[Pkg-bitcoin-devel] Bug#792231: This needs examined as soon as possible
Tristan Seligmann
mithrandi at mithrandi.net
Mon Aug 3 14:41:23 UTC 2015

Unfortunately there are some significant challenges with 2.0+. The primary
issue is the dependency on tlslite, which was removed from Debian
previously due to being insecure and unmaintained. In addition, quite a bit
of the certificate handling code does things incorrectly (see e.g. the
certificate chain verification code[1] that does not check the certificate
purpose, allowing anyone with a valid cert to sign a fraudulent cert as if
they were a CA).

I would very much welcome help with these issues, but be warned there is
most likely a fair amount of work involved in either rewriting the
cert-handling code to use another library (probably
python-openssl/python-cryptography), or resurrecting and maintaining the
tlslite package.

[1] https://github.com/spesmilo/electrum/blob/master/lib/paymentrequest.py#L119

On Mon, 3 Aug 2015 at 15:51 Thomas Ward <teward at dark-net.net> wrote:
> 1.9.8 is a year old. In addition, 2.4 is the current version.
>
> Failing to update breaks recovery of wallets from newer versions, and
> there are quite a lot of improvements in 2.4 over 1.9.8 that should be
> reviewed and included.
>
>
>
> Thomas
>
>
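
The certificate-purpose check that the message above says is missing, as an added example that is not part of the original mail and is not Electrum's code: a chain walk that verifies signatures only, next to one that also requires every issuer to be a CA. It assumes the python-cryptography package, ECDSA keys, and a leaf-first chain ending in an already-trusted root; all certificate names are constructed.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def may_act_as_ca(cert):
    # Issuer needs basicConstraints CA:TRUE and, if keyUsage is present, keyCertSign.
    try:
        if not cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False
        return cert.extensions.get_extension_for_class(x509.KeyUsage).value.key_cert_sign
    except x509.ExtensionNotFound as missing:
        return missing.oid == x509.KeyUsage.oid  # only keyUsage may be absent

def check_chain(chain, check_purpose=True):
    # Leaf-first chain; validity dates, pathLen and revocation are out of scope here.
    for child, issuer in zip(chain, chain[1:]):
        if child.issuer != issuer.subject:
            return False
        if check_purpose and not may_act_as_ca(issuer):
            return False
        try:
            issuer.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except InvalidSignature:
            return False
    return True

def make_cert(cn, key, issuer_cn, issuer_key, ca):
    # Constructed test certificate; all names used below are hypothetical.
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(datetime.datetime(2015, 1, 1))
            .not_valid_after(datetime.datetime(2035, 1, 1))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def demo():
    root_k, mid_k, leaf_k = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Constructed Root", root_k, "Constructed Root", root_k, True)
    ee = make_cert("ordinary.example", mid_k, "Constructed Root", root_k, False)
    forged = make_cert("merchant.example", leaf_k, "ordinary.example", mid_k, False)
    sub_ca = make_cert("Constructed Sub CA", mid_k, "Constructed Root", root_k, True)
    legit = make_cert("merchant.example", leaf_k, "Constructed Sub CA", mid_k, False)
    return (check_chain([forged, ee, root], check_purpose=False),
            check_chain([forged, ee, root]), check_chain([legit, sub_ca, root]))
```

`demo()` returns the result for the signature-only walk on the chain issued by an end-entity certificate, then the same chain with the purpose check, then a chain through a real sub-CA.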