functionality.
 
-Unless you know need this package, you probably do not.
+Unless you know you need this package, you probably do not.
 
 %package devel
 Summary:    Peer-to-peer digital currency
@@ -126,6 +130,15 @@
 need this package.
 
 %prep
+gpgworkdir="$(mktemp --directory)"
+# Decode the ASCII armor on the keyring.
+gpg2 --homedir="${gpgworkdir}" --yes --output="${gpgworkdir}/keyring.gpg" --dearmor '%{SOURCE12}'
+# Verify the signature on the checksums file using the decoded keyring.
+gpgv2 --homedir="${gpgworkdir}" --keyring="${gpgworkdir}/keyring.gpg" '%{SOURCE11}'
+# Verify the tarball using the checksums file minus the signature.
+( cd '%{_sourcedir}' && grep bitcoin '%{SOURCE11}' | sha256sum --check --ignore-missing - )
+rm --recursive --force ${gpgworkdir}
+
 %autosetup -a 4 -p1
 mv packaging-*/debian/* contrib/debian/

Comment 23 marco 2020-07-08 12:42:25 UTC
If you fetch the key from the same website the binaries are taken from, there is no security. Anyone replacing the binaries can trivially replace the key.

Also, bitcoincore.org is the official download site (bitcoin.org is a mirror site unrelated to the Bitcoin Core project). So I recommend to use the steps to verify from their download page: https://bitcoincore.org/en/download/

The instructions recommend to fetch the key based on its fingerprint (01EA5486DE18A882D4C2684590C8019E36C2E964).

Comment 24 Björn Persson 2020-07-08 17:59:33 UTC
(In reply to marco from comment #23)
> If you fetch the key from the same website the binaries are taken from,
> there is no security. Anyone replacing the binaries can trivially replace
> the key.

That would be true if the upstream project would generate a new key for every release, and also wouldn't sign their keys.

When a new release is signed with the same key that the developers have been using for years, then that increases our confidence that it is from the same source as all the previous releases. When a key needs replacing, then the project can maintain continuity by signing the new key with the old key. We packagers must be very careful when a release-signing key changes, and not blindly replace the key like we replace a tarball.

In this particular case you're also off the mark because my patched spec *doesn't* fetch the key from the same website as the binaries. To my slight surprise I found that the tarball from Github is identical to the one on bitcoin.org (and on bitcoincore.org). If that's reliable, then we can improve security by fetching the tarball from Github and the signed checksum file from bitcoin.org or bitcoincore.org, and verifying them with the key we already have. An attacker will then have to acquire the secret key and compromise *both* websites before they can sneak malicious changes past the verification step.

> Also, bitcoincore.org is the official download site (bitcoin.org is a mirror
> site unrelated to the Bitcoin Core project).

In that case the URL field in the package should also point to https://bitcoincore.org/en/about/.

> The instructions recommend to fetch the key based on its fingerprint
> (01EA5486DE18A882D4C2684590C8019E36C2E964).

Hmm, they refer to keyserver.ubuntu.com, which runs Hockeypuck. I don't see any statement that Hockeypuck has a solution to the spam attack (https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) that led to keys.fedoraproject.org being turned off (https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/COEYWJBQDAWRSYNQW7Y7TD2EKEGBWOAY/) in February this year. If it doesn't then you expose yourself to a denial of service when you fetch from the keyserver.

In case somebody thinks that fetching a key from a keyserver is more secure than fetching it from the project's website: It's not, because anyone can write somebody else's name on a key and upload it to a keyserver. Only the fingerprint ensures that you get the right key, and someone who can replace files on the project's website can replace the fingerprint too.

Comment 25 marco 2020-07-08 18:49:38 UTC
> packagers must be very careful when a release-signing key changes

Source12 simply downloads the key from https://bitcoin.org/laanwj-releases.asc without checking the hash or fingerprint, so there is no way to detect changes. What am I missing?

> To my slight surprise I found that the tarball from Github is identical to the one on bitcoin.org (and on bitcoincore.org)

I think this is only a coincidence for the 0.20.0 release. All other releases should not match, which is why I assumed the download sources are identical.

> I don't see any statement that Hockeypuck has a solution to the spam attack

Good point, personally I can recommend https://keys.openpgp.org/vks/v1/by-fingerprint/01EA5486DE18A882D4C2684590C8019E36C2E964, which claim to be resistant to those attacks ( https://keys.openpgp.org/about/faq#sks-pool )

Not sure, but keyserver.ubuntu.com might have solved the attack by disabling key updates, which could lead to problems should the key ever be revoked.

Though generally, as long as the fingerprint matches, it should be possible to download the key from any source with reliable uptime.

Comment 26 Björn Persson 2020-07-08 20:29:23 UTC
(In reply to marco from comment #25)
> Source12 simply downloads the key from
> https://bitcoin.org/laanwj-releases.asc without checking the hash or
> fingerprint, so there is no way to detect changes. What am I missing?

