Ethereum developers are considering changes to public disclosure of critical bugs after the November 11 “accidental hard fork”.
Geth had fixed the bug in early October following a disclosure, but it still existed in older versions of Geth. The bug temporarily caused the 80% of the network running Geth to follow a different chain than the other clients.
Now, developers are reworking the security vulnerability disclosure process in the aftermath of what some developers have called the biggest threat to Ethereum since the 2016 attack on The DAO.
This question comes with baggage. A common ethic in open-source software (OSS) like Ethereum is that vendors are tasked with “promptly informing those affected by vulnerabilities,” Summa founder James Prestwich told CoinDesk. In other words, Geth is responsible for alerting the users who depend on it to possible complications.
However, blockchains, at their core, are financial settlement mechanisms. Traditional methods of disclosing bugs in OSS can lead to undesirable results for other players with money at stake.
In the All Core Developers call on Friday, Ethereum developer Micah Zoltu and Geth team lead Peter Szilágyi both argued against issuing critical vulnerability notifications to a list of parties. Zoltu said such a list would create an uneven playing field among projects, while Szilágyi said that any disclosure of bugs creates a weak spot in Ethereum’s infrastructure.
For example, disclosing the bug early to the Infura service provider – which most decentralized finance (DeFi) applications use to connect to the Ethereum blockchain – would give it an unfair advantage over its competitors. Furthermore, the consequences for the wider ecosystem could be severe if the inside information shared with the list were leaked to the wrong parties.
Given the choice again, Szilágyi said he would handle the recent disclosure the same way, meaning by keeping the consensus bug hidden (although at one point in the call he said he should have let users know that a previous version of Geth contained a vulnerability). Geth has done this for other consensus vulnerabilities, he said.
“Disclosure is a complex subject and user safety is paramount,” Prestwich concluded.