
Topic: Verifiable builds need attention. Only 3 of 68 Android wallets are verifiable (Read 598 times)

full member
Activity: 1092
Merit: 227
First of all thank you for the great work you are doing with the wallet scrutiny, I just stumbled upon your thread while I was reading through this section. It is amazing how you started your journey since 2019 and have already sirupted lot of information about various wallets. I think CoinBase is now even worse at this point. The user base has outgrown the previously published number which means there are more and more users who just want to use nice looking apps, with easy to handle request. I mean pick a wallet which is non custodial, they have basic UI, (though it's advancing) people are not used to it somehow. Maybe they like to share their private keys with the custodial wallets. Sadly the number of such wallets is huge which makes us think there is such under education about the "Not your keys, not your bitcoin".

So because they point out that a custodial wallet is custodial, that custodial wallet attempted frivolous legal action because they didn't like someone pointing out that they are custodial? Roll Eyes
We should clearly name those custodial wallets and tell more people to avoid using them.
WalletScrutiny received these legal actions two times so far, first time it was from Mercado Bitcoin, and now they received it from Foxbit.
Both of these services are located in Brazil, that makes me think there is some connection between them, and this was a targeted attack.

I am sure this is a targeted attack only. They are just trying to take down the information and do not want to get hampered with their brand. This is what makes them afraid. Since you are openly stating the information about the custodial wallets they would lose the client base. Not sure how you are going to fight back but definitely under information acts this isn't illegal. Good luck.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
MercadoBitcoin's review was removed due to a DMCA takedown notice and I had forgotten to put it back up until the Foxbit takedown notice.

Today the latter just had its deadline to take court action expired, so I will re-instantiate it, too.

Excuse me, but what the fuck is going on? Are some companies apparently angry at your website or something? Huh
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
MercadoBitcoin's review was removed due to a DMCA takedown notice and I had forgotten to put it back up until the Foxbit takedown notice.

Today the latter just had its deadline to take court action expired, so I will re-instantiate it, too.
legendary
Activity: 2212
Merit: 7064
So because they point out that a custodial wallet is custodial, that custodial wallet attempted frivolous legal action because they didn't like someone pointing out that they are custodial? Roll Eyes
We should clearly name those custodial wallets and tell more people to avoid using them.
WalletScrutiny received these legal actions two times so far, first time it was from Mercado Bitcoin, and now they received it from Foxbit.
Both of these services are located in Brazil, that makes me think there is some connection between them, and this was a targeted attack.
hero member
Activity: 630
Merit: 510
WalletScrutiny website was recently shut down due to a DMCA takedown notice, and it was unavailable for a few days but now it's working again.
I don't know why anyone would have a problem with website like this, but maybe some closed source wallets and centralized exchanges are involved with this.
If you want to follow what happened follow their twitter account @WalletScrutiny.
The power of these "custodial exchanges" and the time that a lawyer took to litigation and all this for open source code?
I will download the website files, run it offline, and will everywhere give Foxbit (which was the reason for DMCA) a negative rating. Cool

187 wallets with No Source! and 591 Custodial! All this in a decentralized industry.
legendary
Activity: 2268
Merit: 18771
So because they point out that a custodial wallet is custodial, that custodial wallet attempted frivolous legal action because they didn't like someone pointing out that they are custodial? Roll Eyes

What incredibly scummy and shady behavior, but unfortunately anyone who is already using a custodial wallet is unlikely to be swayed by said behavior.
legendary
Activity: 2212
Merit: 7064
WalletScrutiny website was recently shut down due to a DMCA takedown notice, and it was unavailable for a few days but now it's working again.
I don't know why anyone would have a problem with website like this, but maybe some closed source wallets and centralized exchanges are involved with this.
If you want to follow what happened follow their twitter account @WalletScrutiny.
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
Some people also reported that NVK blocked them on twitter so they can't comment on any of coldcard twitter posts, and he is hating all other hardware wallet devices...

#metoo
legendary
Activity: 2212
Merit: 7064
Cringy :/ I used the term "open source" in a sloppy way, too but once somebody complained, I replaced it everywhere with "public source", as that is what I need to reproduce binaries.
I don't know why NVK is pushing this open source label so hard, but it's crystal clear that you can't have Commons Clause license in your code and still advertise code of your device as open source.
Some people also reported that NVK blocked them on twitter so they can't comment on any of coldcard twitter posts, and he is hating all other hardware wallet devices...
Quote
Is this “Open Source”?
No.
https://commonsclause.com/
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
btw ColdCard wallet is not open source anymore, but he still claims differently on his website... maybe he will change that in future also Smiley

Cringy :/ I used the term "open source" in a sloppy way, too but once somebody complained, I replaced it everywhere with "public source", as that is what I need to reproduce binaries.

As long as the site is not created to advertise certain project(s) and as long as they are giving correct information instead of falsified claims, things can remain healthy otherwise that's another case of why centralized "review" sites are generally bad.

WalletScrutiny is certainly not created to advertise any specific products. I did work for Mycelium before but I quit because of this conflict of interest and I'm pretty open about my disagreements in direction when it comes to shitcoins. Ideally WS would be easy to fork though but I don't dare yet to make the reviews themselves creative commons or something. The framework and tools are open source already though.
legendary
Activity: 3472
Merit: 10611
I don't think there is anything wrong with some (healthy) competition and it can help improve both of your websites.
As long as the site is not created to advertise certain project(s) and as long as they are giving correct information instead of falsified claims, things can remain healthy otherwise that's another case of why centralized "review" sites are generally bad.
legendary
Activity: 2212
Merit: 7064
I feel like bitcoinbinary was launched as a reaction to WalletScrutiny's review of ColdCard. It's @NVK's project.
Yeah it's his project, and he even ''donated'' himself, but it appears he now removed that info from the page bottom (maybe because of my remarks), however it was archived on time Coinkite = Coldcard = NVK Smiley
I don't think there is anything wrong with some (healthy) competition and it can help improve both of your websites.

btw ColdCard wallet is not open source anymore, but he still claims differently on his website... maybe he will change that in future also Smiley


https://coldcard.com/
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
I feel like bitcoinbinary was launched as a reaction to WalletScrutiny's review of ColdCard. It's @NVK's project.
legendary
Activity: 2212
Merit: 7064
There is one alternative website I found for WalletScrutiny and it is called bitcoinbinary.org, interesting part is that one of bitcointalk moderators achow101 was testing wallets and participating in this exercise,
I don't know if this website is sponsored by Coinkite aka Coldcard, but they did receive 0.025 BTC donation from them and GitHub page is posted on Coinkite github,
so it looks like ColdCard wanted to prove how their code is still reproducible even if it's not open source anymore.
Conclusion is that many wallets have bad documentation or incorrect build instructions so they couldn't be reproduced.


Github: https://github.com/coinkite/bitcoinbinary.org
Website: https://bitcoinbinary.org/

legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
...
How exactly are you testing Hardware Wallets?
I guess you first need to have actual device in your hand (purchased or received for testing from manufacturer) and then try to reproduce the code.

We look at claims about the functionality of the device to see if it falls into any of the k.o. criteria like not having a screen to verify what you approve. Then we look for the source code and the binary. If the source code compiles into the binary, the wallet is reproducible. Check out our full methodology.

So ... if you want to help, there is a ton to do from simple triage to compilation to design to spreading the word. Wink
I am helping in spreading the word about WalletScrutiny and I am monitoring hardware wallet changes, especially if they claim they are open source.
You can track that in my topics that are updated on a regular basis like this one for example: LIST - Open Source Hardware Wallets.

I think we have all the products you list. We have to review most of them still.
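
The comparison step described in the post above (rebuild from source, then check the result against the published binary), as an added example that is not part of the original thread and not WalletScrutiny's own tooling. It assumes an Android APK whose only unreproducible entries are the JAR-signing files under META-INF/; the helper names are hypothetical and the sample archives are constructed in memory.

```python
import hashlib
import io
import zipfile

# Assumption: only JAR-signing files differ between the publisher's signed
# release and an unsigned third-party rebuild; everything else must match.
SIG_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")

def is_signature_file(name):
    """True for META-INF signing entries that a rebuild cannot reproduce."""
    return name == "META-INF/MANIFEST.MF" or (
        name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES))

def entry_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or is_signature_file(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests

def compare_builds(released, rebuilt):
    """Return (verdict, differences) for a released vs. locally rebuilt APK."""
    a, b = entry_digests(released), entry_digests(rebuilt)
    diffs = sorted(
        [f"only in released: {n}" for n in a.keys() - b.keys()]
        + [f"only in rebuilt: {n}" for n in b.keys() - a.keys()]
        + [f"content differs: {n}" for n in a.keys() & b.keys() if a[n] != b[n]])
    return ("reproducible" if not diffs else "not reproducible", diffs)

def make_apk(entries):
    """Build a constructed, in-memory stand-in for an APK (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample inputs, not real wallet binaries.
REBUILT = make_apk({"classes.dex": b"dex-v1", "res/layout.xml": b"<l/>"})
RELEASED_OK = make_apk({"classes.dex": b"dex-v1", "res/layout.xml": b"<l/>",
                        "META-INF/CERT.RSA": b"store-signature"})
RELEASED_BAD = make_apk({"classes.dex": b"dex-v1+extra", "res/layout.xml": b"<l/>",
                         "META-INF/CERT.RSA": b"store-signature"})

if __name__ == "__main__":
    for label, released in (("ok", RELEASED_OK), ("bad", RELEASED_BAD)):
        print(label, compare_builds(released, REBUILT))
```

A file-level hash of the two archives would differ even in the reproducible case because of the signature entry, which is why the comparison is done per entry.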
legendary
Activity: 2212
Merit: 7064
...
How exactly are you testing Hardware Wallets?
I guess you first need to have actual device in your hand (purchased or received for testing from manufacturer) and then try to reproduce the code.

So ... if you want to help, there is a ton to do from simple triage to compilation to design to spreading the word. Wink
I am helping in spreading the word about WalletScrutiny and I am monitoring hardware wallet changes, especially if they claim they are open source.
You can track that in my topics that are updated on a regular basis like this one for example: LIST - Open Source Hardware Wallets.

legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
Hi dkbit98,

WalletScrutiny is a ton of work and we are a small team, only.

In our Methodology you can read our priorities:

Quote
1. Re-evaluate new releases of Reproducible wallets as they become available. If users opt for a wallet because it is reproducible, they should be waiting for this re-evaluation before updating.

Today I tested the latest releases of AirGap Vault and Green Wallet. Today, Green was a bit more work than usual.

Quote
2. Check if any of the Unreproducible! wallets updated their issues on their repositories.

We really hope to see more reproducible products, so we always have an eye on the dozens of open issues.

Quote
3. Make general improvements of the platform

That is a catch-all for improving scripts, design and often just investigations. It's probably the bulk of the work.

Quote
4. Evaluate the most relevant Development wallets

For Android we have a good proxy for relevance - downloads. For iPhone we don't and neither for hardware wallets.

Unfortunately we are not progressing in the top category as fast as I wish we would but that has to do with severe lack of people to work with code. The k.o. criteria (custodial, bad interface, defunct, ...) are verdicts relatively inexperienced Bitcoiners can come to but when it comes to reproducing a wallet, it's mostly on me. Emanuel also does play with code and does a ton of work but refuses to open merge requests, so writing the difficult reviews is all on one person that also looks into all the other stuff.

So ... if you want to help, there is a ton to do from simple triage to compilation to design to spreading the word. Wink
legendary
Activity: 2212
Merit: 7064
WalletScrutiny website added many hardware wallets on their website and only four of them had reproducible codes, Trezor model One, Trezor model T, BitBox02 and KeepKey.
I was a bit surprised to see that ColdCard wallet is still under development, but maybe @giszmo and his team didn't have enough time to finish testing for ColdCard and other wallets that are known to be Open Source.
They made several categories like Defunct (feature many dead wallets), No Source (Ledger), Bad Interface (Coldlar, Secalot, Bepal), Leaks Keys (Opendime), Development (ColdCard and many other wallets), and No BTC category.
I noticed some hardware wallets are missing from the list, like Keystone that should be open source, and it is now replacing defunct Cobo hardware wallet.
Clicking on each wallet is showing small window with basic information, price, size, review date, links and detailed full analysis report.


https://walletscrutiny.com/?verdict=all&platform=hardware

I have to give props to giszmo and his team for keeping their promise and doing this huge work of adding hardware wallets like they promised.
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
If you think like that then you should not consider Lightning Network Bitcoin as a real Bitcoin and any wallet that is using LN (custodial or not) should not be on WalletScrutiny website.
Bitcoin Blue wallet is not custodial, and you can create separate page for all Lightning Network wallets and other second layer solutions if you want.
LN Blue wallet can be custodial and non-custodial and there are many shitcoins that can work with LN and not just Bitcoin.
Just my suggestion.

LN Blue wallet is by default custodial and does not warn the user.

I see your point for LN-only wallets like Phoenix but else, the protocol not being as good as Bitcoin in the presence of an actual non-custodial Bitcoin account doesn't make the wallet custodial. Maybe Phoenix is "not a BTC wallet" but certainly not custodial.
legendary
Activity: 2212
Merit: 7064
...

If you think like that then you should not consider Lightning Network Bitcoin as a real Bitcoin and any wallet that is using LN (custodial or not) should not be on WalletScrutiny website.
Bitcoin Blue wallet is not custodial, and you can create separate page for all Lightning Network wallets and other second layer solutions if you want.
LN Blue wallet can be custodial and non-custodial and there are many shitcoins that can work with LN and not just Bitcoin.
Just my suggestion.