You're missing the fact that RPMbuild doesn't download anything and the Koji builders are isolated from Internet access. All sources and patches are taken from the Fedora Project's Git repository and lookaside cache, and change only when a package maintainer uploads a new file. Our source file verification policy says that the keyring shall be committed to Git:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification

The URL is there to document where the keyring came from, so that anyone can download it and verify that it's identical to the one in Git.

Comment 27 Oleg Girko 2020-07-08 20:38:35 UTC
(In reply to Björn Persson from comment #26)
> (In reply to marco from comment #25)
> > Source12 simply downloads the key from
> > https://bitcoin.org/laanwj-releases.asc without checking the hash or
> > fingerprint, so there is no way to detect changes. What am I missing?
> 
> You're missing the fact that RPMbuild doesn't download anything and the Koji
> builders are isolated from Internet access. All sources and patches are
> taken from the Fedora Project's Git repository and lookaside cache, and
> change only when a package maintainer uploads a new file. Our source file
> verification policy says that the keyring shall be committed to Git:
> https://docs.fedoraproject.org/en-US/packaging-guidelines/
> #_source_file_verification
> 
> The URL is there to document where the keyring came from, so that anyone can
> download it and verify that it's identical to the one in Git.

This looks too dependent on Fedora infrastructure.
What about those who want to re-build the package from the spec file on their computer (and download all necessary sources using spectool)?
What about those who want to re-build the package using OBS and download_files source service?
I think, the main PGP public key's checksum should be embedded into spec file and checked against to make sure all re-downloaded sources are correct.

Comment 28 Björn Persson 2020-07-10 15:54:08 UTC
(In reply to Oleg Girko from comment #27)
> What about those who want to re-build the package from the spec file

I would recommend rebuilding from the source RPM package. Rebuilding from only a spec isn't possible in the general case. Many packages have patches, and sometimes there is no working URL to a source. Those will be missing if you try to rebuild from only the spec.

> I think, the main PGP public key's checksum should be embedded into spec
> file and checked against to make sure all re-downloaded sources are correct.

That wouldn't hurt. You would want a GnuPG command – or a series of commands – to verify that the given keyring contains a key with the given fingerprint, and also that it doesn't contain any other keys. Can you propose such a command? Don't forget to ensure that GnuPG will look only in the specified keyring even if the user has a default keyring.

Comment 29 Oleg Girko 2020-07-10 16:56:25 UTC
(In reply to Björn Persson from comment #28)
> (In reply to Oleg Girko from comment #27)
> > I think, the main PGP public key's checksum should be embedded into spec
> > file and checked against to make sure all re-downloaded sources are correct.
> 
> That wouldn't hurt. You would want a GnuPG command – or a series of commands
> – to verify that the given keyring contains a key with the given
> fingerprint, and also that it doesn't contain any other keys. Can you
> propose such a command? Don't forget to ensure that GnuPG will look only in
> the specified keyring even if the user has a default keyring.

Something like this in %prep section:

    echo 123456789abcdef... %{SOURCE12} | sha256sum -c

Comment 30 Simone Caronni 2020-07-18 07:56:26 UTC
Thanks, I've added signature verification which is a bit from all comments above.
The packaging guidelines are pretty clear about signatures, so:

- Key is downloaded from the keyserver (as also suggested by upstream) and instructions are in the SPEC file.
- Key is added to the Fedora SCM (aka it's in git).
- Detached signed checksum is in the lookaside cache (aka it's in the sources file).
- Since /usr/lib/rpm/redhat/gpgverify (aka %gpgverify) does not support signed sums files I've replaced it with gpgv2/sha256sum commands.

I will also add the SHA256UM.asc file in the .gitignore file once approved so there is no chance that the hashed checksum gets into SCM and can only go into the lookaside cache.

Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-3.fc32.src.rpm

* Sat Jul 18 2020 Simone Caronni <negativo17@gmail.com> - 0.20.0-3
- Add signature verification.
- Trim changelog.
- Fix typo in the libs description.

I will start working on the SELinux part hopefully soon (terribly busy in real life).

Comment 31 Simone Caronni 2020-07-19 18:01:24 UTC
Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-4.fc32.src.rpm

* Sun Jul 19 2020 Simone Caronni <negativo17@gmail.com> - 0.20.0-4
- Fix tests on RHEL/CentOS 7.

Comment 32 Björn Persson 2020-07-19 19:55:48 UTC
Thank you for adding the signature verification, but you're still using HTTP instead of HTTPS in URL and Source20 for no reason I can see.

Comment 33 Simone Caronni 2020-07-21 17:48:40 UTC
(In reply to Björn Persson from comment #32)
> Thank you for adding the signature verification, but you're still using HTTP
> instead of HTTPS in URL and Source20 for no reason I can see.

Just forgot it to change it in %url which get expanded in the Source20 line.

Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-5.fc32.src.rpm

More cleanups:

* Tue Jul 21 2020 Simone Caronni <negativo17@gmail.com> - 0.20.0-5
- Use HTTPS for url tag.
- Reorganize sources. Add cleaned files from the packaging repository directly;
  bash completion snippets are now supported in the main sources.
- Move check section after install and include desktop file validating in
  there.

Room for improvements:
- Check hardening measures for the systemd unit (differences between the various distributions).
  Ex.: https://github.com/bitcoin/bitcoin/blob/master/contrib/init/bitcoind.service#L53-L74
- Rework SELinux policy
- Check about bundling libdb4 (deprecated everywhere in Fedora, not available in EPEL), upstream accepts any libdb versions for building but wallets are not compatible across different libdb versions and need to be converted. Debian builds with the latest libdb: https://salsa.debian.org/cryptocoin-team/bitcoin/-/blob/master/debian/rules#L31

Comment 34 Simone Caronni 2020-07-21 17:49:13 UTC
I'll be away from the 25th of July for holidays until the 17th of August.

Comment 35 Simone Caronni 2020-07-21 20:01:32 UTC
Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-6.fc32.src.rpm

* Tue Jul 21 2020 Simone Caronni <negativo17@gmail.com> - 0.20.0-6
- Update systemd unit.
- Update configuration options.
- Declared bundled libraries/forks.

Room for improvements:
- Rework SELinux policy
- Check about bundling libdb4 (deprecated everywhere in Fedora, not available in EPEL), upstream accepts any libdb versions for building but wallets are not compatible across different libdb versions and need to be converted. Debian builds with the latest libdb: https://salsa.debian.org/cryptocoin-team/bitcoin/-/blob/master/debian/rules#L31

I've run out of procrastination items for the SELinux policy :D

Comment 36 Simone Caronni 2020-07-23 04:51:37 UTC
I've tested with a few wallets and everything is fine, no conversion needed.

Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-7.fc32.src.rpm

* Wed Jul 22 2020 Simone Caronni <negativo17@gmail.com> - 0.20.0-7
- Use libdb 5.x instead of deprecated 4.x. Fixes build on RHEL/CentOS 8.

Room for improvements:
- Rework SELinux policy

Comment 37 marco 2020-08-05 09:46:48 UTC
> BuildRequires:  openssl-devel
> BuildRequires:  protobuf-devel

I believe neither of them are needed at all

Comment 38 Simone Caronni 2020-09-25 08:59:35 UTC
Getting back to this over the weekend. I just moved and got back internet today.

Comment 39 Simone Caronni 2020-11-19 20:39:13 UTC
House move, renovations, virus, work, kids, you name the issue.
No time yet for looking at the SELinux policy.

Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.1-2.fc32.src.rpm

* Thu Nov 19 2020 Simone Caronni <negativo17@gmail.com> - 0.20.1-2
- Remove openssl/protobuf from build requirements.

* Wed Oct 21 2020 Simone Caronni <negativo17@gmail.com> - 0.20.1-1
- Update to 0.20.1.

Comment 40 Eugene A. Pivnev 2020-11-21 23:51:25 UTC
(In reply to Simone Caronni from comment #39)

Keep in mind that now:
- bitcoins service does not covers DATA_DIR (/etc/sysconfig/bitcoin) with "datadir=" variable from /etc/bitcoin/bitcoin.conf.
  So if you want to move working data (~400GB) out from /var/lib you have to edit right (and only) DATA_DIR
- permissions of /etc/bitcoin folder (0750) too strict - ordinary users cannot view conf
- permissions of bitcoind data folder (/var/lib/bitcoin if "out of box") too strict too.

Comment 41 Simone Caronni 2020-11-23 09:53:24 UTC
(In reply to Eugene A. Pivnev from comment #40)
> (In reply to Simone Caronni from comment #39)
> 
> Keep in mind that now:
> - bitcoins service does not covers DATA_DIR (/etc/sysconfig/bitcoin) with
> "datadir=" variable from /etc/bitcoin/bitcoin.conf.
>   So if you want to move working data (~400GB) out from /var/lib you have to
> edit right (and only) DATA_DIR

Keep in mind that there is an SELinux policy that covers all these folders, so you would need to edit that as well. Let's say that if you have SELinux policies covering the specifics of a service you better think about it two times before shuffling things around.

> - permissions of /etc/bitcoin folder (0750) too strict - ordinary users
> cannot view conf
> - permissions of bitcoind data folder (/var/lib/bitcoin if "out of box") too
> strict too.

Which is fine, as the former might contain the RPC password and the latter a wallet.

Comment 42 Simone Caronni 2020-12-09 08:46:28 UTC
Anyone up for review? And maybe help with the SELinux policy as well.

Comment 43 Eugene A. Pivnev 2021-01-07 15:01:34 UTC
(In reply to Simone Caronni from comment #42)
> Anyone up for review? And maybe help with the SELinux policy as well.

I can review but just after selinux fix.

