[Bug 1481033] Re: Please remove electrum from the archive

Mathew Hodson mathew.hodson at gmail.com
Tue Nov 10 07:20:43 UTC 2015


** Information type changed from Public to Public Security

** Tags added: patch trusty vivid

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to a duplicate bug report (1499094).
https://bugs.launchpad.net/bugs/1481033

Title:
  Please remove electrum from the archive

Status in electrum package in Ubuntu:
  Fix Released
Status in electrum source package in Trusty:
  Triaged

Bug description:
  This is a request for BLACKLISTING and REMOVAL of the Electrum Bitcoin
  Wallet program from the repositories.

  This request comes with the following considerations:
  (1) The Electrum Wallet upstream latest release is 2.4.  The versions in all our repositories are at least one year old.

  (2) Debian has identified issues with the 2.0+ code which prevent updating, including but not limited to (please refer to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792231#22):
      (a) tlslite dependency for the package and code was removed
      (b) 2.0+ code has poor handling of certificate verification, including not verifying the use purpose of a certificate, meaning there is an MITM vector when it reaches out to Electrum servers.

  (3) There were multiple additional changes in 2.0+ which can break reverse compatibility, including:
      (a) A bitcoin blockchain soft-fork on July 4th, 2015, which only the newer Electrum versions know about.
      (b) There are significant client-to-server communication improvements, security, and bug fixes, which only exist in the 2.0+ code.
      (c) Wallet seed codes from newer versions cannot work with the older versions that exist.

  After a discussion in #ubuntu-motu with Iain Lane, he suggested poking
  the security team.  After a further, brief discussion in #ubuntu-hardened
  with Steve Beattie and Seth Arnold, in which I said it was my belief it
  should be removed from Wily and a sync blacklist imposed, Steve Beattie
  said that removing Electrum from Wily and imposing a sync blacklist seems
  a sensible course of action.

  There are no reverse dependencies or reverse build dependencies that
  I could identify.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/electrum/+bug/1481033/+subscriptions
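The certificate-purpose point in item (2)(b) of the report is easy to misread as a detail, so here is an added illustration of what "not verifying the use purpose of a certificate" means in practice. This is example code written for this page; it is not taken from the bug report, from Electrum (which is Python), from Debian's bug 792231, or from Ubuntu. It uses Go's standard-library X.509 implementation purely because it can build and verify a chain offline with no third-party packages. The CA name "Demo Root CA" and the host "electrum.example" are constructed. It issues a leaf certificate whose only extended key usage is clientAuth, signed by a root the client trusts, and asks two questions: does a client that checks the serverAuth purpose accept it as a TLS server certificate, and does a client that skips the purpose check accept it? Any certificate a trusted CA has issued for some other purpose (a client or code-signing cert, say) becomes a usable MITM server certificate against the second kind of client, which is the vector the report describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for subject carrying the given extended key
// usages. With parent == nil it is self-signed (a root); otherwise it is
// signed by parent using parentKey. Names and lifetimes here are constructed
// for the demonstration.
func newCert(subject string, isCA bool, ekus []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	serial.Add(serial, big.NewInt(1)) // RFC 5280 wants a positive serial
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           ekus,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subject} // hostname belongs in the SAN, not the CN
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verify builds and checks the chain the way a TLS client should: the leaf
// must chain to a trusted root, match the host name, and be valid for the
// purpose it is being used for. Passing x509.ExtKeyUsageAny switches the
// purpose check off, which models the purpose-blind behaviour in the report.
func verify(leaf, root *x509.Certificate, host string, purpose x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{purpose},
	})
	return err
}

// Demo builds one trusted root, a leaf restricted to clientAuth, and a proper
// serverAuth leaf for host, and returns three verdicts:
//   strictAccepts: purpose-checking client accepts the clientAuth-only leaf as a server cert
//   laxAccepts:    purpose-blind client accepts the same leaf
//   goodAccepts:   purpose-checking client accepts the serverAuth leaf (control)
func Demo(host string) (strictAccepts, laxAccepts, goodAccepts bool, err error) {
	root, rootKey, err := newCert("Demo Root CA", true, nil, nil, nil)
	if err != nil {
		return false, false, false, err
	}
	wrongPurpose, _, err := newCert(host, false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, root, rootKey)
	if err != nil {
		return false, false, false, err
	}
	rightPurpose, _, err := newCert(host, false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, root, rootKey)
	if err != nil {
		return false, false, false, err
	}
	strictAccepts = verify(wrongPurpose, root, host, x509.ExtKeyUsageServerAuth) == nil
	laxAccepts = verify(wrongPurpose, root, host, x509.ExtKeyUsageAny) == nil
	goodAccepts = verify(rightPurpose, root, host, x509.ExtKeyUsageServerAuth) == nil
	return strictAccepts, laxAccepts, goodAccepts, nil
}

func main() {
	strict, lax, good, err := Demo("electrum.example")
	if err != nil {
		panic(err)
	}
	fmt.Printf("purpose-checking client accepts clientAuth-only leaf: %v\n", strict)
	fmt.Printf("purpose-blind client accepts clientAuth-only leaf:    %v\n", lax)
	fmt.Printf("purpose-checking client accepts serverAuth leaf:      %v\n", good)
}
```

The takeaway for a wallet client is that chain validity and hostname match are necessary but not sufficient: the leaf's extended key usage must include serverAuth (or be absent, which X.509 treats as unrestricted), otherwise any certificate the trusted CA set has ever issued for a different purpose can be presented by a man in the middle.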



More information about the Ubuntu-sponsors mailing list