21 sats \ 0 replies \ @theariard OP 5 Nov \ parent \ on: Rusty Russell is Cheap To Buy bitcoin
“Who watches the watchmen?”
I don’t deny that ossification has its advantages, as somehow for the hobbyist bitcoiner fewer software changes give more time to read, test and understand them. Somehow, the point of my article is drawing attention to FOSS domain experts who are in a principal-agent situation, who have turned “paid professional” and then have to justify the financial resources dedicated to paying their salaries, with some incentive misalignment with the end-users. When you start to be paid for doing FOSS software, objectively this becomes a bit less free. And then they can obviously be enticed to make the whole FOSS development pipeline closed-door to protect their jobs from new FOSS contributors, or even just to surf on the project inertia and make their daily job less demanding.
“The price of liberty is eternal vigilance”. Thomas Jefferson, or someone of the same standing.
More seriously, I don’t think BOLT12 was an attack on Lightning for someone who has seen the development. More yet another payment protocol among the half dozen payment protocols we already have. Maybe a bit better, but quite complex...
They do. It’s not like they’re asking for public money on their website from plebs like you and me, anon.
@petertodd a comedy show in the US once and the Canadian comedian on stage was making a lot of fun in the room by saying a lot of "cliches" about Canadians :) Don't take it as it is, I swear it's a joke.
More seriously, if there are intel agencies out in the wild deliberately trying to influence the bitcoin protocol development process, they could set up a more or less fake non-profit organization, with that organization having a special tax status to receive donations from whatever industry donors. It could then be quite easy to have the board helicoptering money more or less randomly on bitcoin open-source contributors, and this being a vector of attack. All very in the hypothetical line of thought...
After all, all major money is fiat today, at least since the 90s, and there are no more constitutional limits strictly guaranteeing the independence of the Bundesbank w.r.t. its monetary policy. So bitcoin protocol development could be disrupted tomorrow with massive chunks of fiat money thrown at developers.
I don't really think an organization like OpenSats is sincerely to be questioned in that regard. People on the board have a real track record in the bitcoin industry, and they are quite public about where the majority of their funds is coming from. Have they lived up to their original promise to be as much pass-through as they can when OpenSats was initially announced in 2020? I don't know; it sounds like they have a lot of people getting financial compensation in operations, and there is no public report on the remunerations of the operations team. Beyond that, it would be great for them to start to motivate their grant refusals with sound technical arguments.
In matters of open-source funding transparency, I think there is a good example with NLnet Labs in the Netherlands, which is a non-profit maintaining multiple pieces of open-source software related to the Internet stack. Their software support policy explicitly announces the following:
"Dutch tax regulations allow us to have reserves that guarantee two years of continued operations in case all industry funding would disappear. Thus, in the unlikely event that NLnet Labs can no longer commit to maintaining our software projects, we will announce this at least two years in advance."
Personally, I think it's a good policy example to minimize the risks of grant inflation and of promises towards serious and legit open-source contributors' expectations not being fulfilled, whatever the underlying reasons are. At the start of the COVID pandemic in 2020, when I was still full-time at Chaincode, I've seen 2 serious open-source contributors suddenly being defunded by their industry backers due to the sudden changes no one expected in the economic conjuncture.
About scaling Nostr, I think there is an old technical comment of yours about some Nostr architectural choices during the mempoolfullrbf that I've never replied to here. I think it's the only email or comment of yours on the Internet I've never replied to (if my memory is correct?), though I'll put my thoughts on Nostr scalability on stacker news in the coming future.
200 sats \ 1 reply \ @theariard 9 Sep \ parent \ on: Mercury Layer Vulnerability Disclosures Report bitcoin
@conduition Thanks for the clarification.
Look, one piece of advice for a vulnerability report is to be quite clear in giving a disclosure timeline ahead (and it's fair to update it in flight if there are mitigations developed and deployed). If the report is done outside of a bug bounty program with no rules of engagement, picking a timeline is really on your shoulders. In the situation of very low funds exposed, as apparently is the case here, giving 2 weeks of warning would have been a very good courtesy. My IMHO only.
Client software could ask the testnet server to sign a mainnet tx, and since the server is blind, it wouldn't know the difference, but the Mercury CTO seems confident that no one is doing this yet:
Sure, if you’re a vendor and there are plausible vulnerabilities affecting your software, it can be very pragmatic to downsize the funds exposed. Giving time to people to deploy the fixes.
I don’t wish to sound too harsh on conduition here, I believe it’s great to have more folks doing vulnerability hunting in the ecosystem. On the other hand, in infosec the rule of thumb is often to give 90 days to vendors. Unless there are clear hints that vendors do not wish to implement mitigations (or mitigations cannot be deployed easily).
I know 90 days can be a lot, so even if you think circumstances are worthy of less, in my opinion nothing displayed in the disclosure report warrants giving only 4 days to the vendors.
As of today, it’s indeed quite easy to go and burak a bitcoin L2. But I don’t think it is the culture we wish to nurture in the long term in the ecosystem, if we wish to seriously take care of end-users' financial wealth (or privacy). Failing to do so, that’s only going slowly towards the path where vulnerabilities are weaponized for other purposes...
From a quick read of Mercury server code, there is support for mainnet: https://github.com/commerceblock/mercurylayer/blob/dev/server/src/server_config.rs#L98
From the protocol documentation (https://github.com/commerceblock/mercurylayer/blob/dev/docs/protocol.md#initialisation) the coin pubkey is a key-path spend to P (P1 = O1 + S1). If the statecoin is spent via the happy path, there shall be no mark in the blockchain logs. So how can you be sure there is no mainnet traffic?
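The point above is that P1 = O1 + S1 is plain secp256k1 point addition, so an on-chain observer sees one ordinary key and cannot tell a two-party statecoin from a single-key output. The following is an added example (not code from the original post or from the Mercury Layer project) with constructed private scalars standing in for the owner and server shares:

```python
# Added example: P1 = O1 + S1 on secp256k1 with constructed sample shares.
# secp256k1 parameters (y^2 = x^3 + 7 over F_p), order N, generator G.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None  # a == -b
    if a == b:
        lam = (3 * a[0] * a[0]) * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def scalar_mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def statecoin_key(o1, s1):
    """P1 = O1 + S1 with O1 = o1*G (owner share) and S1 = s1*G (server share)."""
    return point_add(scalar_mul(o1, G), scalar_mul(s1, G))


# Constructed sample scalars (hypothetical, not real Mercury key material).
OWNER_SHARE = 0x1F3A5C7E9B0D2F4A6C8E0B1D3F5A7C9E1B3D5F7A9C0E2B4D6F8A1C3E5B7D9F0
SERVER_SHARE = 0x0A9B8C7D6E5F4A3B2C1D0E9F8A7B6C5D4E3F2A1B0C9D8E7F6A5B4C3D2E1F0A9


def indistinguishable():
    """The aggregated key equals the key of the single scalar (o1+s1) mod N:
    the chain shows one ordinary point, with no trace of two cooperating parties."""
    p1 = statecoin_key(OWNER_SHARE, SERVER_SHARE)
    single = scalar_mul((OWNER_SHARE + SERVER_SHARE) % N, G)
    return p1 == single
```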
@conduition sorry, you left 4 days between the initial report to vendors and full disclosure???
like did the Mercury vendors physically threaten you or commit any other ethically dubious behavior before you acted so???
31 sats \ 0 replies \ @theariard 6 Aug \ parent \ on: full-RBF by default in Bitcoin Core v28 bitcoin
Champagne Peter.
From my understanding, there has been a leak of Atlanta attendees' private information without their awareness, and some part of this information is now included as part of the FBI investigation and some part has been made public. Saying that, I agree it’s still very confusing what did effectively happen.
I reached out to folks like Luke who has for sure been in touch with the FBI agent / unit to get more information. When I get an answer, I’ll certainly communicate what my understanding is. Some articles sound like they misquote.
Some people have many social ids for reasons.
Like one social network account for work, another one for your hobbies.
Yeah it’s good to have more press information. Luke is a Florida resident, and we end up with some Georgia, Atlanta conference attendees doxxed. It’s just not cool.