[Pkg-bitcoin-devel] Bug#718272: upstream does not support stable releases (block migration to testing)

Scott Howard showard at debian.org
Mon Jul 29 14:51:34 UTC 2013


Source: bitcoin
Severity: serious

The bitcoin network requires strict adherence to consensus between nodes.
Small changes to underlying libraries, even justified security changes,
threaten to break consensus and could possibly cause accidental forks.

For example, it is possible for a bug fix in libleveldb to cause a fork in the
network if existing nodes expect buggy behaviour.

Therefore, bitcoin upstream developers have strongly encouraged downstream
packagers to use the exact version of libleveldb included with their source
code.  However, upstream does not backport or support previously released
versions of bitcoind/bitcoin-qt.

For example: if we release Debian Jessie with version 0.8 of bitcoin, and a
security bug is found in that version and fixed upstream, the fix may be based
on top of version 0.10 and unable to be ported to 0.8. Upstream will, in that
case, release version 0.10 and not backport the fix to 0.8. This is especially
tricky now that Debian is using the bitcoin packaged version of leveldb.

Because of the sensitivity of this situation (lots of money can be lost), I
believe we should block migration to testing until either upstream supports
stable releases or we have a volunteer that works closely enough with upstream
code (an upstream developer) who is willing to backport security and network-
related fixes.


There has been some work on multibit and electrum packages in Debian; these may
be better choices for wallets. If we keep bitcoin in unstable, we'll be able to
update as needed and users will understand that these packages are not stable
and will need to be updated often.



-- System Information:
Debian Release: wheezy/sid
  APT prefers raring-updates
  APT policy: (500, 'raring-updates'), (500, 'raring-security'), (500, 'raring-proposed'), (500, 'raring'), (100, 'raring-backports')
Architecture: i386 (i686)

Kernel: Linux 3.8.0-27-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


