Is bitcoin-qt as a PPA really secure? How to prove it?

2

With Bitcoins being worth that much currently, I came to the conclusion of using a unique old computer just for this "use case".

I would like to run Ubuntu with bitcoin-qt (from PPA), but now the paranoia kicks in: what if the client is corrupted? I know that I can check against the MD5/SHsomething, but who guarantees that the client itself is not corrupted due to an error/mistake or even intentionally?

It is said that with PPA, nobody guarantees that the software itself is not corrupted, so I am unsure about transferring quite a lot of money to some software I don't know anything about.

Ice09

Posted 2013-04-03T09:14:55.993

Reputation: 129

2

If you're really paranoid (not a bad thing) you can just avoid connecting your wallet-hosting (running the software) computer to the internet and avoid this issue entirely. In the end, though, the Bitcoin client is open-source software; no company guarantees that it will work no matter what source you obtain it from. Caveat emptor. – BinaryMage – 2013-04-03T16:28:53.420

OK, but is there a way (without internet) to be sure that my current wallet really is valid (and contains the amount of BTC I assume) any more? To know this, you would need internet, correct? – Ice09 – 2013-04-04T07:56:59.840

3

Armory (an alternate Bitcoin client) has excellent support for offline wallets and superb documentation; I'd suggest you take a look at their page here.

– BinaryMage – 2013-04-04T15:18:21.620

Technically the company who develops the software (be it the original source code developers or a deviation of the original) is responsible for the stability. The entire Bitcoin system is open source. If you don't want open source, Bitcoin isn't for you. – Alex – 2013-04-16T16:46:06.177

You should ask the Askubuntu.com crowd, which is also a Stack Exchange site. – Alex – 2013-04-16T16:47:51.027

I felt this term wasn't obvious in the question, so note that PPA stands for Personal Package Archives.

– Nayuki – 2016-01-11T02:26:58.547

Answers

1

You can instead directly install from the source code. It is available on the project site along with release signatures.

Murch

Posted 2013-04-03T09:14:55.993

Reputation: 51 063

You might want to do the deterministic build thing and then also check the hashes and PGP signatures for the executable. Help the distributedness of the build process. Next step of course is that you are trusting the Ubuntu repos, which could still completely pwn you. (As any other distro / OS of course.) – Jannes – 2016-01-10T15:49:18.593

@Jannes: Perhaps you should write an answer, I think it would probably be better. :) – Murch – 2016-01-10T20:55:53.850
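The check that the answer and the comment above describe (release signatures, hashes and PGP signatures), written out as an added example that is not part of the original thread or the project's own tooling. It assumes a `sha256sum`-style manifest with a single detached signature; the file names and the pinned fingerprint are placeholders.

```bash
#!/usr/bin/env bash
# Added example. File names, the pinned fingerprint and the single-signer
# detached-signature layout are assumptions, not values from the thread.

# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# names the pinned fingerprint (signing key or primary key, uppercase hex)
# and no line reports a bad, expired or revoked signature or key.
status_has_validsig() {
    local pinned="$1" tag kind fpr rest good=1 bad=0
    while read -r tag kind fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kind" in
            BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) bad=1 ;;
            VALIDSIG)
                if [ "$fpr" = "$pinned" ] || [ "${rest##* }" = "$pinned" ]; then
                    good=0
                fi ;;
        esac
    done
    [ "$bad" -eq 0 ] && [ "$good" -eq 0 ]
}

# Succeeds only if FILE's SHA-256 equals the manifest entry for its basename.
# Fails closed when the entry is missing, duplicated or malformed.
manifest_matches() {
    local manifest="$1" file="$2" name expected actual
    name="$(basename "$file")"
    expected="$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$manifest")"
    case "$expected" in
        ""|*[!0-9a-f]*) return 1 ;;  # a duplicate entry adds a newline here
    esac
    [ "${#expected}" -eq 64 ] || return 1
    actual="$(sha256sum "$file" | awk '{ print $1 }')"
    [ "$actual" = "$expected" ]
}

# Signature on the manifest first, then the file against the manifest.
verify_release() {
    local pinned="$1" manifest="$2" sig="$3" file="$4"
    gpg --status-fd 1 --verify "$sig" "$manifest" 2>/dev/null \
        | status_has_validsig "$pinned" || return 1
    manifest_matches "$manifest" "$file"
}

# Usage: verify_release <40-hex fingerprint> SHA256SUMS SHA256SUMS.asc release.tar.gz
```

The pinned fingerprint has to come from a channel other than the download itself; a hash or key fetched from the same place as the file only detects transfer errors, not a tampered release.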