Comment 44 Oleg Girko 2021-01-18 23:02:00 UTC
1. Please add "--tmpdirprefix %{_tmppath}" to command line args of functional tests in "%check" section. By default, "/tmp" is used by tests for temporary data dirs, usually it's mounted as tmpfs, but some tests use quite large amount of space (like 7 or 8 gigabytes), so it can lead to test failures on systems with limited amount of memory.

2. What's the reason to include java as build requirement?

Comment 45 Oleg Girko 2021-01-20 00:47:55 UTC
Everything builds OK if I remove java from build requirements.

I've built updated packages with the following changes:
- Update to 0.21.0.
- Use /var/tmp instead of /tmp as tmpdirprefix for functional tests.
- Remove java from build requirements.

See https://obs.infoserver.lv/package/show/cryptocurrency/bitcoin for details.

Comment 46 Simone Caronni 2021-01-20 15:26:52 UTC
Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.21.0-2.fc32.src.rpm

* Wed Jan 20 2021 Simone Caronni <negativo17@gmail.com> - 0.21.0-2
- Update to 0.21.0.
- Remove java build requirement.
- Use local folder for test output.

Comment 47 Simone Caronni 2021-01-20 15:29:22 UTC
(In reply to Oleg Girko from comment #45)
> - Update to 0.21.0.

For the 0.21 release something has changed in the boost code, so Boost as provided by the base distribution in CentOS/RHEL 7 is no longer enough.

I'm struggling on how to make the build system consider -I%{_includedir}/boost169 both at %configure time and at make time.

If I add the BOOST_CPPFLAGS I can pass configure but not the build, if I add it to CXXFLAGS or CPPFLAGS it breaks the configure detection (with or without BOOST_CPPFLAGS declared).

Any hint? Everything is in the SPEC file above.

Comment 48 Warren Togami 2021-01-26 18:02:51 UTC
Sorry I've missed this discussion. Please do not proceed with this package in Fedora until we've had a chance to speak. I am concerned that we have a long-term plan in line with upstream's recommendations.

Concerned parties please contact me at warren on Freenode or wtogami@gmail.com. Let's schedule a meeting to discuss this. See historical discussion in Bug #1020292.

Comment 49 Warren Togami 2021-01-26 18:21:25 UTC
> - permissions of /etc/bitcoin folder (0750) too strict - ordinary users cannot view conf

You mean bitcoin.conf? You absolutely do not want other users to be able to read that. It can contains secrets.

Overall I have concerns that this package shoehorns non-default config and datadir. This is not the "normal" way of using bitcoind. This package entering the repository could be a surprise to some with several external repo packages that people have installed in the past years.

I wrote related concerns of packaging conflicts at https://bugzilla.redhat.com/show_bug.cgi?id=1020292#c45

> # FIXME This is less than ideal, but until dwalsh gives me a better way...

Mitigating factor is if all the non-upstream-default stuff is in an optional subpackage. In your case -server does seem to self-contain the .service, selinux, non-default config and non-default datadir. If people want to use it in the upstream way they could install only the main package. (I have not fully reviewed if these things are fully contained in the -server subpackage.)

> * Wed Jul 22 2020 Simone Caronni <negativo17@gmail.com> - 0.20.0-7
> - Use libdb 5.x instead of deprecated 4.x. Fixes build on RHEL/CentOS 8.

Sorry please do not do this. Upstream strongly recommends against using DB5 for a reason.

db4 is the official upstream wallet.dat format. They plan to migrate away from db4 to sqlite in the next year. Building against db5 is in the build system as only a convenience but it is strongly discouraged all these years because db5 wallet.dat is not supported by the upstream distribution, and it could leave users stuck without a supported migration path.

Comment 50 Warren Togami 2021-01-26 19:09:23 UTC
https://salsa.debian.org/debian/guix/-/tree/debian/devel/debian
I'm told this is how Debian packaged Guix. It appears to be a proper bootstrap starting from guile.

Comment 51 Warren Togami 2021-01-26 19:09:47 UTC
oops wrong ticket

Comment 52 Warren Togami 2021-01-27 07:25:01 UTC
> For the 0.21 release something has changed in the boost code, so Boost as provided by the base distribution in CentOS/RHEL 7 is no longer enough.

I have a plan to fix this and more for RHEL7+ and Fedora in a uniform way. It might take a few weeks for this to be ready. I can explain it sooner if you would like to talk.

Sorry for injecting myself into this after you've put half a year of work into this. You disregarded critical warnings in Bug #1020292 as to why packaging this is hazardous. There are risks you are not familiar with as to why historically none of the leading distros (Fedora, Debian, Ubuntu) have packaged Bitcoin Core. Tldr: Builds dynamic linked to system libraries have previously been vulnerable to catastrophic network divergence. Distribution packages wouldn't be dangerous if only a few people used it. But should they become the most common way of using Bitcoin Core then it would be a systemic risk. This was not only a hypothetical problem. BIP66 is one such historical example that could have been exacerbated by distro packages becoming the most common way to run Bitcoin Core full nodes.

