There are so many facets one has to take into consideration when approaching Bitcoin in an attempt to understand how it works. Cryptography, computer science, economics, game theory, psychology and many other disciplines are part of Bitcoin's DNA in one way or another. This morning we're going to focus on the computer science part of Bitcoin, specifically Bitcoin's build security.
Bitcoin Core contributor Carl Dong gave a great presentation at Breaking Bitcoin last weekend on Bitcoin's current build system, where it leaves us vulnerable to nefarious actors, and how we can minimize the attack surfaces that exist when users initially download the Bitcoin Core client. I highly recommend you check it out if you get a free 15-minute window today.
In short, when you download the Bitcoin Core client from official sources like the bitcoin/bitcoin repository on GitHub, you are trusting a number of other systems to build and compile the Bitcoin software for your local device. We are trusting that the tools used to build the binaries aren't compromised. At the moment we can verify that the compiled binary matches the source code that was fed to us via the bitcoin/bitcoin repository on GitHub, but without diving into the code of the compiler and build tools themselves we are a bit blind as to whether or not those tools are compromised. I imagine very few people dive into the code to make sure the tools aren't being malicious. This is definitely something we should look to fix.
Luckily for us, men like Carl Dong are on the case, working hard to make Bitcoin both reproducible and bootstrappable with as little trust as possible. Leveraging a package manager called Guix, Carl is making progress in this direction. Check out his talk when you get a chance to learn a bit about the nitty-gritty details of running the Bitcoin software, the attack surface that exists when handling this software, and how Bitcoiners are working hard to reduce that attack surface, making Bitcoin more resilient in the long run.
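To make the "reproducible" idea above concrete, here is an added example (not code from the post, from Bitcoin Core, or from Carl Dong's work) of how a downloader can check a binary against the digests published by several independent builders: a build counts as reproducible only when every builder reports the same digest, and a download is accepted only against that unanimous value. The builder names, artifact names and digests are all constructed for the example; Bitcoin Core's real attestation files are not used here.

```python
import hashlib
from collections import defaultdict

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: three independent builders each publish the sha256 of the
# artifacts they built, in sha256sum's "<hex>  <file>" layout. These are NOT Bitcoin
# Core's real attestation files; the digests come from placeholder bytes below.
TARBALL, INSTALLER = "bitcoin-x86_64-linux-gnu.tar.gz", "bitcoin-win64-setup.exe"
BUILDER_ATTESTATIONS = {
    "builder-a": f"{sha256_hex(b'tarball-v1')}  {TARBALL}\n{sha256_hex(b'installer-v1')}  {INSTALLER}\n",
    "builder-b": f"{sha256_hex(b'tarball-v1')}  {TARBALL}\n{sha256_hex(b'installer-v1')}  {INSTALLER}\n",
    # builder-c's toolchain emitted a different installer: that build did not reproduce
    "builder-c": f"{sha256_hex(b'tarball-v1')}  {TARBALL}\n{sha256_hex(b'installer-OTHER')}  {INSTALLER}\n",
}

def parse_attestation(text: str) -> dict:
    """Parse sha256sum-style lines into {artifact: hex digest}; reject malformed lines."""
    parsed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hexdigest, sep, name = line.partition("  ")
        if len(hexdigest) != 64 or not sep or not name:
            raise ValueError(f"malformed attestation line: {raw!r}")
        parsed[name] = hexdigest.lower()
    return parsed

def digests_by_artifact(attestations: dict) -> dict:
    """Map each artifact to {digest: [builders that reported that digest]}."""
    table = defaultdict(lambda: defaultdict(list))
    for builder, text in attestations.items():
        for name, hexdigest in parse_attestation(text).items():
            table[name][hexdigest].append(builder)
    return {name: dict(digests) for name, digests in table.items()}

def consensus_digest(name: str, attestations: dict):
    """The single digest every builder reported for `name`, or None if any disagree.
    Unanimity is the bar: one differing builder means the build is not reproducible."""
    digests = digests_by_artifact(attestations).get(name, {})
    return next(iter(digests)) if len(digests) == 1 else None

def verify_download(data: bytes, name: str, attestations: dict) -> bool:
    """True only if the downloaded bytes match a unanimous builder consensus."""
    expected = consensus_digest(name, attestations)
    return expected is not None and sha256_hex(data) == expected
```

Note the limit this check shares with the post's concern: it catches a toolchain that diverges on one builder's machine, but it cannot catch a compromise that every builder's toolchain shares, which is why bootstrappable builds matter beyond reproducibility.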
Song of the morning.