Please remove electrum from the archive
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
electrum (Ubuntu) | Fix Released | Medium | Adam Conrad |
Bug Description
This is a request for BLACKLISTING and REMOVAL of the Electrum Bitcoin Wallet program from the repositories.
This request comes with the following considerations:
(1) The Electrum Wallet upstream latest release is 2.4. The version in all our repositories is at least one year old.
(2) Debian has identified issues with the 2.0+ code which prevents updating, including but not limited to (please refer to https:/
(a) tlslite dependency for the package and code was removed
(b) 2.0+ code has poor handling of certificate verification, including not verifying the use purpose of a certificate, meaning there is an MITM vector when it reaches out to Electrum servers.
(3) There were multiple additional changes in 2.0+ which can break reverse compatibility, including:
(a) A bitcoin blockchain soft-fork on July 4th, 2015, which only the newer Electrum versions know about.
(b) There are significant client-to-server communication improvements, security, and bug fixes, which only exist in the 2.0+ code.
(c) Wallet seed codes from newer versions cannot work with the older versions that exist.
After a discussion in #ubuntu-motu with Iain Lane, he suggested poking the security team. After further discussion in #ubuntu-hardened with Steve Beattie and Seth Arnold, in which I said it was my belief that it should be removed from Wily and a sync blacklist imposed, Steve Beattie said that it seems a sensible course of action to remove Electrum from Wily and impose a sync blacklist.
There are no reverse dependencies, nor reverse build dependencies that I could identify.
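Item 2(b) above describes the failure mode of a TLS client that does not verify the peer certificate properly: no CA validation, no hostname check, and no check that the certificate is actually usable for server authentication. The following is an added illustration, not Electrum's code and not part of the bug report, written against Python's standard `ssl` module, which Electrum would have had available. It puts a context modelling the weak behaviour beside a hardened one and audits both; the function names, the finding strings and the `open_verified` helper are assumptions made for this example. With a `PROTOCOL_TLS_CLIENT` context, OpenSSL additionally rejects a peer certificate that is not valid for the SSL-server purpose (the serverAuth extended key usage), which is the "use purpose" check the report says the 2.0+ code lacked.

```python
import socket
import ssl


def hardened_client_context(cafile=None):
    """Client context that validates the chain against a CA, checks the
    hostname against the certificate's SAN/CN and refuses TLS < 1.2.
    Because it is a client-role context, OpenSSL also checks the peer
    certificate's purpose (serverAuth) during the handshake."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context():
    """Constructed example of the MITM-prone shape: any certificate, for any
    name, is accepted, so an interposed server with a self-signed or
    mis-purposed certificate completes the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client SSLContext (empty when the
    context enforces the checks that close the MITM vector)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required/verified against a CA")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate SAN/CN")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    return findings


def open_verified(host, port, ctx=None, timeout=10):
    """Connect to a server with a verifying context and return the peer
    certificate as parsed by the ssl module (network access required)."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname is what check_hostname compares the cert against
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "ok")
```

Note the ordering in `weak_client_context`: the `ssl` module refuses to set `CERT_NONE` while `check_hostname` is still `True`, so a client that disables verification must disable both, which is exactly what an audit like `audit_context` should flag.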
description: updated
Changed in electrum (Ubuntu): importance: Undecided → Medium
Changed in electrum (Ubuntu Trusty): status: New → Triaged; importance: Undecided → Medium
information type: Public → Public Security
tags: added: patch trusty vivid
tags: removed: patch
tags: removed: trusty vivid
Additional discussion with infinity (Adam Conrad) has led to the point that we should probably dummy-out the prior versions for a similar reason we did the `bitcoin` source package.
Note that I intend to do that as an SRU, but I have other priorities on my list for now.