IRC meeting summary for 2017-03-09

• Link to this week logs
• Meeting minutes by meetbot

Main topics

• 0.14.0 release
• Alert key disclosure timeline
• Next releases

0.14.0 release

Bitcoin Core 0.14.0 was released the day before the meeting. Cheers and congratulations for a successful release were shared.

Alert key disclosure timeline

Background

The Bitcoin alert system introduced in Bitcoin 0.3.11 has been phased out over the last several Bitcoin Core releases. For more information, please see the public information statement.

In an earlier Bitcoin Core release, the alert system was redesigned to contain a hardcoded “final” alert that could be triggered in case the private key for the alert system was compromised. As part of the Bitcoin Core 0.14.0 release process, this final alert was triggered—which should have paved the path for the scheduled public release of the alert key.

Comments

Gregory Maxwell started, “There are DOS vulnerabilities in older versions that the final alert does not block. :( All versions. They’re worse in older ones. (Obviously [only] versions with alerts enabled). No RCE [Remote Code Execution], just OOM [Out Of Memory].”

According to Luke Dashjr, 2,606 nodes (4.54%) run a version of Bitcoin Core below 0.12.1. It’s those versions that Maxwell identified as being vulnerable to problems related to abuse of the alerts key.

Conclusion

Rough agreement seemed to be reached that a Common Vulnerabilities and Exposures (CVE) disclosure would be made for the denial-of-service vulnerabilities Maxwell found to further remind users of older versions of Bitcoin Core that they need to upgrade. After the CVE is distributed and the situation re-evaluated, a determination could be made on whether to disclose the alert key then.

Next releases (0.14.1 and 0.15)

Background

With 0.14.0 released, developers have begun tagging issues and Pull Requests (PRs) for backporting to a 0.14.1 minor release. In addition, the 0.15 release schedule has been proposed.

Comments

Matt Corallo suggests #9959 and #9955 for 0.14.1 minor release. Nobody argued with Alex Morcos who suggested, “we should tag those for 0.14 or backport or whatever we say, but not cause for expedited minor release”. This means that developers will probably wait for several other bug fixes or especially useful backports to become available before producing a 0.14.1 release, keeping the schedule free to work on longer-term improvements for 0.15 and beyond.

Wladimir van der Laan proposed the 0.15 release schedule in #9961. As of this writing, the schedule is:

2017-07-02
-----------
- Open Transifex translations for 0.15
- Soft translation string freeze (no large or unnecessary string changes until release)
- Finalize and close translations for 0.13

2017-07-16
-----------
- Feature freeze (bug fixes only until release)
- Translation string freeze (no more source language changes until release)

2017-08-06
-----------
- Split off `0.15` branch from `master`
- Start RC cycle, tag and release `0.15.0rc1`
- Start merging for 0.16 on master branch

2017-09-01
-----------
- Release 0.15.0 final (aim)

Conclusion

No one objected to the proposed schedule in the meeting. Issues and PRs will continue to be tagged for backporting as 0.14.1.

Comic relief

<gmaxwell> There are also funds paid to the alert key in the network, I believe
           0.01 BTC or so. :P

<wumpus> surprised no one ever swiped that

Participants

Disclaimer

This summary was compiled without input from any of the participants in the discussion, so any errors are the fault of the summary author and not the discussion participants.