Re: [Tails-dev] Tails vs Electrum

Author: intrigeri
Date:  
To: s7r, tails-dev
Subject: Re: [Tails-dev] Tails vs Electrum
Hi s7r,

s7r wrote:
> intrigeri wrote:


>> Option A: use a trusted onion server and keep 3.1.3-1~bpo9+1 for now
>> ====================================================================


Update: Tails 3.14 should ship Electrum 3.2.3-1 from sid. That won't
help it connect to the network but at least we upgrade to the newest
version that's in Debian, which is the best we can do.

>> If that's sufficient to fix the most critical issues on the short
>> term, then we need to know: […]


Thanks a lot for your comprehensive answer!

> I run 2 (two) .onion servers, accessible via v3 onion hostnames (new
> generation onion services). They run on own hardware and have plenty of
> resources and bandwidth so, they should be reliable. But the situation
> gets complicated because the servers can be abused (DOSed) by clients at
> application level (ask expensive historic data for addresses that
> consume high CPU and disk I/O resources) and make the server
> unavailable. […]


So I understand that basically, as of today, we would trade "Electrum
in Tails can't connect to the network most of the time because we run
a deprecated client version" (the current situation) for "Electrum can
use the configured trusted Onion server only when it's not DoS'ed".

I guess this would be a usability improvement but it does not seem
sufficient to make Electrum in Tails really usable.

> If we decide to do this, it means users MUST have a higher level of
> trust in this server, rather than any public Electrum server. […]


The risk×impact does not seem too bad to me. At least, not enough
to be a blocker in itself.

So all in all, my current take on option A is: at least as long as the
DoS issue is that severe, this option doesn't seem to provide enough
usability benefits to be worth doing the work and taking the security
hit. And we're thus left with option B:

>> Option B: find co-maintainers for the Debian package
>> ====================================================
>>
>> We have the skills at Tails to become co-maintainers but if there's
>> a way to find some other co-maintainers, it would be sweet. Ideally we
>> would not have to be part of it but worst case we can, at least for
>> a while.
>>
>> s7r, how about you ask the Debian Cryptocoin Team¹ if they want to
>> co-maintain Electrum with mithrandi and/or with some Tails folks,
>> under the umbrella of their team?
>>
>> [1] https://qa.debian.org/developer.php?email=team%2Bcryptocoin%40tracker.debian.org


> I have sent some emails, but I have to admit I didn't have time to stay
> quite on top of this. I plan to further discuss it and look for solutions.


Great!

Any progress on this front? Could you please point me to the
corresponding mailing list thread?

(And if you only did private email so far, I suggest you switch to
using that team's public mailing list in the future, which fits the
Debian culture better and has thus more chances to work :)

Please Cc me further communication with the Debian Cryptocoin team, if
you don't mind. It'll help me assess whether, and how much, we as
Tails need to invest into co-maintaining the package.

Cheers,
--
intrigeri