The safer way for downstream distributions to handle this not become possible until recent upstream work (Guix-related). There's three step needed to make this usable for Fedora/RHEL.

1) Guix-based deterministic builds of Bitcoin Core to become the official release process (replacing their previous Ubuntu-based Gitian). This work is now 99% complete.

2) Add rpmbuild to upstream's Guix build process. It would generate deterministic binary RPMS alongside their binary tarballs.

https://salsa.debian.org/debian/guix/-/tree/debian/devel/debian
https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org

3) Package Guix for Fedora much in the same way as Debian did it. This would allow us to have a known deterministic build system that is capable of building identical binaries.

I did not appreciate how you closed Bug #1020292 and disregarded the warnings written there. Out of respect I am not unilaterally closing this bug.

Step #2 above is an opportunity to collaborate. I assigned one of my engineers to work on this. We should collaborate on what exactly we want to be in a bitcoincore RPM package. For example instead of your -server package we may want to consider systemd service @ units as an official way to configure and launch multiple nodes.

Comment 53 Simone Caronni 2021-01-27 12:06:57 UTC
First of all, I've been using these packages myself for years, but I'm all in for one that is fine by everyone, including your concerns.

(In reply to Warren Togami from comment #52)
> I did not appreciate how you closed Bug #1020292 and disregarded the
> warnings written there. Out of respect I am not unilaterally closing this
> bug.

The original ticket has been closed according to guidelines and the original poster even jumped in, so respect or not, this does not give you any entitlement to close tickets arbitrarily.

All you've written it's all nice but I'm not even sure if builds based on GUIX that don't follow guidelines are allowed in Fedora/EPEL. Have you checked that? If not, that as well would grant people to ignore your comments and just proceed.

> Step #2 above is an opportunity to collaborate. I assigned one of my
> engineers to work on this. We should collaborate on what exactly we want to
> be in a bitcoincore RPM package. For example instead of your -server package
> we may want to consider systemd service @ units as an official way to
> configure and launch multiple nodes.

I'm fine with your proposal, but the original bug report for the review is open since 2013, and apart high level things that should be done or not done I've not seen much from you on the topic.
If you think the various components (guix etc.) are mature enough why don't you post a review for guix, a guix-based RPM or the parts that in your opinion are important? You can take over, I don't mind. I can take the reviews straight away if you're fine so we can get this sorted out. Even if the various components are not 100% ok like you said, already it's a start.

Comment 54 Oleg Girko 2021-01-27 14:42:15 UTC
I think that threat of unintentional fork due to slightly different versions of system libraries is significantly exaggerated. So far this threat is purely theoretical, there were no incidents related to that. The problem fixed with BIP66 was caused not by variations of OpenSSL behaviour between different versions, but by using OpenSSL incorrectly in Bitcoin Core client.

https://github.com/bitcoin/bips/blob/master/bip-0066.mediawiki

Relying on specific implementation details of particular versions of libraries is harmful because it introduces undocumented implicit consensus rules nobody knows about. And requiring using one true build of a single client does not help at all, it just hides a ticking bomb until it explodes later. An incident with unintended hard fork when migrating Bitcoin Core client from BerkleyDB to LevelDB has shown this quite prominently.

https://github.com/bitcoin/bips/blob/master/bip-0050.mediawiki

Another lesson from this incident is that unintended forks caused by bugs in consensus rules do not cause catastrophic consequences and are resolved very quickly. And I'm pretty sure that they are beneficial in the long run because they fix hidden critical bugs that (also theoretically) can be exploited by malicious actors.

Approach taken by Ethereum is much healthier. They not only don't require one true build of a single client, but they even encourage multiple client implementations. Consensus rules of Ethereum 2 beacon chain make using the most popular validator client riskier than less popular ones: more clients misbehave synchronously, bigger penalty they get. Of course, this doesn't guarantee from unintended forks caused by bugs of consensus implementation. But this causes most of these bugs to be caught early in testnet.

Hence, building Bitcoin client with system libraries is only slightly riskier than using one true build, but this risk is very minor (and only theoretical so far), and this is acceptable risk. If Linux distributions adopt this approach, this will be beneficial in the long run because it will help to detect and fix bugs in consensus implementation earlier.

I'm voting for adding properly built (using system libraries) Bitcoin Core client to Fedora and accepting minor risks caused by this for bigger benefit of Bitcoin ecosystem's diversity.

And to show that I've already put my money where my mouth is, I use Dash Core client built the same way for almost 4 years without a single incident.

https://obs.infoserver.lv/package/show/cryptocurrency/dash-core

(Dash Core codebase is originally a fork of Bitcoin's one.)

Comment 55 Warren Togami 2021-01-27 21:15:06 UTC
Oleg wrote:
> So far this threat is purely theoretical, there were no incidents related to that. 

This is incorrect. Some alt coins like PPC suffered exactly a catastrophic fork because they disregarded warnings in this regard.

