Merge remote-tracking branch 'upstream/master'

.cirrus.yml

@@ -2,7 +2,7 @@ task:
   container:
     image: $ELECTRUM_IMAGE
     cpu: 1
-    memory: 1G
+    memory: 2G
   matrix:
     - name: Tox Python $ELECTRUM_PYTHON_VERSION
       env:
@@ -17,9 +17,13 @@ task:
        - env:
            ELECTRUM_PYTHON_VERSION: 3.10
        - env:
+           ELECTRUM_PYTHON_VERSION: 3.11
+       - name: Tox Python 3 debug mode
+         env:
            ELECTRUM_PYTHON_VERSION: 3
-       - env:
-           ELECTRUM_PYTHON_VERSION: rc
+           # enable additional checks:
+           PYTHONASYNCIODEBUG: "1"
+           PYTHONDEVMODE: "1"
     - name: Tox PyPy
       allow_failures: true
       env:
@@ -35,9 +39,11 @@ task:
     - git tag
   install_script:
     - apt-get update
-    - apt-get -y install libsecp256k1-0
+    - apt-get -y install libsecp256k1-dev
     - pip install -r $ELECTRUM_REQUIREMENTS_CI
   tox_script:
+    - export PYTHONASYNCIODEBUG
+    - export PYTHONDEVMODE
     - tox
   coveralls_script:
     - if [ ! -z "$COVERALLS_REPO_TOKEN" ] ; then coveralls ; fi
@@ -52,6 +58,8 @@ task:
     CI_BRANCH: $CIRRUS_BRANCH
     CI_PULL_REQUEST: $CIRRUS_PR
     # in addition, COVERALLS_REPO_TOKEN is set as an "override" in https://cirrus-ci.com/settings/...
+  depends_on:
+    - Flake8 Mandatory
 
 task:
   name: Locale
@@ -64,7 +72,7 @@ task:
     fingerprint_script: echo Locale && echo $ELECTRUM_IMAGE && cat $ELECTRUM_REQUIREMENTS_CI
   install_script:
     - apt-get update
-    - apt-get -y install gettext
+    - apt-get -y install gettext qttools5-dev-tools
     - pip install -r $ELECTRUM_REQUIREMENTS_CI
     - pip install requests
   locale_script:
@@ -74,7 +82,7 @@ task:
     ELECTRUM_REQUIREMENTS_CI: contrib/requirements/requirements-ci.txt
     # in addition, crowdin_api_key is set as an "override" in https://cirrus-ci.com/settings/...
   depends_on:
-    - Tox Python 3.9
+    - Tox Python 3.8
   only_if: $CIRRUS_BRANCH == 'master'
 
 task:
@@ -93,10 +101,10 @@ task:
     populate_script: mkdir -p /tmp/bitcoind
   install_script:
     - apt-get update
-    - apt-get -y install libsecp256k1-0 curl jq bc
+    - apt-get -y install libsecp256k1-dev curl jq bc
     - pip3 install .[tests]
-    # install e-x some commits after 1.16.0 tag, where it uses same aiorpcx as electrum
-    - pip3 install git+https://github.com/spesmilo/electrumx.git@c8d2cc0d5cf9e549a90ca876d85fed9a90b8c4ed
+    # install e-x some commits after 1.16.0 tag
+    - pip3 install git+https://github.com/spesmilo/electrumx.git@4e66804dc0d668cd6bd4602b547e2f5b2e227e97
     - "BITCOIND_VERSION=$(curl https://bitcoincore.org/en/download/ | grep -E -i --only-matching 'Latest version: [0-9\\.]+' | grep -E --only-matching '[0-9\\.]+')"
     - BITCOIND_FILENAME=bitcoin-$BITCOIND_VERSION-x86_64-linux-gnu.tar.gz
     - BITCOIND_PATH=/tmp/bitcoind/$BITCOIND_FILENAME
@@ -114,6 +122,8 @@ task:
     ELECTRUM_REQUIREMENTS: contrib/requirements/requirements.txt
     # ElectrumX exits with an error without this:
     ALLOW_ROOT: 1
+  depends_on:
+    - Flake8 Mandatory
 
