
Topic: Anyone use a COLDCARD hardware wallet? - page 2. (Read 492 times)

legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
October 28, 2023, 02:52:43 AM
#26
Is reproducible does not mean it is open source or the site is not correct about it.
Reproducibility is one segment of open-source code. It's one of the conditions to be considered open-source, but not the only one. In an open-source world, you would be able to take any such code, modify it, better it, change it, put it in your product, and sell that product. If someone finds what you did useful, they could take your code and do the same, or just copy it in its entirety with no or minor changes. Coldcard doesn't allow anyone to use their codebase in the products they will later sell. But the funny part is that they built their own hardware wallets on open-source code written by others.

I use a ColdCard but am thinking of moving to something else.
They seem to be dropping support for older HW and I really don't like the attitude of 'just buy a new one'
How many updates are really needed in an airgapped wallet like the Coldcard? It only supports Bitcoin and is a simple signing device of transactions that are later exported and broadcasted elsewhere. Are your devices not working as they should for some reason that would warrant a fix in the form of an update?
legendary
Activity: 3458
Merit: 6231
October 27, 2023, 02:46:48 PM
#25
I use a ColdCard but am thinking of moving to something else.
They seem to be dropping support for older HW and I really don't like the attitude of 'just buy a new one'
The Mk1 and Mk2 are no longer getting updates and the Mk3 is barely getting any.

So I had a 1 and then a 2 and now a 3. Sorry, you are not getting my money for a 4 or anything else. When it dies I'll move to something else.
Not saying that it would be better, but not even giving a you bought a bunch over the years here is a nice deal on a new one discount, just irks me.

-Dave
newbie
Activity: 0
Merit: 0
October 27, 2023, 11:13:50 AM
#24
Yes. It is source verifiable. It is not open source.
I was thinking Coldcard is open source but it is not. I check this site that says their source code is reproducible: https://walletscrutiny.com/hardware/coldcardMk4/

Is reproducible does not mean it is open source or the site is not correct about it.

Reproducible is far far better than closed source but not quite as optimal as fully open source. Fully open source incentivizes a larger pool of actors to scrutinize the code and build/fix/improve it as needed. Nothing is stopping anybody from examining and playing around with a source verifiable code, but without the financial incentive to use and build upon the code there won't be as many people spending their time.
legendary
Activity: 2268
Merit: 18509
October 27, 2023, 07:44:50 AM
#23
You don’t need a lot of skilled wallet users, just a few is enough to make the presence of any bugs available to community.
Even Bitcoin Core has flaws and vulnerabilities which are identified, or even on occasion not identified before they were exploited, despite significantly more pairs of eyes on its code than on the code of an individual wallet. Despite how technically competent an individual reviewer is, more reviewers will always be safer. And you will get more reviewers if your code is open source and those reviewers have an incentive to spend their time examining your code.

-snip-
I don't disagree with any of that, but their code is still not open source and to call it such is simply incorrect.

Is reproducible does not mean it is open source or the site is not correct about it.
Read my previous replies in this thread. The source code is reproducible but it is not open source.

legendary
Activity: 2856
Merit: 7410
October 27, 2023, 05:42:56 AM
#22
--snip--

Very reasonable that they forbid to sell purely their code, but they allow to use it in any other commercial product and sell those products based on their software. Again, according to the definition of MIT-licence the software which is liable to it is open source. I have never encountered the contradictions to this coming from reputable sources.

FOSS and open source are two different things.

While others already clarify why CC isn't open source, i'd like to mention "Free" in FOSS actually refer to freedom or liberty, not money.
hero member
Activity: 868
Merit: 1094
October 27, 2023, 03:03:21 AM
#21
Yes. It is source verifiable. It is not open source.
I was thinking Coldcard is open source but it is not. I check this site that says their source code is reproducible: https://walletscrutiny.com/hardware/coldcardMk4/

Is reproducible does not mean it is open source or the site is not correct about it.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
October 26, 2023, 02:09:04 PM
#20
A few thoughts. Firstly, no objections to anything in your post. But, Coldcard's license doesn't stop anyone from sharing their ideas or suggesting modifications to Coinkite. What they can't do is create their own products based on that code and sell it. This is a douchebag move by their team, I have no doubt about that. If you don't want to have anything to do with Coinkite or their developers, that's fine. But you could work on the code if you wanted to. And the end-user who is not interested in building and selling software, but verifying it and checking the code, can do that.
hero member
Activity: 714
Merit: 1298
October 26, 2023, 01:54:25 PM
#19
Consider the perspective of an ordinary wallet user whose sole concern is the availability of  code for scrutiny and verification.
An ordinary wallet user does not have the requisite knowledge or ability to review the code themselves, and thus they rely on the community doing it for them and publicly flagging up any bugs,

Do you think that ordinary wallet user like, let's say n0nce, requires outside  help to  review the code himself?

Do you think that he will not flag bugs (if any)  in the code  and be silent on his finding?

You don’t need a lot of  skilled wallet users, just a few is enough  to make the presence of  any bugs  available to community.

means that none of these projects, companies, developers, etc., will bother looking at the code,

rather, they will scrutinize the code with alacrity to blow the trumpet of found bugs. Grin
legendary
Activity: 2268
Merit: 18509
October 26, 2023, 01:36:17 PM
#18
Consider the perspective of an ordinary wallet user whose sole concern is the availability of  code for scrutiny and verification.
An ordinary wallet user does not have the requisite knowledge or ability to review the code themselves, and thus they rely on the community doing it for them and publicly flagging up any bugs, vulnerabilities, suspicious or malicious code. And code which is not open source and therefore prevents other projects, companies, developers, etc., from using that code in their products means that none of these projects, companies, developers, etc., will bother looking at the code, probing the limits of the code, building on top of the code, and so forth. Why would they waste their time going through the GitHub of a "source verifiable" project knowing they can't do anything with that code, when they could spend their time going through the GitHub of an "open source" project knowing they can use that code for anything they like?

"Source accessible" or "source verifiable" simply means fewer people will be looking at the code than they would if it were open source. And for the ordinary wallet user, this is what matters.
hero member
Activity: 714
Merit: 1298
October 26, 2023, 12:40:59 PM
#17
Is the source open and can anyone read it and verify? Yes, that's what's important for me, as a wallet owner. Do you want to learn more about bitcoin hardware wallet softwares? You can read every single line of their source code anytime you wish, so, you can learn from them and come up with your product if it's better and not totally based on their source code.

Supporting this point. Consider the perspective of an ordinary wallet user whose sole concern is the availability of  code for scrutiny and verification. To such a user, referring to the Commons Clause attached to the MIT license accompanied CC product appears to be nothing more than a sheer casuistic. From their standpoint, all they seek is open access to the code, making the presence of the Commons Clause seem irrelevant.

newbie
Activity: 0
Merit: 0
October 26, 2023, 12:25:23 PM
#16
Coldcard is an absolute beast of a wallet, definitely one of the best out there but you really need to know what you're doing with it. It's not for beginners - or rather it's not for beginners who don't want to take things slow and patiently and learn. It doesn't hold your hand like Ledger or Trezor and it has so many options and features that if you don't understand what you're doing and just press buttons you can really fuck yourself up.

There was somebody in a Reddit thread the other day that opted not to use Coldcard's TRNG (default option) and instead selected to generate their own entropy via dice rolls. When doing so you must use at least 99 dice rolls to generate sufficient entropy - but this person used ONE roll, and because of this, the entropy was at an absolute minimum which will generate one of only 6 possible seeds which are obviously monitored by bots hoping to catch such a mistake and his funds were swept.

Coldcard does have warnings throughout this process but you still need to be aware of what you're doing. Most people just mash the "ok" button at every prompt and read nothing. There's also another option to let the TRNG generate the seed and then "mix in" dice rolls. So 3 different ways to generate a seed with it and you need to understand each one. Compare this to Ledger where the entire setup process is completely braindead and simple.
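The dice-roll failure described in the post above, as an added example that is not part of the original thread and not Coldcard's code. It assumes the seed entropy is derived as SHA-256 of the ASCII roll string (an assumption, not stated in the post) and uses the post's 99-roll minimum; the sample roll string is constructed.

```python
import hashlib
import itertools
import math

BITS_PER_ROLL = math.log2(6)   # a fair six-sided die gives ~2.585 bits per roll
MIN_ROLLS = 99                 # minimum quoted in the post above

# Constructed sample input (a fixed pattern, for demonstration only).
SAMPLE_ROLLS = ("123456" * 17)[:99]


def entropy_bits(num_rolls: int) -> float:
    """Upper bound on the entropy contributed by num_rolls fair dice rolls."""
    return num_rolls * BITS_PER_ROLL


def derive_entropy(rolls: str) -> bytes:
    """ASSUMED scheme: 32-byte seed entropy = SHA-256 of the ASCII roll string."""
    return hashlib.sha256(rolls.encode("ascii")).digest()


def distinct_seeds(num_rolls: int) -> int:
    """Count the different outputs derive_entropy() can produce for a given
    number of rolls (enumerates every roll string, so keep num_rolls small)."""
    digests = {
        derive_entropy("".join(combo))
        for combo in itertools.product("123456", repeat=num_rolls)
    }
    return len(digests)


def checked_entropy(rolls: str, min_rolls: int = MIN_ROLLS) -> bytes:
    """Refuse to derive a seed from malformed or too-short dice input."""
    if not rolls or any(c not in "123456" for c in rolls):
        raise ValueError("rolls must be a non-empty string of digits 1-6")
    if len(rolls) < min_rolls:
        raise ValueError(
            f"{len(rolls)} roll(s) give at most "
            f"{entropy_bits(len(rolls)):.1f} bits; need {min_rolls} rolls"
        )
    return derive_entropy(rolls)


if __name__ == "__main__":
    # The hash output is always 256 bits long, but it cannot contain more
    # entropy than its input: one roll can only ever map to six seeds.
    for n in (1, 2, 3):
        print(f"{n} roll(s): {distinct_seeds(n)} possible seeds, "
              f"{entropy_bits(n):.1f} bits")
    print(f"{MIN_ROLLS} rolls: {entropy_bits(MIN_ROLLS):.1f} bits")
    try:
        checked_entropy("4")
    except ValueError as err:
        print("rejected:", err)
    print("accepted:", checked_entropy(SAMPLE_ROLLS).hex())
```
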
legendary
Activity: 2268
Merit: 18509
October 26, 2023, 11:43:13 AM
#15
I just want to explain that ColdCard's source is available for anyone to use and verify
Yes. It is source verifiable. It is not open source.

Both of them are not open source but there is a huge difference.
Then you can explain that difference, but calling Coldcard open source when it's not is simply incorrect.

Ledger also claimed that they were moving to open source, and then created a new license for their code called "Source Code Accessibility License" which is also not open source. "Open source doesn’t just mean access to the source code."

In a business where you work days and nights to write a code and there is a danger that rich businessman will copy and paste your code and sell a clone but dive you because of money and better marketing, I think it's okay to protect yourself from this danger.
And yet, this is exactly what Coldcard did to Trezor code: https://nitter.cz/PavolRusnak/status/1022107617328619520#m. Why is it OK for Coldcard to use other people's code, but it's not OK for other people to use Coldcard's code?
legendary
Activity: 2212
Merit: 7064
October 26, 2023, 11:41:33 AM
#14
* Takes open source to the next level: The open source code can be viewed, verified and compiled directly from the device itself.
They took the code to lower levels.
I don't know how many times I have to repeat this, but Coldcard firmware is NOT open source!
They changed the code to Commons Clause, that can be verified, and they only changed this on their website after big complaints from community members.
Coldcard basically false advertised their product as open source for some time, and I have proofs for that.
I am not saying they have a bad product, but their owner NVK looks like an ego freak.

Here is Before and After photos:



Quote
Is this “Open Source”?
No.
https://commonsclause.com/

End of story.
hero member
Activity: 840
Merit: 756
October 26, 2023, 11:10:01 AM
#13
I am not going to tolerate anyone saying Passport is a "copy-paste"; at this point it is a ridiculous statement. As we've said many times before, we ported parts of the codebase to a fresh MicroPython repo.

It is impossible for Passport to be a copy-paste because it's completely different hardware with different hardware features. We have an entire GUI as well. Take 5 minutes to do a diff between our repos and you will quickly see that it's a load of nonsense. It's blatant slander by NVK and team.

You cannot seriously try to compare Coldcard to Nikola Tesla when they simply started a MicroPython project, pulled in Trezor's crypto libraries, added a secure element, and wrote some PSBT code. Everyone is building on top of everyone else; that is how open source is supposed to work.
Wow, glad to see you here, I didn't know if you were on this forum.
By the way, I have mentioned that your GUI is different from Coldcard and I don't say your hardware is copy/paste. You improved GUI side of ColdCard and made your wallet easier to use, what I said above was only about code. Your wallet has camera also, it's good, no one says it's bad. I often recommend your wallet and CC to people.

I just want to explain that ColdCard's source is available for anyone to use and verify, that's all that matters for users. When people simply say ColdCard isn't open source, it looks like ColdCard and Ledger are comparable in terms of status of their code. Both of them are not open source but there is a huge difference. Ledger is closed-source, no one can check what code their Ledger runs but ColdCard is not open source in a sense that they don't allow competitors to simply copy their work, on another hand, anyone can see and verify the code. This doesn't make them bad and doesn't ruin their reputation. In a business where you work days and nights to write a code and there is a danger that rich businessman will copy and paste your code and sell a clone but dive you because of money and better marketing, I think it's okay to protect yourself from this danger.


member
Activity: 58
Merit: 104
October 26, 2023, 10:35:09 AM
#12
We discussed this before, and my point remains the same: Coldcard used a huge variety of open source libraries and code when they built their device. To turn around and prevent people doing the same for their code is hypocrisy.
Yes, we discussed it before and I remember it very well, I read all of your posted sources too.
Yes, they used but Coldcard is not a Trezor's copy/paste while Passport is CC's copy/paste. Passport is the reason why CC is not open-source.

If you are worried about someone building on top of your code and making a better product, the solution is to improve your own product, not stifle development and innovation, which is bad for everyone.
You put endless work to improve your product, then Passport copy/pastes it and both of you are on the same level. The difference is, you do the work and they gain the benefits. We can compare CC and Passport to Nikola Tesla and Thomas Edison.

Where would bitcoin be now if Satoshi had released bitcoin under a "source verifiable" license but prevented other people from developing on top of it?
Bitcoin is not the first cryptocurrency but somehow it became massively popular and none copy/pasted altcoins or even improved altcoins took it over and it's a little strange for me. Bitcoin users usually say that what they love about bitcoin is its decentralized nature and anonymity (it's not) and then my question is, why choose Bitcoin when you have Monero?
By the way Satoshi has mined lots of bitcoins for himself, so, what he has to worry about?


My point is that the fact that ColdCard is a source verifiable doesn't make it any bad, I would use this wallet at any time because it's superior compared to other mainstream wallets.
Will Coldcard improve its product if they gain financial profit? Sure. Is the source open and can anyone read it and verify? Yes, that's what's important for me, as a wallet owner. Do you want to learn more about bitcoin hardware wallet softwares? You can read every single line of their source code anytime you wish, so, you can learn from them and come up with your product if it's better and not totally based on their source code.

I am not going to tolerate anyone saying Passport is a "copy-paste"; at this point it is a ridiculous statement. As we've said many times before, we ported parts of the codebase to a fresh MicroPython repo.

It is impossible for Passport to be a copy-paste because it's completely different hardware with different hardware features. We have an entire GUI as well. Take 5 minutes to do a diff between our repos and you will quickly see that it's a load of nonsense. It's blatant slander by NVK and team.

You cannot seriously try to compare Coldcard to Nikola Tesla when they simply started a MicroPython project, pulled in Trezor's crypto libraries, added a secure element, and wrote some PSBT code. Everyone is building on top of everyone else; that is how open source is supposed to work.
hero member
Activity: 840
Merit: 756
October 26, 2023, 08:57:07 AM
#11
We discussed this before, and my point remains the same: Coldcard used a huge variety of open source libraries and code when they built their device. To turn around and prevent people doing the same for their code is hypocrisy.
Yes, we discussed it before and I remember it very well, I read all of your posted sources too.
Yes, they used but Coldcard is not a Trezor's copy/paste while Passport is CC's copy/paste. Passport is the reason why CC is not open-source.

If you are worried about someone building on top of your code and making a better product, the solution is to improve your own product, not stifle development and innovation, which is bad for everyone.
You put endless work to improve your product, then Passport copy/pastes it and both of you are on the same level. The difference is, you do the work and they gain the benefits. We can compare CC and Passport to Nikola Tesla and Thomas Edison.

Where would bitcoin be now if Satoshi had released bitcoin under a "source verifiable" license but prevented other people from developing on top of it?
Bitcoin is not the first cryptocurrency but somehow it became massively popular and none copy/pasted altcoins or even improved altcoins took it over and it's a little strange for me. Bitcoin users usually say that what they love about bitcoin is its decentralized nature and anonymity (it's not) and then my question is, why choose Bitcoin when you have Monero?
By the way Satoshi has mined lots of bitcoins for himself, so, what he has to worry about?


My point is that the fact that ColdCard is a source verifiable doesn't make it any bad, I would use this wallet at any time because it's superior compared to other mainstream wallets.
Will Coldcard improve its product if they gain financial profit? Sure. Is the source open and can anyone read it and verify? Yes, that's what's important for me, as a wallet owner. Do you want to learn more about bitcoin hardware wallet softwares? You can read every single line of their source code anytime you wish, so, you can learn from them and come up with your product if it's better and not totally based on their source code.
legendary
Activity: 2268
Merit: 18509
October 26, 2023, 08:27:06 AM
#10
Very reasonable that they forbid to sell purely their code, but they allow to use it in any other commercial product and sell those products based on their software.
No, they don't. A quote from their license, with emphasis added:

Again, according to the definition of MIT-licence the software which is liable to it is open source. I have never encountered the contradictions to this coming from reputable sources.
How about the source of the people who wrote the Commons Clause license Coldcard use in the first place:

Code clearly states: MIT licence.
MIT with Commons Clause attached, which makes it not open source.
hero member
Activity: 714
Merit: 1298
October 26, 2023, 08:19:16 AM
#9
* Takes open source to the next level: The open source code can be viewed, verified and compiled directly from the device itself.
This is not correct. Coldcard is not open source, but rather, it is "source verifiable".

You can see their license here: https://github.com/Coldcard/firmware/blob/master/COPYING-CC


License: MIT

--snip--

CC 1.0 forbid to sell the software which makes it NOT open source.

Very reasonable that they forbid to sell purely their code, but they allow to use it in any other commercial product and sell those products based on their software. Again, according to the definition of MIT-licence the software which is liable to it is open source. I have never encountered the contradictions to this coming from reputable sources.

FOSS and open source are two different things.

Even the Coldcard website doesn't claim they are open source - they are source verifiable.

Code clearly states: MIT licence.
legendary
Activity: 2268
Merit: 18509
October 26, 2023, 07:59:43 AM
#8
It's true that they copied others and use their work but Coldcard still came up with more unique product that no one has created before.
We discussed this before, and my point remains the same: Coldcard used a huge variety of open source libraries and code when they built their device. To turn around and prevent people doing the same for their code is hypocrisy.

When ColdCard left their code open-source, The Passport Foundation copied them, improved some UI details if I am not wrong and become a Coldcard's competitor. This means loss of customers, loss of sales and all these because someone copied your code and put it in a new design.
If you are worried about someone building on top of your code and making a better product, the solution is to improve your own product, not stifle development and innovation, which is bad for everyone.

Where would bitcoin be now if Satoshi had released bitcoin under a "source verifiable" license but prevented other people from developing on top of it?

Being under MIT licence it's open source.
It categorically isn't. They add the "Commons Clause" license, meaning they are not open source. Even the Coldcard website doesn't claim they are open source - they are source verifiable.
hero member
Activity: 714
Merit: 1298
October 26, 2023, 07:50:59 AM
#7
* Takes open source to the next level: The open source code can be viewed, verified and compiled directly from the device itself.
This is not correct. Coldcard is not open source, but rather, it is "source verifiable".

You can see their license here: https://github.com/Coldcard/firmware/blob/master/COPYING-CC


License: MIT


Code that is not actually open source is bad for the product and bad for the ecosystem. If no one is actually allowed to use their code in other products, then you are going to have far fewer sets of eyes on the code since there is far less incentive for people to spend their time examining it.

Being under MIT licence ColdCard code is allowed to be used virtually with no restriction. According to fossa.com MIT-licence-code can be used in any software, including commercial one, can be modified and redistributed. Two miserable restrictions: "you can’t hold the code author(s) legally liable for any reason. You also can’t delete the copyright notice and original license from your version of the code".

What is your problem with MIT licence?

Coldcard is not open source.

I have the opposite view. Being under MIT licence it's open source.