19:00:12 <laanwj> #startmeeting
19:00:12 <core-meetingbot> Meeting started Thu Jan 6 19:00:12 2022 UTC. The chair is laanwj. Information about MeetBot at https://bitcoin.jonasschnelli.ch/ircmeetings.
19:00:12 <core-meetingbot> Available commands: action commands idea info link nick
19:00:24 <laanwj> #bitcoin-core-dev Meeting: achow101 _aj_ amiti ariard BlueMatt cfields Chris_Stewart_5 darosior digi_james dongcarl elichai2 emilengler fanquake fjahr gleb glozow gmaxwell gwillen hebasto instagibbs jamesob jarolrod jb55 jeremyrubin jl2012 jnewbery jonasschnelli jonatack jtimon kallewoof kanzure kvaciral laanwj larryruane lightlike luke-jr maaku marcofalke meshcollider michagogo moneyball
19:00:26 <laanwj> morcos nehan NicolasDorier paveljanik petertodd phantomcircuit promag provoostenator ryanofsky sdaftuar sipa vasild
19:00:46 <kvaciral[m]> hi
19:00:49 <laanwj> welcome to the first IRC meeting of 2022
19:00:50 <jb55> hi
19:00:50 <larryruane> Hi
19:00:53 <b10c__> hi
19:00:54 <sipa> hi
19:00:56 <lightlike> hi
19:01:10 <achow101> hi
19:01:21 <ariard> hi
19:01:41 <laanwj> there is one proposed meeting topic: Add security.md in /doc (prayank)
19:01:53 <laanwj> any last minute ones?
19:02:40 <brunoerg> hi
19:02:45 <michaelfolkson> hi
19:03:07 <jamesob> hi
19:03:10 <laanwj> #topic High priority for review
19:03:10 <core-meetingbot> topic: High priority for review
19:03:36 <laanwj> there are 8 blockers, 1 chasing concept ACK in https://github.com/bitcoin/bitcoin/projects/8 at the moment
19:03:44 <laanwj> anything to add/remove or that is (almost) ready for merge?
19:05:33 <Guest94> hallo boss
19:06:41 <Guest94> hallo
19:06:46 <Guest94> hallo
19:06:55 <sipa> Guest94: you're in the middle of a meeting
19:06:58 <laanwj> apparently not, let's move on to the next topic then
19:07:13 <laanwj> #topic Add security.md in /doc (prayank)
19:07:13 <core-meetingbot> topic: Add security.md in /doc (prayank)
19:07:27 <prayank> hi
19:08:08 <prayank> There are 3 reasons for suggesting this topic
19:08:13 <prayank> 1. Other sources of information are wiki, stackexchange, reddit, twitter etc. with their own problems
19:08:24 <prayank> 2. There are lot of things related to security which are not documented anywhere
19:08:36 <prayank> 3. Even if the pull request ends never being merged, it would help in knowing the issues that should be documented (if not here elsewhere)
19:10:20 <b10c__> what would you put into security.md?
19:11:15 <prayank> Security recommendations, known issues, footguns and other things that affect security for p2p, rpc, wallet etc. when using Bitcoin Core. Can also add unfixed vulnerabilities like https://medium.com/@lukedashjr/cve-2018-20587-advisory-and-full-disclosure-a3105551e78b
19:11:26 <michaelfolkson> Note there is already https://github.com/bitcoin/bitcoin/blob/master/SECURITY.md but sounds like prayank wants a lot more guidance/content than what is in that
19:11:47 <michaelfolkson> That's just instructions for reporting a vulnerability
19:13:37 <b10c__> e.g. the content of the REST interface "Risks" section? https://github.com/bitcoin/bitcoin/blob/master/doc/REST-interface.md#risks
19:14:07 <b10c__> i'm trying to understand what your goal is and if there's need for a security.md
19:14:26 <prayank> even json-rpc doc has 1-2 things about security but bitcoin core has more than just these few things about rpc and rest
19:14:48 <jeremyrubin> what is the benefit of having it go through core review v.s. external repo/site?
19:15:28 <prayank> goal: already shared in reasons, get some documentation about security that users can rely on need: there is no such doc already so a project like bitcoin core needs one
19:15:44 <sipa> i don't think it's a bad idea to have a guide "how to run bitcoin core securely" somewhere in our documentation, but it's a wide topic that could encompass lots of things
19:16:08 <jonatack> hi
19:16:10 <prayank> jeremyrubin: people can write anything on external repo/site
19:17:05 <prayank> siap: agree
19:17:14 <prayank> sorry *sipa
19:17:28 <Guest94> sorry
19:17:33 <jamesob> seems like that might be a good candidate for https://github.com/bitcoin-core/bitcoincore.org? or https://github.com/bitcoin-core/bitcoin-devwiki?
19:17:50 <achow101> is there an example from other projects that we could look at just to get an idea of what you mean?
19:18:01 <prayank> jamesob: maybe
19:18:25 <jeremyrubin> one thing that could be nice could be some RPCs / GUI dialogs that explain to users what their setups are and any security issues from it. I'm all for a security guide + some features for helping people ensure their node is OK. E.g., an RPC which prints out all auth credentials allowed and their recency of use.
19:19:40 <prayank> achow101: sure I will try to find few relevant docs and share later maybe in an issue or here
19:19:59 <jeremyrubin> prayank: maybe you can publish an initial draft of the document you have in mind and then we can figure out where it goes? I wouldn't mind contributing some info to it as well.
19:20:03 <jonatack> prayank: it might be easiest to open a small pull with a limited scope to begin with. and if it is merged, possibly expand or extend gradually over time with successive pulls.
19:20:13 <jeremyrubin> jonatack: +1
19:20:44 <prayank> jeremyrubin: jonatack: agree. will do
19:20:46 <ariard> achow101: e.g see lnd https://github.com/lightningnetwork/lnd/blob/master/docs/safety.md
19:20:57 <michaelfolkson> prayank: Is this the luke-jr doc you meant to link to? https://medium.com/@lukedashjr/how-to-securely-install-bitcoin-9bfeca7d3b2a
19:21:46 <michaelfolkson> I guess the one you linked to does have some user guidance in it though it is focused on disclosure of a CVE
19:21:50 <prayank> michaelfolkson: this can be helpful but the link I shared is one low severity issue not fixed which may affect security so it was an example
19:22:22 <Guest94> air drop bitcon core boss link shere plis
19:22:35 <Guest94> tank you
19:23:22 <michaelfolkson> As long as things that are argued over/disputed are stripped out seems like a good idea to me too
19:23:54 <Guest94> selling tanbang bitcoin using nonor lcbel first nanbang bitcon on coinbase. what's the solution, through what boss, darn ginal's account can't login to the mining machine's password. please give the solution bossselling tanbang bitcoin using nonor lcbel first nanbang bitcon on coinbase. what's the solution, through what boss, darn ginal's account
19:23:54 <Guest94> can't login to the mining machine's password. please give the solution boss
19:24:03 <michaelfolkson> Can someone boot Guest94
19:24:12 <Guest94> im sorry plis shering
19:25:53 <laanwj> any other topics?
19:26:49 <laanwj> #endmeeting