[Bug 1481033] Re: Please remove electrum from the archive
Mathew Hodson
mathew.hodson at gmail.com
Tue Nov 10 07:20:43 UTC 2015
** Information type changed from Public to Public Security
** Tags added: patch trusty vivid
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to a duplicate bug report (1499094).
https://bugs.launchpad.net/bugs/1481033
Title:
Please remove electrum from the archive
Status in electrum package in Ubuntu:
Fix Released
Status in electrum source package in Trusty:
Triaged
Bug description:
This is a request for BLACKLISTING and REMOVAL of the Electrum Bitcoin
Wallet program from the repositories.
This request comes with the following considerations:
(1) The Electrum Wallet upstream latest release is 2.4. The version in all our repositories are at least one year old.
(2) Debian has identified issues with the 2.0+ code which prevents updating, including but not limited to (please refer to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792231#22) :
(a) tlslite dependency for the package and code was removed
(b) 2.0+ code has poor handling of certificate verification, including not verifying the use purpose of a certificate, meaning there is an MITM vector when it reaches out to Electrum servers.
(3) There were multiple additional changes in 2.0+ which can break reverse compatibility, including:
(a) A bitcoin blockchain soft-fork on July 4th, 2015, which only the newer Electrum versions know about.
(b) There are significant client-to-server communication improvements, security, and bug fixes, which only exist in the 2.0+ code.
(c) Wallet seed codes from newer versions cannot work with the older versions that exist.
After a discussion in #ubuntu-motu with Iain Lane, he suggested poking
the security team. After further discussion in #ubuntu-hardened with
Steve Beattie, and Seth Arnold, briefly, upon which I said it was my
belief it should be removed from Wily and a sync blacklist imposed, it
was said by Steve Beattie that it seems a sensible course of action to
remove Electrum from Wily and impose a sync blacklist.
There are no reverse dependencies, nor reverse build dependencies that
I could identify.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/electrum/+bug/1481033/+subscriptions
More information about the Ubuntu-sponsors
mailing list