Skip to content

Securing Open Source repositories and contributions: best practices for Bitcoin codebases #7

Description

@storopoli

Description

Bitcoin is probably the most valuable code running anywhere, but a lot of it is maintained like any other open source project: small teams, limited time, CI nobody has looked at hard. We tell users to verify instead of trust. We're worse at doing that for the code itself.

The attacks that worked recently were proofs of concept. The maintainer-takeover that backdoored XZ was a manual, multi-year con; the next ones will be cheaper and faster. AI lets an attacker manufacture a plausible contributor history, open convincing pull requests at scale, and seed package registries with hallucinated-then-squatted dependency names. CI keeps getting more interconnected, which means more tokens to leak and more actions to poison downstream. This talk is about getting ahead of that curve rather than cleaning up after it.

Topics that I'll cover (not exhaustively) and how to secure/harden against them:

  • Supply chain attacks
  • CI/Actions vulnerabilities
  • Social engineering
  • Binary blobs & the unauditable

About the Speaker

Jose Storopoli: PhD in Computational Statistics. Engineer Lead at Alpen Labs.
Rust Bitcoin ecosystem maintainer and contributor.

Social Links

Github: https://GitHub.com/storopoli
Twitter: https://x.com/storopoli
Website: https://storopoli.com

Talk Details

Length of Talk

15 to 30 minutes

Preferred Day/Time Slot

Any day/time will work.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions