Bitcoin Core 0.21.0 was released
It is available from https://bitcoincore.org/bin/bitcoin-core-0.21.0/
Release mail: https://lists.linuxfoundation.org/pipermail/bitcoin-core-dev/2021-January/000097.html
@orionwl It'd be good to timestamp SHA256SUMS.asc
@pete good point i'll look into installing OTS on the release signing machine
(it's not entirely trivial for…reasons…)
@orionwl Does it really need to be on the release signing machine? OTS proofs are self-verifying after all, so all you need is the ability to upload to the website.
@orionwl Yeah, simply timestamp SHA256SUMS.asc and upload the .ots proof.
I'd advise *against* timestamping the SHA256SUMS files directly, as that gives the wrong impression as to what the main purpose of the timestamp is: validation of the PGP signatures into the future, not validation of the releases themselves.
@orionwl One option of course would be to have a git repo of all the binaries and timestamp the git repo itself. Then publish on the website only the .ots proof for the .asc, extracted with the git-extract command.
@pete that would work, though i don't think a git repository is particularly suitable for storing binaries
in any case: i've uploaded a timestamped .asc here: https://bitcoincore.org/bin/bitcoin-core-0.21.0/SHA256SUMS.asc.ots
will try to do so from now on for releases
@orionwl I've got literally hundreds of gigabytes of stuff in git repos, using git-annex. Even without git-annex, storing binaries in git repos when the intent is long-term 100% complete archiving is fine. Only downside is normal checkouts take up twice the space.
Looks like the full set of binaries is a couple hundred MB. git can handle that just fine out of the box.
@FreePietje @orionwl @joeyh git-annex is awesome software! I've been using it for years.
@orionwl The PGP signature packet format does *not* include the full digest of what is being signed - just 16 bits of the digest - so there could be a potential issue with verifying the file contents if quantum computing ever becomes a thing. IIRC ECC sigs act like hash functions even with quantum computing, so IIUC they would be verifiable. I don't know about RSA.
https://tools.ietf.org/html/rfc4880#section-5.2.3