On Wed, Mar 27, 2024 at 09:50:20AM -1000, David A. Harding wrote:
> On 2024-03-27 08:04, Peter Todd wrote:
> > I was able to verify independently that the relevant people had seen
> > the email and weren't planning on replying.
>
> Can you provide detail on this?

I'm not going to because I don't want anyone else subject to harassment over this.

> > You're just harassing me here; I highly
> > suspect you'd have said nothing at all if I hadn't brought up
> > disclosure.
>
> I think I would have said something. Any time I'm writing a description for
> Optech about an attack that affects existing Bitcoin software and was
> responsibly disclosed, I back link to it from a special page [1]. In cases
> of ambiguity about whether or not an attack was responsibly disclosed, I
> investigate.
>
> I'm sorry this feels to you like harassment. To me it feels like whiplash:
> I inferred responsible disclosure based on your original text, learned it
> might not have been, and now am being told by you that it was indeed
> responsible.

I'm not the only person who thinks this looks like harassment. The fact is you started this conversation with:

"I'm especially concerned given your past history of publicly revealing vulnerabilities before they could be quietly patched and the conflict of interest of you using this disclosure to advocate for a policy change you are championing."

You haven't substantiated any of this. Nor have you even tried to argue that my take on the vulnerability is incorrect: it's just an interesting variation of well-known attacks that doesn't substantially change the situation.

Anyway, this conversation is just wasting everyone's time. If this actually is a deal-breaking exploit that must be fixed quickly and quietly - the type of exploit for which responsible disclosure is necessary - what we should be talking about is how to fix it. I proposed two different design changes that mitigate it. One of which fixes other issues too.
Antoine Riard also proposed potential mitigations. Do you have a useful comment on these proposals?

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org