At the core of bitcoin is the building, or “compiling,” of the software, and that process requires a level of trust whether you like it or not. However, an update to the code could make it more trustworthy.
Guix, a program featuring containers, was just integrated into Bitcoin Core, the most widely used bitcoin implementation. This means that real users can take it for a spin. This results in the code being more trustworthy when it is downloaded from the Ubuntu operating system during the build phase.
In a tweet last month, Carl Dong, the lead developer of the project, stated that even though it has been a long journey, #Guix support for deterministic, bootstrappable builds using Bitcoin Core has landed in master.
There are protections integrated into this build process. When developers go to Bitcoin.org to download Bitcoin Core, they use the Gitian procedure to create “reproducible” builds. This allows the developers to confirm that the distributed binaries being downloaded are the right version and not a duplicate with a secret backdoor included in the program, which reduces the potential for bitcoin theft.
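An added example, not taken from the article or from Bitcoin Core's own tooling, of the comparison that reproducible builds make possible: a download is accepted only when several independent builders report the same SHA-256 digest for it. The builder names, file name, sha256sum-style manifest format and threshold are assumptions, and authenticating each builder's manifest is assumed to have happened already.

```python
import hashlib
from collections import Counter

def parse_manifest(text):
    """Parse 'sha256-hex  filename' lines (sha256sum output format)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest for {name!r}")
        entries[name.lstrip("*")] = digest
    return entries

def agreed_digest(manifests, name, min_builders=2):
    """Return the digest every builder reports for `name`, or None when
    too few builders attest to it or any two builders disagree."""
    seen = Counter(m[name] for m in manifests.values() if name in m)
    if sum(seen.values()) < min_builders or len(seen) != 1:
        return None
    return next(iter(seen))

def verify_download(data, name, manifests, min_builders=2):
    """True only if the downloaded bytes match the unanimous builder digest."""
    expected = agreed_digest(manifests, name, min_builders)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected

# Constructed sample data: stand-in bytes for a release archive and a tampered copy.
NAME = "example-release.tar.gz"   # hypothetical file name
GOOD = b"constructed release bytes"
BAD = GOOD + b" plus an extra payload"

def manifest_for(data):
    return f"{hashlib.sha256(data).hexdigest()}  {NAME}\n"

# Hypothetical builders; in SPLIT one of them reports a different binary.
BUILDERS = {who: parse_manifest(manifest_for(GOOD)) for who in ("alice", "bob", "carol")}
SPLIT = dict(BUILDERS, carol=parse_manifest(manifest_for(BAD)))

if __name__ == "__main__":
    print("good download accepted:", verify_download(GOOD, NAME, BUILDERS))
    print("tampered download accepted:", verify_download(BAD, NAME, BUILDERS))
    print("digest when builders disagree:", agreed_digest(SPLIT, NAME))
```

A disagreement between builders returns no digest at all rather than a majority vote, since a mismatch means either the build is not reproducible or one build environment differs and should be investigated.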
However, Dong stated that even this process isn’t secure enough when it comes to the building process, as he outlined in a detailed presentation in Amsterdam at the Breaking Bitcoin conference.
With the Gitian procedure, the computer can make use of the code produced. When using this procedure, developers might not be aware that they are getting the code via the Ubuntu operating system. This could give users a false sense of security.
Dong told CoinDesk that at this time, Ubuntu (or the person who acquires the authority signing keys to Ubuntu) has an impact on both the accessibility and security of Bitcoin Core’s release binaries. In the long run, putting faith in un-auditable, opaque binary downloads from third parties such as Ubuntu could be asking for big trouble.
Not Disillusioned Anymore
Dong told CoinDesk that a couple of years ago, as the “reproducible builds” processes were happening, he was “disillusioned” with the process used to build bitcoin.
He discovered that he wasn’t alone, and once he was working at Chaincode Labs, a bitcoin protocol development hub located in New York City, the project got new life. He got input from Cory Fields and Russ Yanofsky, both contributors to Bitcoin Core, along with others who helped to develop the Bitcoin Core software.
His ultimate answer was to keep the trust in these binaries to a minimum where applicable. Another important component was to track the exact source of the binaries.
During his Breaking Bitcoin speech, Dong said that when developers use Guix to create a toolchain, there is a way to verify how every tool in the toolchain was produced and simply bootstrap them from a skeleton set of trusted binaries.
Dong doesn’t believe they created a foolproof system. He said that it isn’t possible to take all trusted third parties out of the build procedure, but the current process does help.
Furthermore, he stated they are looking for a more effective way to audit toolchains provided by third parties. Dong went on to say that using Guix gives them much more visibility into the set of binaries they trust and how a build environment for Bitcoin Core could be developed from it.
At this time, Linux operating system users have this change available to them. Dong, along with others, is making the changes available for Mac and Windows users too.
Michael Ford, maintainer of the software and a Bitcoin Core contributor, tweeted that it was a huge first step and offers a workable option for building with Gitian. There are numerous improvements for Guix in the works. He believes he’ll play a pivotal part in the 0.19.0 release.
Keep in mind that Dong has a strategy to make the builds reproducible into the future.
Dong said that Bitcoin Core developers could build previous versions of Bitcoin Core in the future. They will be able to create binaries that are identical, down to the bit, to the ones that were released.
This reproducibility in the future will give us the chance to produce the precise behavior of prior releases, and comes in handy for testing and debugging.
Dong is being praised for his efforts to make bitcoin more trustworthy, even though the technical change seems arcane.
David Vorick, Sia’s co-founder and lead developer, tweeted that these kinds of innovations are usually invisible to the investment communities and consumers; however, they are the main reason why bitcoin is where it is today.