## Ubuntu bitcoin PPA

8

Since bitcoin is a software package that involves "real" money (inasmuch as any currency is "real"), I know there are major incentives for unscrupulous people to build backdoors into software related to bitcoin. For example, consider the current warning in IRC#bitcoin: "...All keys generated with brainwallet.org should be considered compromised" (a backdoor was apparently built into that software though I don't have specific details).

So as I consider building a second bitcoin node for myself (my first was in Arch using an official package), this time in Linux Mint 17.1 (based on Ubuntu 14.04) using an unofficial bitcoin PPA, I'm taking careful note of the warning that I usually dismiss without much of a second thought for using Debian/Ubuntu/Mint PPAs: "You can update your system with unsupported packages from this untrusted PPA by adding ppa:bitcoin/bitcoin to your system's Software Sources." (emphasis not in original)

And so before I use this PPA myself, I thought I would ask here if anyone else has used this PPA (that was only recently revised by Matt Corallo on 2015-02-18), and if you found any specific problems with it?

As I think about using it myself, I wonder if I should look at the MD5 checksum and/or diff of the source files used in the PPA as compared with those of the original Bitcoin Core sources. I don't know; maybe that's being too paranoid, but I'm wondering if others have used this PPA and if so, if they compared it with the original upstream sources.

I considered asking this question at https://askubuntu.com/, but I think it's better suited to this Q/A community because it's less about Ubuntu (I think this PPA could be used in many different distros that are all based on Ubuntu like my Mint distro) and more about Bitcoin.

2

Any particular reason you don't want to build the binary yourself using the github source?

– Jimmy Song – 2015-02-23T18:06:37.293

3Matt Corallo is one of the top contributors of Bitcoin, so if he's the one that maintains the Bitcoin PPA, I would count that as a positive signal. ;) – Murch – 2015-02-23T18:53:24.023

@jimmysong that's a great question, and I am considering it, but from a software maintenance perspective, I've found that every time I do something like that, I end up regretting it months later because I have a lot more work to do when I want to upgrade to the next release. I may end up doing that in spite of that logic because as I wrote above, bitcoin is special. I'm still on the fence, honestly. – Kevin Ford The Submariner – 2015-02-23T19:20:46.450

@Murch I didn't realize that. Thanks for mentioning it. Matt, if you're reading, no offense intended with my question. Just trying to be duly diligent is all. :) – Kevin Ford The Submariner – 2015-02-23T19:22:47.813

Yikes. I'd heard rumours about brainwallet.org using a compromised key generator. Have we got a link to any of the discussions? – Wizard Of Ozzie – 2015-02-25T09:12:36.293

1

In any case, I put together a Dockerfile following the official Bitcoin Core install guide. It also is careful to git clone the latest release version.