 task:
   container:
@@ -124,9 +134,9 @@ task:
     folder: ~/.cache/pip
     fingerprint_script: echo Flake8 && echo $ELECTRUM_IMAGE && cat $ELECTRUM_REQUIREMENTS
   install_script:
-    - pip install flake8
+    - pip install flake8 flake8-bugbear
   flake8_script:
-    - flake8 . --count --select=$ELECTRUM_LINTERS --show-source --statistics
+    - flake8 . --count --select="$ELECTRUM_LINTERS" --ignore="$ELECTRUM_LINTERS_IGNORE" --show-source --statistics --exclude "*_pb2.py,electrum/_vendor/"
   env:
     ELECTRUM_IMAGE: python:3.8
     ELECTRUM_REQUIREMENTS: contrib/requirements/requirements.txt
@@ -136,10 +146,13 @@ task:
         # list of error codes:
         # - https://flake8.pycqa.org/en/latest/user/error-codes.html
         # - https://pycodestyle.pycqa.org/en/latest/intro.html#error-codes
-        ELECTRUM_LINTERS: E9,E101,E129,E273,E274,E703,E71,F63,F7,F82,W191,W29
+        # - https://github.com/PyCQA/flake8-bugbear/tree/8c0e7eb04217494d48d0ab093bf5b31db0921989#list-of-warnings
+        ELECTRUM_LINTERS: E9,E101,E129,E273,E274,E703,E71,F63,F7,F82,W191,W29,B
+        ELECTRUM_LINTERS_IGNORE: B007,B009,B010,B019
     - name: Flake8 Non-Mandatory
       env:
-        ELECTRUM_LINTERS: E,F,W,C90
+        ELECTRUM_LINTERS: E,F,W,C90,B
+        ELECTRUM_LINTERS_IGNORE: ""
       allow_failures: true
 
 task:
@@ -170,6 +183,8 @@ task:
   env:
     CIRRUS_WORKING_DIR: /opt/wine64/drive_c/electrum
     CIRRUS_DOCKER_CONTEXT: contrib/build-wine
+  depends_on:
+    - Tox Python 3.8
 
 task:
   name: Android build (Kivy $APK_ARCH)
@@ -196,6 +211,8 @@ task:
     - ./contrib/android/make_apk.sh kivy "$APK_ARCH" debug
   binaries_artifacts:
     path: "dist/*"
+  depends_on:
+    - Tox Python 3.8
 
 task:
   name: Android build (QML $APK_ARCH)
@@ -222,6 +239,8 @@ task:
     - ./contrib/android/make_apk.sh qml "$APK_ARCH" debug
   binaries_artifacts:
     path: "dist/*"
+  depends_on:
+    - Tox Python 3.8
 
 ## mac build disabled, as Cirrus CI no longer supports Intel-based mac builds
 #task:
@@ -278,6 +297,8 @@ task:
     path: "dist/*"
   env:
     CIRRUS_DOCKER_CONTEXT: contrib/build-linux/appimage
+  depends_on:
+    - Tox Python 3.8
 
 task:
   container:
@@ -299,6 +320,8 @@ task:
     - name: source-only tarball build
       env:
         OMIT_UNCLEAN_FILES: 1
+  depends_on:
+    - Tox Python 3.8
 
 task:
   name: Submodules

.gitignore

@@ -34,14 +34,10 @@ contrib/build-wine/build/
 contrib/build-wine/.cache/
 contrib/build-wine/dist/
 contrib/build-wine/signed/
-contrib/build-wine/fresh_clone/
-contrib/build-linux/sdist/fresh_clone/
 contrib/build-linux/appimage/build/
 contrib/build-linux/appimage/.cache/
-contrib/build-linux/appimage/fresh_clone/
 contrib/osx/.cache/
 contrib/osx/build-venv/
-contrib/android/fresh_clone
 contrib/android/android_debug.keystore
 contrib/secp256k1/
 contrib/zbar/
@@ -50,7 +46,7 @@ contrib/.venv_make_packages/
 
 # shared objects
 electrum/*.so
-electrum/*.so.0
+electrum/*.so.*
 electrum/*.dll
 electrum/*.dylib
 contrib/osx/*.dylib

.gitmodules

@@ -1,6 +1,3 @@
-[submodule "contrib/deterministic-build/electrum-locale"]
-	path = contrib/deterministic-build/electrum-locale
-	url = https://github.com/spesmilo/electrum-locale
 [submodule "electrum/www"]
 	path = electrum/plugins/payserver/www
 	url = https://github.com/spesmilo/electrum-http.git

MANIFEST.in

@@ -3,6 +3,7 @@ include README.md
 include electrum-bsty.desktop
 include *.py
 include run_electrum
+include org.electrum.electrum.metainfo.xml
 recursive-include packages *.py
 recursive-include packages cacert.pem
 

