IRC meeting summary for 2017-03-09
- 0.14.0 release
- Alert key disclosure timeline
- Next releases
Bitcoin Core 0.14.0 was released the day before the meeting. Cheers and congratulations for a successful release were shared.
Alert key disclosure timeline
The Bitcoin alert system introduced in Bitcoin 0.3.11 has been phased out over the last several Bitcoin Core releases. For more information, please see the public information statement.
In an earlier Bitcoin Core release, the alert system was redesigned to contain a hardcoded “final” alert that could be triggered in case the private key for the alert system was compromised. As part of the Bitcoin Core 0.14.0 release process, this final alert was triggered—which should have paved the path for the scheduled public release of the alert key.
Gregory Maxwell started, “There are DOS vulnerabilities in older versions that the final alert does not block. :( All versions. They’re worse in older ones. (Obviously [only] versions with alerts enabled). No RCE [Remote Code Execution], just OOM [Out Of Memory].”
According to Luke Dashjr, 2,606 nodes (4.54%) run a version of Bitcoin Core below 0.12.1. It’s those versions that Maxwell identified as being vulnerable to problems related to abuse of the alerts key.
Rough agreement seemed to be reached that a Common Vulnerabilities and Exposures (CVE) disclosure would be made for the denial-of-service vulnerabilities Maxwell found to further remind users of older versions of Bitcoin Core that they need to upgrade. After the CVE is distributed and the situation re-evaluated, a determination could be made on whether to disclose the alert key then.
Next releases (0.14.1 and 0.15)
With 0.14.0 released, developers have begun tagging issues and Pull Requests (PRs) for backporting to a 0.14.1 minor release. In addition, the 0.15 release schedule has been proposed.
Matt Corallo suggests #9959 and #9955 for 0.14.1 minor release. Nobody argued with Alex Morcos who suggested, “we should tag those for 0.14 or backport or whatever we say, but not cause for expedited minor release”. This means that developers will probably wait for several other bug fixes or especially useful backports to become available before producing a 0.14.1 release, keeping the schedule free to work on longer-term improvements for 0.15 and beyond.
Wladimir van der Laan proposed the 0.15 release schedule in #9961. As of this writing, the schedule is:
2017-07-02 ----------- - Open Transifex translations for 0.15 - Soft translation string freeze (no large or unnecessary string changes until release) - Finalize and close translations for 0.13 2017-07-16 ----------- - Feature freeze (bug fixes only until release) - Translation string freeze (no more source language changes until release) 2017-08-06 ----------- - Split off `0.15` branch from `master` - Start RC cycle, tag and release `0.15.0rc1` - Start merging for 0.16 on master branch 2017-09-01 ----------- - Release 0.15.0 final (aim)
No one objected to the proposed schedule in the meeting. Issues and PRs will continue to be tagged for backporting as 0.14.1.
|wumpus||Wladimir van der Laan|
This summary was compiled without input from any of the participants in the discussion, so any errors are the fault of the summary author and not the discussion participants.