Topic: Coinkite ColdCard Mk4 Review (Read 307 times)

You seem very angry, just don't use CC.

There was not Trezor "clonning", you maybe unware that we also contributed to mod-crypto. That was the only lib shared with trezor, many share that lib few years back. It is the norm in any industry to share the same crypto libs, we have since moved to libsec256k1 maintained by core.

You cloned and used parts of original Trezor open source code, and that is ok because they are the first original hardware wallet, and now you are bitching that someone else used and changed your open source code.
I found that extremely egoistic and hypocritical, but you can do whatever you want, it's your product.
Passport released everything including hardware as open source, and they used totally different hardware than Coldcard, so you are obviously going in totally different directions.
Good luck to both of you.

That wouldn't be possible there are thousands of contributors, all would have to agree. CC is largely single source (us), the very few external contributors had no objection.  

Would you care to elaborate about that cloned product?
I heard rumors about a wallet that I really like, so looked into that, compared code bases and didn't find them to be identical or similar at all.
Also lots of changes and features that ColdCard doesn't even have, so that can't be it. I'm intrigued to see who actually made a CC clone.

The intention is Commercial Limitation; ie cloning the whole code base and starting a competing product as it was done ^{[emphasis mine]}.

That wouldn't be possible there are thousands of contributors, all would have to agree. CC is largely single source (us), the very few external contributors had no objection.  

Imagine Bitcoin developers started changing BTC open source code to CC after first shitcoin forks showed up  

Someone could correct me if I am wrong, but I think that you also didn't release your Seed XOR (version of Shamir Secret Sharing) as open source, just showing how wrong your thinking is.
But hey, do whatever you think is best for your product, if you are selling better than ever like you say, you have nothing to complain about.

We found a balance with MIT+CC, you can indeed fork, change it, sell it, the intention is Commercial Limitation; ie cloning the whole code base and starting a competing product as it was done. Funny enough little on the hard stuff we built that was clone has changed on the fork.

I don't presume to speak for Nvk, but I doubt he would get bent out of shape over forking for personal use or in an attempt to improve the code; i.e. add features or enhance security.  Sure, there's no financial incentive to do so, but that doesn't stop people from donating their time for open-source projects that also don't offer incentives.  I'm not a coder, but if someone were to fork the firmware to include support for XMR, I'd be all over that.  

I've been reading up on Common Clause licensing, and it seems many knowledgeable folks are predicting it's days are numbered.  I still don't know how it differs from Creative Commons, but one article suggested that'll be the preferred licensing in the near future for developers that want to be transparent, but restrict the competition from monetizing their work.

Let's fork the damn thing and see what happens.
I remember someone was saying last year that NVK and his legal team has lawsuits ready for anyone that tries to fork coldcard again, so good luck with that.

For Coldcard it's not Creative Commons, it's Common Clause license, there is a difference, and I don't see anything good about that, except ego of single developer being blown up.

Yes you can, I can, DireWolfM14 can anyone can fork it, clone it and do just about whatever you want with it.
You just can't do it for commercial reasons.

Side note, over the last 6 months or so I am really starting to see a greater use for the CreativeCommons license.

You will never have this for ColdCard wallet now after they changed their source code license so you can only view it and not fork it.

-->This is not just about Coldcard, but all hardware wallets. Keep adding bloat and stuff will go wrong.<--

It's only 4MB of memory, but that's plenty for PSBT or wallet files.  And, it's a whole 10% of the HUGE hard drive I bought back in 1989.

I am starting to think they could made all this fuss and fix just to promote this new Virtual Disk feature, because they are very excited about this.

While optimizing performance, we noticed a math bug in the way disk size was calculated. A value was 8196 which should have been 8192. The result is four blocks (512 bytes each) past the end of the “virtual” disk were accessible. Due to the design of our hardware, this is an isolated area in a memory chip called the PSRAM. The extra 2k bytes of accessible memory wrap around to the bottom of the PSRAM, where we store the PSBT during the signing process. No other part of the address map is exposed by this bug.

We were not able to find a means to exploit this bug. The 2k of memory already is available for read/write over the USB port. We allow uploads (and downloads) of PSBT into exactly that area.

Further into the audit, we examined the related subsystems for other issues. We found a few, very-limited logic bugs in the in the Micropython and ST Microsystems open-source code that is related to disk emulation. Our conclusion was those were of no impact, but important to improve the overall hardening in this release. In our experience this class of bugs could lead to vulnerabilities, and should be fixed.

We are still very excited about the Virtual Disk as a means for people using the device without computers (phone-first world). As you know we are a paranoid user-first, so any USB feature should always be disabled by default. And air-gap hardware wallet operation—as we pioneered—is still king.

Although this was an internal discovery, we still like to practice Responsible Disclosure.

It still means it's open-source then.

- BIP85 derived passwords+NFC
- Sign txn w/ missing foreign UTXOs
- Easier QRs scan in bright light
- Fix:Multisig registration order does NOT matter
- Add:importing multisig f/ descriptor
- Add:Addr explorer shows "change"
...

Oh, I get it. So the code is publicly available and you can inspect and verify it if you want. But you are not allowed to use their code for your own software needs and forks. That's OK. It still means it's open-source then. It's an unorthodox way to go about things, but that's their decision.

It's interesting that they are still claiming on their website that the source code is verifiable and open-source. Is it just the firmware that is closed-source or is everything else close-source?