The diversity argument is counter to the opinion of among Bitcoin Core developers. Debating the diversity of implementations issue is not productive here. I ask that folks please defer to upstream Bitcoin Core developer opinions on the wisdom and safety of how to ship Bitcoin Core in downstream distributions.

Simone wrote:
> I'm fine with your proposal, but the original bug report for the review is open since 2013, and apart high level things that should be done or not done I've not seen much from you on the topic.

Upstream did not have a feasible build method until recently. I am sorry this took so long. I also recognize this is extremely weird compared to the normal way software is built in Fedora. The upstream developers felt so strong about this that it was preferable to have no Bitcoin in the leading Linux distros all these years. Now however we are close to a satisfactory solution. I ask for a bit more patience.

Comment 56 Oleg Girko 2021-01-27 23:14:37 UTC
(In reply to Warren Togami from comment #55)
> Oleg wrote:
> > So far this threat is purely theoretical, there were no incidents related to that. 
> 
> This is incorrect. Some alt coins like PPC suffered exactly a catastrophic
> fork because they disregarded warnings in this regard.

I was not talking about minor altcoins with very low adoption rate. They suffer from more serious problems, like being vulnerable to 51% attacks. Also, they suffer from lack of developer resources and accumulate technical debt much quicker as a result. Hence, I'm not surprised that among thousands of altcoins you can find one that suffered because of this problem. You can find even more altcoins that suffered much worse problems because of bugs in their code anyway.

> The diversity argument is counter to the opinion of among Bitcoin Core
> developers.

Yes, I know. But this doesn't automatically mean that Bitcoin Core developers are right. Ethereum developers have radically different opinion, for example.

> Debating the diversity of implementations issue is not
> productive here.

I'm not debating diversity of implementations. I'm just using this argument to point to the fact that insisting on using particular versions of libraries is not an acceptable way to build reliable software. Unfortunately, it's becoming quite common mindset among developers: "I've tested my program with these particular versions of libraries, hence everyone should use them". Yes, this makes life easier for developers, but complicates life for everyone else.

There is a good reason Fedora has a strong attitude against bundling of libraries. Upstream developers are usually not proficient enough to update all libraries they use in a timely manner. Maintainers of library packages are more proficient in this. If a remotely exploitable vulnerability is found in one of many libraries Bitcoin Core uses, it will take much more time for new version of Bitcoin Core to be released and packaged than for new version of this particular library packaged in Fedora. Very often Fedora gets patched package even before upstream releases a new version.

Hence, if my argument about beneficial diversity is not enough for you, I have a much stronger argument: vulnerability in a bundled library.

Remotely exploitable vulnerability is a true nightmare scenario for a cryptocurrency software, because it can lead to massive theft of funds. Unintended forks are just a nuisance compared to that. Even large-scale fork can lead just to temporary outage and increased time to reach consensus. Some transactions may be remaining in the mempool for a long time or even lost, so they have to be repeated later, but it's very unlikely that funds will be lost or stolen as a result. Single cases of double spend that can happen during an outage like this (that will be resolved when the fork is over anyway) are nothing compared to mass theft of funds.

Considering a very minor fraction of nodes that will run Fedora-packaged Bitcoin Core, a theoretical fork involving these nodes will not be even large-scale. In worst case scenario, small percentage of nodes will be temporarily banned from the network until the problem is fixed. And probability of this is still lower than an unpatched vulnerability in a library Bitcoin uses. And packaging procedures in Fedora are well suited exactly to mitigate risks like this.

> I ask that folks please defer to upstream Bitcoin Core
> developer opinions on the wisdom and safety of how to ship Bitcoin Core in
> downstream distributions.

As a former Dash Core developer, I strongly disagree. Bitcoin Core deveopers' "wisdom" prevented Bitcoin Core client from being shipped in downstream distributions at all for 12 years already.

> Simone wrote:
> > I'm fine with your proposal, but the original bug report for the review is open since 2013, and apart high level things that should be done or not done I've not seen much from you on the topic.
> 
> Upstream did not have a feasible build method until recently. I am sorry
> this took so long. I also recognize this is extremely weird compared to the
> normal way software is built in Fedora. The upstream developers felt so
> strong about this that it was preferable to have no Bitcoin in the leading
> Linux distros all these years. Now however we are close to a satisfactory
> solution. I ask for a bit more patience.

I don't think that building with all libraries bundled is satisfactory solution. At least, not for me. So, let's package Bitcoin Core client according to Fedora guidelines for now. However, I'm not against providing a bundled version as another option when it's available. I'm just against having this as the only option (and no option at all for quite a long time before it's available). Let users decide which slightly increased risk they prefer to take: minor fork and temporary ban or remotely exploitable vulnerability.

Comment 57 Warren Togami 2021-01-28 17:54:47 UTC
There were multiple misstatements of fact in what you wrote that I will not dissect here because this is the wrong forum for ideological debate between competitors. 

