One problem the Bitcoin Core Team spent energy solving for is:
  • how does one trust that they're running the bitcoin-core binary that corresponds to the source code at a specific release version and not its evil twin?
  • how does one verify if this is the same code they think everyone else is running?
  • how does one verify what people think the code and binary should be for a given release?
  • what identity anchors are used to establish trust in the bitcoin-core dev community for contributors and core dev individuals?
A bunch of volunteers and Bitcoin Core contributors submit their own attestations to the Bitcoin Core repository. These attestations are tied to a specific commit and thus you can check that at least these attestations agree on the version they commit to. If you want to be thorough, you can set up your own Guix build and check that you arrive at the same binary yourself. This commit should correspond to the release tag signed by one of the maintainers. The PGP keys of the attesters are also held in the repository. You should import their keys and check that other keys you have encountered before certify the attester’s keys.
So, you can either trust the “social proof” of a ton of people staring at the Bitcoin Core repository, hoping that someone would raise alarm bells if attestations disagree or do not match the release commit, or you could use a web-of-trust per the PGP keys to assign a higher trust to some attestations.
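The comparison step described in the answer above, as an added example that is not part of the original post and not Bitcoin Core's own tooling: several attesters each publish a `sha256sum`-style list of release artefact digests, and the verifier checks (a) that the attesters agree with each other, optionally counting only a web-of-trust subset, and (b) that a downloaded file hashes to the agreed digest. The attester names, the `bitcoin-X.Y.Z-*` filenames and the file contents are constructed placeholders; the PGP signature check over each attester's list is assumed to have been done beforehand and is not modelled here.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string, the same value `sha256sum` prints."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for release artefacts (NOT real Bitcoin Core binaries);
# "X.Y.Z" is a placeholder version, not a real release.
ARTEFACTS = {
    "bitcoin-X.Y.Z-x86_64-linux-gnu.tar.gz": b"constructed linux tarball bytes",
    "bitcoin-X.Y.Z-arm64-apple-darwin.zip": b"constructed macOS zip bytes",
}
# A constructed "evil twin" of the linux tarball with different content.
EVIL_TWIN = b"constructed linux tarball bytes, tampered"


def sha256sums_text(files: dict) -> str:
    """Render {filename: bytes} as `<hex>  <filename>` lines (sha256sum format)."""
    return "\n".join(f"{sha256_hex(data)}  {name}" for name, data in files.items()) + "\n"


# Constructed attestations keyed by (hypothetical) signer. "carol" attests to a
# different digest for the linux tarball, so the attesters do not fully agree.
SAMPLE_ATTESTATIONS = {
    "alice": sha256sums_text(ARTEFACTS),
    "bob": sha256sums_text(ARTEFACTS),
    "carol": sha256sums_text(
        {**ARTEFACTS, "bitcoin-X.Y.Z-x86_64-linux-gnu.tar.gz": EVIL_TWIN}
    ),
}


def parse_sha256sums(text: str) -> dict:
    """Parse `<hex>  <filename>` lines into {filename: hex}; reject malformed lines."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed sha256sum line: {line!r}")
        out[name] = digest.lower()
    return out


def attestation_consensus(attestations: dict, trusted=None, quorum: int = 2):
    """Tally digests per filename across signers.

    `trusted`, if given, is the set of signers whose keys you have certified via
    your PGP web of trust; only their attestations are counted. Returns
    (agreed, disputed): agreed maps filename -> digest when every counted signer
    concurs and at least `quorum` signers attested; disputed maps filename ->
    {signer: digest} for anything that fails either condition.
    """
    parsed = {
        signer: parse_sha256sums(text)
        for signer, text in attestations.items()
        if trusted is None or signer in trusted
    }
    names = set().union(*parsed.values()) if parsed else set()
    agreed, disputed = {}, {}
    for name in sorted(names):
        votes = {s: d[name] for s, d in parsed.items() if name in d}
        digests = set(votes.values())
        if len(digests) == 1 and len(votes) >= quorum:
            agreed[name] = digests.pop()
        else:
            disputed[name] = votes
    return agreed, disputed


def verify_download(name: str, data: bytes, agreed: dict) -> bool:
    """True only if the file has an agreed digest AND the bytes hash to it."""
    expected = agreed.get(name)
    return expected is not None and sha256_hex(data) == expected


if __name__ == "__main__":
    agreed_all, disputed_all = attestation_consensus(SAMPLE_ATTESTATIONS)
    print("disputed with all attesters counted:", sorted(disputed_all))
    agreed_wot, _ = attestation_consensus(SAMPLE_ATTESTATIONS, trusted={"alice", "bob"})
    linux = "bitcoin-X.Y.Z-x86_64-linux-gnu.tar.gz"
    print("genuine tarball verifies:", verify_download(linux, ARTEFACTS[linux], agreed_wot))
    print("evil twin verifies:", verify_download(linux, EVIL_TWIN, agreed_wot))
```

Two design points follow from the post: a file only becomes "agreed" when every counted attester gives the same digest and a quorum of them attested, so a single dissenting attestation blocks the file rather than being outvoted, and the `trusted` filter is where the PGP web of trust enters, since an attester whose key you have not certified should not be able to contribute to, or veto, consensus.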
Thanks for the link towards the PGP keys of the attesters. The link included in the Linux verification instructions on the Bitcoin Core website is erroneous.
You may also find the Release Process documentation interesting: https://github.com/bitcoin/bitcoin/blob/master/doc/release-process.md#building