Hi Peter,

I agree that handling of vulnerability reports could be improved, although I have fewer expectations from bitcoin core to acknowledge any feedback. Here are a few things that we can do to improve the process:

- Report vulnerabilities anonymously and share real identity with disclosure later if required.
- Send the email to achow101 or sipa or fanquake and keep security@bitcoincore.org in Cc.
- Let's create a hall of fame webpage which has the name of all developers who reported vulnerabilities along with other details. Community could also donate directly to developers.
- Do not expect response on weekends and wait for at least 7-30 days before full disclosure if vulnerability report is ignored.

Maybe you and others on mailing list could suggest more improvements.

/dev/fd0
floppy disk guy

On Saturday, July 20, 2024 at 3:12:46 PM UTC Peter Todd wrote:

> On Fri, Jul 19, 2024 at 10:57:40PM -0700, /dev /fd0 wrote:
> > Hi Antoine,
> >
> > > I'm interested if you can propose a formal or mathematical definition of
> > > what constitute an in-topic or off-topic comments on a matters like full
> > > RBF, which has been controversial for like a decade.
> >
> > I will quote _willcl-ark_'s last comment as I do not have enough
> > permissions in bitcoin core repository to moderate comments:
> >
> > "However the comments section here has become difficult to follow due to
> > numerous off-topic comments, a few personal disagreements, and repetition
> > of arguments. In the interest of having a more productive and focused
> > technical and philosophical discussion we are going to close and lock this
> > PR."
> >
> > A new pull request should help reviewers. If you do not agree with it, feel
> > free to discuss it with moderators in bitcoin core IRC channel.
>
> It's quite bizarre to use "off topic comments" as an excuse to close a pull-req
> fixing a specific security vulnerability, assuming you actually care about that
> vulnerability. As I've said elsewhere, Core could have easily and quietly
> merged that pull-req as-is, possibly by having a few people write some obvious
> ACK rationales.
>
> The only good explanation for closing it is to further delay merging the
> pull-req, as well as disclosing the vulnerability.
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org