The only question here is if Fedora will follow Bitcoin Core upstream's safety recommendations. It was not possible in past years but now the toolchain is 99.99% ready. I'm working on this.

Simone, I'm interested in collaborating with you.

Comment 58 Warren Togami 2021-01-28 18:07:14 UTC
> Yes, I know. But this doesn't automatically mean that Bitcoin Core developers are right. Ethereum developers have radically different opinion, for example.

Ethereum has had numerous emergency updates due to catastrophic errors through the years. Bitcoin has had significantly fewer emergency updates. You call this a difference of opinion. We call this wisdom.
Let's not go deeper into the ideological debate.

Regarding the bundled library argument I was unfair that I did not respond. I am well aware of the bundled library reasoning. I am among the people who wrote Fedora's packaging standards and zealously defended it years ago. There is more recently an exceptions process where bundled libraries are allowed in Fedora. Bitcoin Core through the years has been working towards progressively eliminating external library dependencies because they have been the source of most dangerous vulnerabilities. That being said the libraries that it continues to rely upon are carefully tracked by the upstream project.

https://fedoraproject.org/wiki/Bundled_Libraries?rd=Packaging:Bundled_Libraries
Fedora now has a process to help keep track of bundled libraries. This package will follow these guidelines and anything else required by FESCO.

Comment 59 Eugene A. Pivnev 2021-02-12 10:48:01 UTC
Seems hardcoded selinux dependency not resolved.
What about moving selinux things into -selinux subpackage?

Comment 60 Eugene A. Pivnev 2021-02-12 11:21:13 UTC
(In reply to Robert-André Mauchin 🐧 from comment #7)
> Also create a logrotate file for the log:
> https://docs.fedoraproject.org/en-US/packaging-guidelines/
> #_logrotate_config_file

And this is not solved yet too.

Comment 61 Eugene A. Pivnev 2021-02-12 12:49:17 UTC
> %package server
> Requires:           %{name}-utils%{_isa} = %{version}

Really?

Comment 62 Simone Caronni 2021-03-07 17:04:08 UTC
(In reply to Eugene A. Pivnev from comment #60)
> (In reply to Robert-André Mauchin 🐧 from comment #7)
> > Also create a logrotate file for the log:
> > https://docs.fedoraproject.org/en-US/packaging-guidelines/
> > #_logrotate_config_file
> 
> And this is not solved yet too.

I replied here, not planning to change it at the moment: https://bugzilla.redhat.com/show_bug.cgi?id=1834731#c19

Comment 63 Simone Caronni 2021-03-07 17:04:39 UTC
(In reply to Eugene A. Pivnev from comment #61)
> > %package server
> > Requires:           %{name}-utils%{_isa} = %{version}
> 
> Really?

Well, to interact with the daemon you require the cli, but is not strictly required per se. I've removed the requirement.

Comment 64 Simone Caronni 2021-03-07 17:05:21 UTC
(In reply to Eugene A. Pivnev from comment #59)
> Seems hardcoded selinux dependency not resolved.
> What about moving selinux things into -selinux subpackage?

Replied here: https://bugzilla.redhat.com/show_bug.cgi?id=1834731#c9

Comment 65 Simone Caronni 2021-03-07 17:15:49 UTC
(In reply to Simone Caronni from comment #64)
> (In reply to Eugene A. Pivnev from comment #59)
> > Seems hardcoded selinux dependency not resolved.
> > What about moving selinux things into -selinux subpackage?
> 
> Replied here: https://bugzilla.redhat.com/show_bug.cgi?id=1834731#c9

Nevermind, saw a note in the package guidelines, will separate it from the main package.

Comment 66 Mattia Verga 2021-03-08 17:51:04 UTC
*** Bug 1020292 has been marked as a duplicate of this bug. ***

Comment 67 Simone Caronni 2021-03-10 10:24:19 UTC
Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.21.0-3.fc32.src.rpm

* Wed Mar 10 2021 Simone Caronni <negativo17@gmail.com> - 0.21.0-3
- Remove requirements for utils subpackage in server subpackage.
- Separate SELinux package in its own subpackage and use RPM rich booleans on
  Fedora and RHEL/CentOS 8+ to install the SELinux package if the base policy is
  installed.
- Update server README.

Comment 68 Simone Caronni 2021-03-10 10:33:29 UTC
Separate SELinux policy package here: https://bugzilla.redhat.com/show_bug.cgi?id=1937302

Comment 69 Simone Caronni 2021-03-10 17:44:43 UTC
Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.21.0-4.fc33.src.rpm

* Wed Mar 10 2021 Simone Caronni <negativo17@gmail.com> - 0.21.0-4
- Fix build on RHEL/CentOS 8.
- Adjust SELinux requirement for server subpackage.

Comment 70 Warren Togami 2021-04-08 18:46:30 UTC
I looked into packaging Guix for Fedora. It would be possible but difficult. For now I give up on the reproducible build goal as that is a problem that needs to be solved for the entire Fedora build system.