README.md

@@ -22,7 +22,7 @@ but not everything. The following sections describe how to run from source, but
 is a TL;DR:
 
 ```
-$ sudo apt-get install libsecp256k1-0
+$ sudo apt-get install libsecp256k1-dev
 $ python3 -m pip install --user ".[gui,crypto]"
 ```
 
@@ -37,7 +37,7 @@ For elliptic curve operations,
 [libsecp256k1](https://github.com/bitcoin-core/secp256k1)
 is a required dependency:
 ```
-$ sudo apt-get install libsecp256k1-0
+$ sudo apt-get install libsecp256k1-dev
 ```
 
 Alternatively, when running from a cloned repository, a script is provided to build
@@ -99,7 +99,7 @@ $ python3 -m pip install --user -e .
 
 Create translations (optional):
 ```
-$ sudo apt-get install python-requests gettext
+$ sudo apt-get install python3-requests gettext qttools5-dev-tools
 $ ./contrib/pull_locale
 ```
 

RELEASE-NOTES

@@ -1,3 +1,135 @@
+# Release 4.4.5 (June 20, 2023)
+ * Hardware wallets:
+   - jade: fix regression in sign_transaction (#8463)
+ * Lightning:
+   - fix "rebalance_channels" function (#8468)
+ * enforce that we run with python asserts enabled,
+   regardless of platform (d1c88108)
+
+
+# Release 4.4.4 (May 31, 2023)
+ * QML GUI:
+   - fix creating multisig wallets involving BIP39 seeds (#8432)
+   - fix "cannot scroll to open a lightning channel" (#8446)
+   - wizard: "confirm seed" screen to normalize whitespaces (#8442)
+   - fix assert on address details screen (#8420)
+ * Qt GUI:
+   - better handle some expected errors in SwapDialog (#8430)
+ * libsecp256k1: bump bundled version to 0.3.2 (10574bb1)
+
+
+# Release 4.4.3 (May 11, 2023)
+ * Intentionally break multisig wallets that have heterogeneous master
+   keys. Versions 4.4.0 to 4.4.2 of Electrum for Android did not check
+   that master keys used the same script type. This may have resulted
+   in the creation of multisig wallets that cannot be spent from
+   with any existing version of Electrum. It is not sure whether any
+   users are affected by this; if there are any, we will publish
+   instructions on how to spend those coins (#8417, #8418).
+ * Qt GUI:
+   - handle expected errors in DSCancelDialog (#8390)
+   - persist addresses tab toolbar "show/hide" state (b40a608b)
+ * QML GUI:
+   - implement bip39 account detection (0e0c7980)
+   - add share toolbutton for outputs in TxDetails (#8410)
+ * Hardware wallets:
+   - Ledger:
+     - fix old bitcoin app support (<2.1): "no sig for ..." (#8365)
+     - bump req ledger-bitcoin (0.2.0+), adapt to API change (30204991)
+ * Lightning:
+   - limit max feature bit we accept to 10_000 (#8403)
+   - do not disconnect on "warning" messages (6fade55d)
+ * fix wallet.get_tx_parents for chain of unconf txs (#8391)
+ * locale: translate more strings when using "default" lang (a0c43573)
+ * wallet: persist frozen state of addresses to disk right away (#8389)
+
+
+# Release 4.4.2 (May 4, 2023)
+ * Qt GUI:
+   - fix undefined var check in swap_dialog (#8341)
+   - really fix "recursion depth exceeded" for utxo privacy analysis (#8315)
+ * QML GUI:
+   - fix signing txs for 2fa wallets (#8368)
+   - fix for wallets with encrypted-keystore but unencrypted-storage (#8374)
+   - properly delete wizard components after use (#8357)
+   - avoid entering loadWallet if daemon is already busy loading (#8355)
+   - no auto capitalization on import and master key text fields (5600375d)
+   - remove Qt virtual keyboard and add Seedkeyboard for seed entry (#8371, #8352)
+   - add runtime toggling of android SECURE_FLAG, to allow screenshots (#8351)
+   - restrict cases where server is shown "lagging" (53d61c01)
+ * fix hardened char "h" vs "'" needed for some hw wallets (#8364, 499f5153)
+ * fix digitalbitbox(1) support (22b8c4e3)
+ * fix wrong type for "history_rates" config option (#8367)
+ * fix issues with wallet.get_tx_parents (a1bfea61, 56fa8325)
+
+
+# Release 4.4.1 (April 27, 2023)
+ * Qt GUI:
+   - fix sweeping (#8340)
+   - fix send tab input_qr_from_camera (#8342)
+   - fix crash reporter showing if send fails on typical errors (#8312)
+   - bumpfee: disallow targeting an abs fee. only allow feerate (#8318)
+ * QML GUI:
+   - fix offline-signing or co-signing pre-segwit txs (#8319)
