[Bug 1481033] [NEW] Please remove electrum from the archive
Thomas Ward
teward at trekweb.org
Mon Aug 3 17:57:46 UTC 2015
Public bug reported:
This is a request for BLACKLISTING and REMOVAL of the Electrum Bitcoin
Wallet program from the repositories.
This request comes with the following considerations:
(1) The Electrum Wallet upstream latest release is 2.4. The version in all our repositories is at least one year old.
(2) Debian has identified issues with the 2.0+ code which prevent updating, including but not limited to (please refer to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792231#22):
(a) tlslite dependency for the package and code was removed
(b) 2.0+ code has poor handling of certificate verification, including not verifying the use purpose of a certificate, meaning there is an MITM vector when it reaches out to Electrum servers.
(3) There were multiple additional changes in 2.0+ which can break reverse compatibility, including:
(a) A bitcoin blockchain soft-fork on July 4th, 2015, which only the newer Electrum versions know about.
(b) There are significant client-to-server communication improvements, security, and bug fixes, which only exist in the 2.0+ code.
(c) Wallet seed codes from newer versions cannot work with the older versions that exist.
After a discussion in #ubuntu-motu with Iain Lane, he suggested poking
the security team. After a further, brief discussion in #ubuntu-hardened
with Steve Beattie and Seth Arnold, in which I said it was my belief that
it should be removed from Wily and a sync blacklist imposed, Steve Beattie
said that it seems a sensible course of action to remove Electrum from
Wily and impose a sync blacklist.
There are no reverse dependencies, nor reverse build dependencies that I
could identify.
** Affects: electrum (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Package Archive Administrators, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1481033