These are my remaining recommendations to align best with upstream's intent.

* Fedora's package should be named "bitcoincore". It should conflict with "bitcoin". This would allow a popular feature-fork "bitcoinknots" would have the same binary and configuration files and would thus conflict with these other names.
* Ask FESCO to disallow any package named "bitcoin". There are multiple reasons for this including unexpected upgrade conflicts with ways it was previously packaged. It is also convenient for distributors to entirely sidestep political fights over what has the right to be called "bitcoin".
* Less important: Another upstream concern is the risk of old bitcoin binaries in the wild when Fedora goes EOL. The simplest safeguard is to ship a final RPM update before a Fedora release's EOL that simply removes the binary. We would ask FESCO if they're OK with this.

Thoughts?

FYI: Years ago the linked library dependencies were a terrible risk of causing consensus failure. It was beyond hypothetical risk, it actually happened to unmaintained clones who failed to heed CVE's. That previous risk was mostly mitigated by the removal of openssl. Upstream aims to eventually eliminate the boost dependency which would further reduce risk. In any case the risk is low enough now that it might be OK to ship in downstream distros. Don't mistake this as endorsement. I intend for upstream to distribute a reproducibly built RPM that would Epoch override the Fedora package for those who prefer static libraries exactly as tested by upstream. Upstream opposes automatic upgrades of Bitcoin Core so this would be a way for Fedora users to opt-in to upstream's recommended deployment method. This isn't Fedora's concern but just explaining the line of reasoning here.

Comment 71 Simone Caronni 2021-04-12 08:50:40 UTC
(In reply to Warren Togami from comment #70)
> * Fedora's package should be named "bitcoincore". It should conflict with
> "bitcoin". This would allow a popular feature-fork "bitcoinknots" would have
> the same binary and configuration files and would thus conflict with these
> other names.

Fine, I will make the necessary adjustments.

> * Ask FESCO to disallow any package named "bitcoin". There are multiple
> reasons for this including unexpected upgrade conflicts with ways it was
> previously packaged. It is also convenient for distributors to entirely
> sidestep political fights over what has the right to be called "bitcoin".

Fine for me as well.

> * Less important: Another upstream concern is the risk of old bitcoin
> binaries in the wild when Fedora goes EOL. The simplest safeguard is to ship
> a final RPM update before a Fedora release's EOL that simply removes the
> binary. We would ask FESCO if they're OK with this.

I think this solves nothing (someone could still avoid installing the updates, fetching an old package or we could just miss a release retirement because of a person being on holiday, etc. Same applies for manually installed binaries, there is no way to enforce that. If you want it I'm fine with that, but again I think it's completely useless.

> FYI: Years ago the linked library dependencies were a terrible risk of
> causing consensus failure. It was beyond hypothetical risk, it actually
> happened to unmaintained clones who failed to heed CVE's. That previous risk
> was mostly mitigated by the removal of openssl. Upstream aims to eventually
> eliminate the boost dependency which would further reduce risk. In any case
> the risk is low enough now that it might be OK to ship in downstream
> distros.

I'm fine with this as well and will try to keep it in sync as possible with these dependencies slated for removal.

> Don't mistake this as endorsement. I intend for upstream to
> distribute a reproducibly built RPM that would Epoch override the Fedora
> package for those who prefer static libraries exactly as tested by upstream.
> Upstream opposes automatic upgrades of Bitcoin Core so this would be a way
> for Fedora users to opt-in to upstream's recommended deployment method. This
> isn't Fedora's concern but just explaining the line of reasoning here.

I'm willing to keep it updated / in sync with upstream for the time being, so we can ensure a smooth upgrade path for whoever wants to use official binaries. Count me in if you think I should contribute to the upstream's SPEC file and SELinux policies. I'm fine also in integrating Guix as conditionals in the SPEC file to allow building from the same SPEC file (e.g. hosted upstream, non-guix build in fedora, higher epoch and guix build upstream).

Are you ok with these points?

Comment 72 Eugene A. Pivnev 2021-04-30 18:47:26 UTC
Current package (0.21.0-4) _requires_ selinux subpackage.
So - no way to install bitcoin server without selnux.
What about 'Recommends' or 'Suggests'?

Comment 73 Simone Caronni 2021-05-03 11:08:17 UTC
(In reply to Eugene A. Pivnev from comment #72)
> Current package (0.21.0-4) _requires_ selinux subpackage.
> So - no way to install bitcoin server without selnux.
> What about 'Recommends' or 'Suggests'?

Well it's requiring it only if the selinux-policy-targeted package is installed, otherwise not even suggesting it. I was using this guide which is still in draft: https://fedoraproject.org/wiki/PackagingDrafts/SELinux_Independent_Policy#Adding_dependency_to_the_spec_file_of_corresponding_package

Do we have something a bit more up to date or official than this?


Note You need to log in before you can comment on or make changes to this bug.