+   - add option to show onchain address in ReceiveDetailsDialog (#8331)
+   - fix strings unique to QML did not get localized/translated (#8323)
+   - allow paying bip21 uri onchain that has both onchain and bolt11
+     if we cannot pay on LN (#8334, 312e50e9)
+   - virtual keyboard: make buttons somewhat larger (75e65c5c)
+   - fix(?) Android crash with some OS-accessibility settings (#8344)
+   - fix channelopener.connectStr qr scan popping under (#8335)
+   - fix restoring from old mpk (watchonly for "old" seeds) (#8356)
+ * libsecp256k1: add runtime support for 0.3.x, bump bundled to 0.3.1
+ * forbid paying to "http:" lnurls (enforce https or .onion) (1b5c7d46)
+ * fix wallet.bump_fee "decrease payment" erroring on too high target
+   fee rate (#8316)
+ * fix performance regressions in tx logic (ee521545, 910832c1)
+ * fix "recursion depth exceeded" for utxo privacy analysis (#8315)
+
+
+# Release 4.4.0 (April 18, 2023)
+
+ * New Android app, using QML instead of Kivy
+   - Using Qt 5.15.7, PyQt 5.15.9
+   - This release still on python3.8
+   - Feature parity with Kivy
+   - Android Back button used throughout, for cancel/close/back
+   - Note: two topbar menus; tap wallet name for wallet menu, tap
+     network orb for application menu
+   - Note: long-press Receive/Send for list of payment requests/invoices
+ * Qt GUI improvements
+   - New onchain transaction creation flow, with configurable preview
+   - Various options have been moved to toolbars, where their effect
+     can be more directly observed.
+ * Privacy features:
+    - lightning: support for option scid_alias.
+    - Qt GUI: UTXO privacy analysis: this dialog displays all the
+      wallet transactions that are either parent of a UTXO, or can be
+      related to it through address reuse (Note that in the case of
+      address reuse, it does not display children transactions.)
+    - Coins tab: New menu that lets users easily spend a selection
+      of UTXOs into a new channel, or into a submarine swap (Qt GUI).
+ * Internal:
+    - Lightning invoices are regenerated everytime routing hints are
+      deprecated due to liquidity changes.
+    - Script descriptors are used internally to sign transactions.
+
+
+# Release 4.3.4 - Copyright is Dubious (January 26, 2023)
+ * Lightning:
+   - make sending trampoline payments more reliable (5251e7f8)
+   - use different trampoline feature bits than eclair (#8141)
+ * invoice-handling: fix get_request_by_addr incorrectly mapping
+   addresses to request ids when an address was reused (#8113)
+ * fix a deadlock in wallet.py (52e2da3a)
+ * CLI: detect if daemon is already running (c7e2125f)
+ * add an AppStream metainfo.xml file for Linux packagers (#8149)
+ * payserver plugin:
+   -replaced vendored qrcode lib
+   -added tabs for on-chain and lightning invoices
+   -revamped html and javascript
+
+
 # Release 4.3.3 - (January 3, 2023)
  * Lightning:
    - fix handling failed HTLCs in gossip-based routing (#7995)

SECURITY.md

@@ -2,12 +2,15 @@
 
 ## Reporting a Vulnerability
 
-The following keys may be used to communicate sensitive information to developers:
+To report security issues, send an email to the addresses listed below (not for support).
+Please send any report to all emails listed here.
+The following GPG keys may be used to communicate sensitive information to developers.
 
-| Name | Email | Fingerprint |
-|------|-------|----------------|
-| ThomasV | thomasv@electrum.org | 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 |
-| SomberNight | somber.night@protonmail.com | 4AD6 4339 DFA0 5E20 B3F6 AD51 E7B7 48CD AF5E 5ED9 |
+
+| Name        | Email                                  | GPG fingerprint                                   |
+|-------------|----------------------------------------|---------------------------------------------------|
+| ThomasV     | thomasv [AT] electrum [DOT] org        | 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 |
+| SomberNight | somber.night [AT] protonmail [DOT] com | 4AD6 4339 DFA0 5E20 B3F6 AD51 E7B7 48CD AF5E 5ED9 |
 
 You can import a key by running the following command with that
 individual’s fingerprint: `gpg --recv-keys "<fingerprint>"`