
Topic: Which hardware wallets are open source? (Read 477 times)

legendary
Activity: 2730
Merit: 7065
September 27, 2022, 02:27:38 AM
#29
What gives anyone the right to 'take software and redistribute it (maybe with some changes)' without 'giving back' as in: allowing others to also take this modified version of the software - either to improve the original codebase or to make another product out of it?
Everything and nothing. It sounds more like a question of morality and doing the right thing rather than are you allowed to do it. If something is public and free, then that's exactly what it should be so everyone can use it. I understand that's not the case with MIT licenses, I am just saying. A morally corrupted individual will take someone's free work, wrap it up differently, and sell it as their own.       

I do personally believe that Coinkite removed easily identifiable references of using the Trezor library because of that, compared to Foundation Devices who are clear about it:
...
There are still some references in code comments, though...
https://github.com/Coldcard/firmware/search?q=trezor
Morally corrupted or morally deficient could be some of the ways I would describe such actions.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
September 26, 2022, 02:20:38 PM
#28
You're not wrong, but e.g. their license would not permit them to copy a bug fix from a similar wallet, which is under MIT, due to this clause.
That's again political bullshit that doesn't have to be there. I understand why it is done that way. You have put restraints on your software that don't allow anyone to change it or redistribute it, and as a punishment, you aren't allowed to use anything we release either. Politics.
Don't know if that's your definition of politics, sure.
I think it's good that corporations can't just take FOSS code that people developed for free or made available free of charge and go sell it to customers for big money.
Keep in mind the 2 definitions of free: free as in freedom (free to use FOSS software, modify etc.) and free as in zero-cost (no licensing fees required).
Just like we value 'free' as in 'freedom' in Bitcoin in general; I believe that FOSS should really be the standard in this space.

What gives anyone the right to 'take software and redistribute it (maybe with some changes)' without 'giving back' as in: allowing others to also take this modified version of the software - either to improve the original codebase or to make another product out of it?

I didn't know that. So if I have a piece of software, it needs to be released under an MIT license for me to use any code from any other MIT licensed software?
Correct; that's pretty much the whole gist of the MIT license.

But wasn't ColdCard forked from Trezor's source code, which is also released under an MIT license?
I believe it just uses Trezor's crypto library, which is tried and tested, just like most other hardware wallet vendors. Because, well, it's tried and tested. But that requires the new product to be MIT, as well. Trezor just can't be bothered suing the Coinkite dev team, I guess, but they could easily do that, yes.
I do personally believe that Coinkite removed easily identifiable references of using the Trezor library because of that, compared to Foundation Devices who are clear about it:

  • trezor-firmware Contains a copy of the Trezor source code in order to use Trezor's crypto library. We will likely make this into a git submodule soon to make it even easier to keep the library up to date.

There are still some references in code comments, though...
https://github.com/Coldcard/firmware/search?q=trezor
legendary
Activity: 2730
Merit: 7065
September 26, 2022, 01:58:19 PM
#27
You're not wrong, but e.g. their license would not permit them to copy a bug fix from a similar wallet, which is under MIT, due to this clause.
That's again political bullshit that doesn't have to be there. I understand why it is done that way. You have put restraints on your software that don't allow anyone to change it or redistribute it, and as a punishment, you aren't allowed to use anything we release either. Politics.
 
I didn't know that. So if I have a piece of software, it needs to be released under an MIT license for me to use any code from any other MIT licensed software? But wasn't ColdCard forked from Trezor's source code, which is also released under an MIT license?

Not having an MIT (or similar) license also doesn't permit users to fork the code to add features, fix bugs or continue supporting it after official vendor support ends.
Sadly, that's all true.
legendary
Activity: 1022
Merit: 1341
September 26, 2022, 12:48:24 PM
#26
It's really shocking that I'm only just learning that hardware wallets are of two types, just like all other PC and mobile wallets. My thought was that every hardware wallet was fully open source until a day ago, thanks to this forum. But now, which hardware wallet is open source?

Which of them? You would have to name the two types of hardware wallets that you know of, so that others who do not know can learn it from you. The senior men have given you links and some of the open source wallets. If you like to read articles, you can read this to learn more [BTCDirect], and also use Google to do more research and read more on it.

The following are some of the open source cryptocurrency wallets: Copay, MyEtherWallet, mSIGNA, and Electrum, which is one of the best for now. You can read more at https://opensource.com/article/18/7/crypto-wallets; they are all well explained there. Since you do not yet have enough experience with wallets, please be careful when using open source wallets.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
September 26, 2022, 10:04:20 AM
#25
But allowing/not allowing you to use the source code, making something out of it yourself, and redistributing it, doesn't affect your use of the hardware wallet and its software. Again, assuming you can verify that everything is as it should be.
You're not wrong, but e.g. their license would not permit them to copy a bug fix from a similar wallet, which is under MIT, due to this clause.
Especially looking at something like the Trezor crypto library, which is shared by a lot of hardware wallets and that is / needs to be updated from time to time, I can see how this may cause security issues.
However, mk1 to mk3 are not reproducible by WalletScrutiny as of today (09/25/2022)!
I think this is the case with many other wallets listed on WalletScrutiny right now; maybe they need more time to update and test the latest released wallet versions.
WalletScrutiny doesn't have a big team of people, so we can't expect them to be up to date all the time, but I think they accept help from volunteers.
True; we can donate though, so they can take a bit more time out of their day to do this free service and update wallets more frequently.
legendary
Activity: 2212
Merit: 7064
September 26, 2022, 09:49:57 AM
#24
However, mk1 to mk3 are not reproducible by WalletScrutiny as of today (09/25/2022)!
I think this is the case with many other wallets listed on WalletScrutiny right now; maybe they need more time to update and test the latest released wallet versions.
WalletScrutiny doesn't have a big team of people, so we can't expect them to be up to date all the time, but I think they accept help from volunteers.
There is also the option of using an alternative to WalletScrutiny, called BitcoinBinary, but note that this website is owned by ColdCard ;)
https://bitcoinbinary.org/
legendary
Activity: 2730
Merit: 7065
September 26, 2022, 02:53:15 AM
#23
Do keep in mind that if ColdCard were reproducible, there may be a point considering it (even though the non-open source license is like, super fishy and anti-Bitcoin and everything).
However, mk1 to mk3 are not reproducible by WalletScrutiny as of today (09/25/2022)!
I was talking about the Mk4 only. Wallet Scrutiny has still not finalized their review for this device and it's tagged as Under Development right now. I am curious what the final verdict will be like once they do.

This means whatever compiled firmware binary you are installing to your device, may be compiled from entirely different source code!
I can't state this enough: open-source code is nothing without verifiable builds. Do not trust - verify.
No arguments there. We agree on the importance of the verifiability of the code. If you want to verify the builds and there is a way to do that, that's what I would focus on. That's where you will see if you are using the real thing or not.

The choice to allow/disallow the redistribution of the code through an open-source license is politics. It doesn't affect the security and verifiability of the hardware wallet (assuming you can build the code from its source). That's why I feel like it's important to distinguish the two. People can consider that to be the wrong approach and I don't disagree. But allowing/not allowing you to use the source code, making something out of it yourself, and redistributing it, doesn't affect your use of the hardware wallet and its software. Again, assuming you can verify that everything is as it should be.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
September 25, 2022, 03:03:41 PM
#22
ColdCard is a good example of a trusted wallet that does not use open source licensing for its firmware. The software is still transparent, allowing for the community to review it. However, ColdCard's firmware licensing prohibits redistribution of the software (or firmware, in this case.) This is designed to protect Coinkite's intellectual property, while allowing for the community to verify it is safe to use.
I remember there was some talk about this back when the Mk4 was released and many users were against such a way of licensing. Even though ColdCards don't qualify to be called open-source, those who want to review it and understand the code can do so. That should be the main focus point if you don't want to use closed-source software. Other peculiarities and licensing characteristics that restrict the redistribution of the software shouldn't be something the end-user needs to care about.
Do keep in mind that if ColdCard were reproducible, there may be a point considering it (even though the non-open source license is like, super fishy and anti-Bitcoin and everything).
However, mk1 to mk3 are not reproducible by WalletScrutiny as of today (09/25/2022)!

https://walletscrutiny.com/hardware/coinkite.coldcard.mk1/
https://walletscrutiny.com/hardware/coinkite.coldcard.mk2/
https://walletscrutiny.com/hardware/coldcardMk3/

This means whatever compiled firmware binary you are installing to your device, may be compiled from entirely different source code!
I can't state this enough: open-source code is nothing without verifiable builds. Do not trust - verify.
WalletScrutiny does verify and find that ColdCard builds are not created from the latest version of the source code CoinKite provides.

Also, do be aware that checksums don't give you a hint about how much has been changed, just that something changed. It can range from a single variable change in the source code to giving you fully NSA-backdoored binaries.
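
The point about checksums in post #22, as an added example that is not part of any post in this thread: a SHA-256 comparison between a published firmware image and a local rebuild only answers "match" or "no match", so this sketch also reports which byte ranges differ. The images are constructed byte strings and all function names are chosen for this example.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_regions(a: bytes, b: bytes, gap: int = 16) -> list:
    """Offsets [start, end) where a and b differ; differences separated by
    at most `gap` bytes are merged into one region."""
    regions, start, last = [], None, None
    for i in range(min(len(a), len(b))):
        if a[i] == b[i]:
            continue
        if start is None:
            start = i
        elif i - last > gap:
            regions.append((start, last + 1))
            start = i
        last = i
    if start is not None:
        regions.append((start, last + 1))
    if len(a) != len(b):  # one image carries extra trailing data
        regions.append((min(len(a), len(b)), max(len(a), len(b))))
    return regions

def compare_builds(published: bytes, rebuilt: bytes) -> dict:
    """Hash both images, then describe the extent of any mismatch."""
    regions = diff_regions(published, rebuilt)
    return {
        "published_sha256": sha256_hex(published),
        "rebuilt_sha256": sha256_hex(rebuilt),
        "reproducible": published == rebuilt,
        "regions": regions,
        "bytes_in_regions": sum(end - start for start, end in regions),
    }

def _patched(image: bytes, start: int, end: int) -> bytes:
    """Return a copy of image with bytes [start, end) inverted."""
    out = bytearray(image)
    out[start:end] = bytes(x ^ 0xFF for x in image[start:end])
    return bytes(out)

# Constructed sample data: a 4096-byte "local rebuild" and two "published"
# images that differ from it by 1 byte and by 2048 bytes respectively.
REBUILT = bytes(range(256)) * 16
ONE_BYTE_CHANGE = _patched(REBUILT, 100, 101)
LARGE_CHANGE = _patched(REBUILT, 1024, 3072)

if __name__ == "__main__":
    for name, published in [("one byte", ONE_BYTE_CHANGE), ("large", LARGE_CHANGE)]:
        r = compare_builds(published, REBUILT)
        # Both hashes simply mismatch; only the region list shows the extent.
        print(name, r["published_sha256"][:16], r["reproducible"],
              r["regions"], r["bytes_in_regions"])
```

A byte-level diff shows where and how much two images differ, not what the changed code does; a non-matching build still has to be explained by the vendor or analysed.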
legendary
Activity: 2730
Merit: 7065
September 25, 2022, 10:48:20 AM
#21
ColdCard is a good example of a trusted wallet that does not use open source licensing for its firmware. The software is still transparent, allowing for the community to review it. However, ColdCard's firmware licensing prohibits redistribution of the software (or firmware, in this case.) This is designed to protect Coinkite's intellectual property, while allowing for the community to verify it is safe to use.
I remember there was some talk about this back when the Mk4 was released and many users were against such a way of licensing. Even though ColdCards don't qualify to be called open-source, those who want to review it and understand the code can do so. That should be the main focus point if you don't want to use closed-source software. Other peculiarities and licensing characteristics that restrict the redistribution of the software shouldn't be something the end-user needs to care about.
copper member
Activity: 2338
Merit: 4543
September 23, 2022, 12:21:36 PM
#20
It's really shocking that I'm only just learning that hardware wallets are of two types, just like all other PC and mobile wallets. My thought was that every hardware wallet was fully open source until a day ago, thanks to this forum. But now, which hardware wallet is open source?

I myself had some confusion about this until a few months ago when I was doing some research about Coinkite's ColdCard hardware wallet. The thing to keep in mind is that the term "open source" specifically applies to the licensing of an application. There are several licensing structures that qualify as "open source", but one of the most common is the MIT License. Essentially, open source licensing is very permissive, i.e. one can copy the software, change it, redistribute it, even profit from it without fear of legal repercussions.

ColdCard is a good example of a trusted wallet that does not use open source licensing for its firmware. The software is still transparent, allowing for the community to review it. However, ColdCard's firmware licensing prohibits redistribution of the software (or firmware, in this case.) This is designed to protect Coinkite's intellectual property, while allowing for the community to verify it is safe to use.

Ledger is another example; their firmware is not open source, and as far as I know, it's not available for review. Ledger uses a secure element, and I assume they are concerned that if they disclose the firmware, someone could use it for malicious purposes. However, Ledger Live, the desktop application, is open source and adheres to the MIT License.

Personally, I'm partial to open source hardware wallets and I also recommend the Trezor, which I own and use regularly. I do also own and use a ColdCard. The important thing is to know what you're dealing with and assess your own comfort level with the device you choose.
sr. member
Activity: 686
Merit: 403
September 23, 2022, 10:38:20 AM
#19
Looks like targeted ads :D


What do you mean by targeted ads?
full member
Activity: 310
Merit: 151
Hardware and open source software solutions.
Looks like targeted ads :D

legendary
Activity: 2730
Merit: 7065
March 26, 2022, 03:59:51 AM
#17
They have a shipping facility for the world, but there is policy differentiation depending on the country you want to order the BitBox02 for.

Quote
The majority of our orders are shipped 'Duties & Taxes Paid (DDP)', which means we pay your country's import taxes & duties for you.

If DDP isn't available for your destination country, the order will be shipped DDU which means you will have to pay any applicable import duties & taxes to your local authorities.

During checkout, on the page where you choose your shipping method, our webshop will show you if DDP is available for your destination country.

Check here for your country: shipping policy for Bitbox02
The shipping information section isn't exactly helpful. Judging by the information they provided, they pay for the duties and taxes if the HW is shipped to the European Union, United States, and the rest of the world. One might think it's all DDP. You have to pay close attention to what it says during checkout so you don't get a surprise call from a customs officer.

Their shipping fees aren't expensive. Depending on where you are in the EU, the standard fees are €4-9.   
legendary
Activity: 1974
Merit: 2124
March 22, 2022, 07:20:50 AM
#16
Where I live, the BitBox02 is available on Amazon through the official store of the producer.
I am not sure this is the case worldwide.
They have a shipping facility for the world, but there is policy differentiation depending on the country you want to order the BitBox02 for.

Quote
The majority of our orders are shipped 'Duties & Taxes Paid (DDP)', which means we pay your country's import taxes & duties for you.

If DDP isn't available for your destination country, the order will be shipped DDU which means you will have to pay any applicable import duties & taxes to your local authorities.

During checkout, on the page where you choose your shipping method, our webshop will show you if DDP is available for your destination country.

Check here for your country: shipping policy for Bitbox02

You can have the Bitcoin edition or the multi edition supporting ETH, Litecoin and ERC-20 tokens at the price of €119 if you have no tax duties to be paid.

The additional combo bundle of protection like steelwallets and backup cards can also be of use in case you need to store your seed phrases, but there are much better options to back them up safely. So do the full research for yourself first of all.
legendary
Activity: 1512
Merit: 4795
March 22, 2022, 02:00:30 AM
#15
Can one purchase this hardware wallet on the Amazon store or Newegg? Also, can you drop me the official link to this wallet's website? Thank you.
BitBox02 official website: https://shiftcrypto.ch/bitbox02/. You can also buy directly from the official website.
legendary
Activity: 2268
Merit: 16328
Fully fledged Merit Cycler - Golden Feather 22-23
March 21, 2022, 02:11:32 PM
#14
Where I live, the BitBox02 is available on Amazon through the official store of the producer.
I am not sure this is the case worldwide.

The link is literally on my previous post.

sr. member
Activity: 686
Merit: 403
March 21, 2022, 01:04:05 PM
#13
Bitbox02 by ShiftCrypto is open source:
/cut/

Yes, the Bitbox hardware wallet is already on the [LIST] Open Source Hardware Wallets compiled by dkbit98. According to their official website, the BitBox02 firmware was audited by Census Labs along with consulting done by multiple third-party security firms.

Can one purchase this hardware wallet on the Amazon store or Newegg? Also, can you drop me the official link to this wallet's website? Thank you.
full member
Activity: 1008
Merit: 139
March 18, 2022, 06:18:19 AM
#12
Bitbox02 by ShiftCrypto is open source:
/cut/

Yes, the Bitbox hardware wallet is already on the [LIST] Open Source Hardware Wallets compiled by dkbit98. According to their official website, the BitBox02 firmware was audited by Census Labs along with consulting done by multiple third-party security firms.
legendary
Activity: 2268
Merit: 16328
Fully fledged Merit Cycler - Golden Feather 22-23
March 17, 2022, 05:26:12 PM
#11
Bitbox02 by ShiftCrypto is open source:

https://shiftcrypto.ch/bitbox02/security-features/

Quote
Open-source
Hide nothing by open sourcing everything, including the firmware on the BitBox02, the BitBoxApp, and x rays of the hardware, schematics.

Link to GitHub Repository:
https://github.com/digitalbitbox/

legendary
Activity: 2702
Merit: 4002
March 17, 2022, 06:14:47 AM
#10
It's really shocking that I'm only just learning that hardware wallets are of two types, just like all other PC and mobile wallets. My thought was that every hardware wallet was fully open source until a day ago, thanks to this forum. But now, which hardware wallet is open source?
The fact that the wallet is fully open source will not benefit you as a newbie coder, but rather the number of people who have reviewed it and whether you trust their feedback or not, otherwise you will need to do it yourself.

So make sure that the wallet uses the same source code, and look for people who review that code or choose someone you trust; otherwise, the wallet being open or closed is one thing for you.

If you don't want to bother your head, follow the tips above, but knowing more things won't hurt you.