Questions about Knots and security

[nakoshi-satamoto]

I want to move away from Bitcoin Core, I am considering Knots but I have some genuine concerns that I want to have addressed in my consideration of switching to Knots. My concerns are not intended as a personal attack on anyone, but concerns cannot be ignored when dealing with financial infrastructure. If this post is censored then I take that as a sign of confirmation of my concerns, if my concerns are invalid then please address with reasoning and logic and open discussion rather than censorship. Thank you

1. The lead developer of Knots is chaotically disorganized and insecure in their digital life. I've seen this first hand when that persons personal server was exposing personal files I saw how disorganized, cluttered, and insecure that person was. This person was also compromised in the past with their PGP key compromised and the Knots repo considered as potentially comporomised also. This was due to poor security practices to begin with by that person. Why would I have any confidence in a bitcoin implementation that is ran by someone that has poor security practice and disorganized?

2. Is Knots using reproducible builds? If not then good to know so people can know they should compile from source.

3. Does more than one person sign the source code? Do these signers even check the code or just blindly sign whatever the lead dev puts out?

4. Is Knots code even audited? Especially after the hack?

[nakoshi-satamoto]

on point 1. , if what I saw in the past was intentional sharing of personal files rather than security malpractice, then I have even further concerns on the judgement and decision making of that person. This is why I think it was rather security misconfiguration. Again, this is not intended to be a personal attack, but rather valid concerns due to software that deals with money and the need of security being a top priority.

[nakoshi-satamoto]

is this an AI answer?

[nakoshi-satamoto]

Yeah, never trust AI. Half the time AI makes up stuff or distracts from true answers.
These generated answers are either invalid, not relevant, or does not answer.

[nakoshi-satamoto]

PGP is pointless if the key is compromised. Verifying signatures is pointless if the source code is compromised. I'm talking about reproducible builds of Knots, not Core. Running Knots in an isolated airgapped environment does not negate the impact of it being compromised even if it was useful in an isolated environment. Again, compmiling from source code is also not the solution if the source code itself is compromised or insecure, not audited.

[nakoshi-satamoto]

It is pointless to continue further discussion based on this lazy AI generated answer. The use of AI just discredits something and utilizing the output of AI just results in wasted time and following fallacies.

[luke-jr]

This isn't genuine concerns, it's slanderous lies.

[nakoshi-satamoto]

I have respect for you luke-jr, can you please address my concerns? If you can convince me that these concerns are invalid I will then be convinced to switch from Core. Thank you

[luke-jr]

Again, there are no genuine concerns mentioned, only slanderous lies. There is nothing to address.

[nakoshi-satamoto]

It apparently is pointless to have dialog with you, you do not even answer questions but just close discussions and not even answer questions with reasoning and logic. But fine, I can do the same, there are genuince concerns and these are not lies. There are things to address.

In the mantime, I'm avoiding Knots, I'm probably going to fork Core intsead. But I can simplify my questions if that helps

1. is Knots maintained by more than one person?

2. Does Knots use reproducible builds, or should people compile from source?

3. Does more than one person sign the source code, if so do they even review what they are signing?

[luke-jr]

1. Yes, the 5 Core maintainers are also de facto maintainers of Knots in every relevant sense.
2. Reproducible builds are available, and signatures published so you could see this for yourself... The Ubuntu PPA is compiled non-reproducibly by Canonical, and Start9/Umbrel are also non-reproducible at this time AFAIK. (Also true for Core)
3. Reproducible builds produce tarballs signed by the builder, who are typically not assumed to review code. git only allows a single tag signer. I know I review things, but you'd have to check each PR individually to see who else has reviewed each (this is also the case for Core, note).

[nakoshi-satamoto]

Knots is no different than Core, if open discussion is cenosred, and the fact this discussion was closed by Luke just proves my concerns of Knots bieng a one man show who controls this project.

[luke-jr]

Not at all. Your comments just prove you're engaging in bad faith.

[nakoshi-satamoto]

Now @luke-jr is deleting my other posts and comments. By this activity of not addressing my concerns and then censorship, Knots proved to me it cannot be trusted and is heavy on censorship. But I saved screenshots before you could delete. I'm going to release expose Knots for what it really is.

[luke-jr]

Moderation is not censorship. Spamming lies over and over is not going to be tolerated. You have made it clear you are a bad actor.