I don't recall any of us calling nvk a scammer. In fact, we try to be as professional about it as possible.
For the latest update:
Retest of Coldcard Mk2, 3 and 4 is finished. Mk4 is reproducible. Mk2 and 3 still bleed the compilation date into the binary. Looks benign but not reproducible.
reply
I don't recall any of us calling nvk a scammer.
You're right, my bad. It seems like nvk feels like he's being called a scammer.
reply
It's a technical issue - which is now resolved https://twitter.com/carl_dong/status/1671973538029346824
For a technical issue, you need technical responses. Not drama, insinuations, and allegations.
Carl Dong addressed that well.
It was a difference in methodology.
We've been called scammers, grifters, extortionists - every single month that we don't slap a "reproducible" sign on a coldcard. Talk about pressure.
You do know that we've been offered products to test - real hardware wallets - which we refused, on account that it could affect our integrity?
In fact, some in the project do want to take the free samples - but we've had to say 'NO'.
reply
A publicly configured build server or versioned docker script that is used to generate any binaries should alleviate any concerns. Its signing by the devs shouldn't cut it with most bitcoiners unless it's reliably reproducible.
reply
reply
He blocked all of our accounts so we can't respond. It's like having a knife to your back with blindfolds on.
And to be honest, we can't understand why he is behaving like this.
All he has to do, is:
  1. sit down for 1 hour or so.
  2. Look at what's wrong
  3. Work with us to see how it can be fixed.
I guess, blocking-tweeting takes less than a minute.
reply
Wallet Scrutiny is run by Samourai fan boys, so they don't like Coldcard
reply
I'm not a kid anymore and I see a lot of this stuff and think. Wow, these people need to grow up a little bit more and act like adults.
reply
I must have missed some twitter beef.
reply
But do you regret it?
reply
Not really, but it'd help this make sense.
reply
You have no idea what you're talking about
reply
<sigh> You know what's funny?
  1. I don't have samourai in my devices.
  2. I don't know anyone - at least overtly - from Samourai.
  3. I remember the previous verdict for Samourai was unreproducible. It was recently changed pending new findings. Check version history.
  4. ColdCard's verdict has now been changed thanks to Carl Dong's work.
reply
I thought they had the same problem with Samourai for a while too
reply
They show Samourai as reproducible
reply
They might now. But their feud has been for years and share similar concerns.
reply
Well gee, maybe WS is improving over time
reply
reply
It's now reproducible.
reply
Wallet Scrutiny is a poor and malicious attempt at extorting funds from organizations to NOT attack their wallets. Originally spun up to talk shit about every other wallet except that of their former employer mycelium. Now you have to either pay or contribute to their incompetent marketing attacks to get them to remove the negative marks. They often refuse to go back and "reattempt" the reproduction because they are "so busy" attacking as many wallets as possible.
Want to see how easy it is to reproduce? Look at the comments here. https://twitter.com/nvk/status/1671582319327551502
I doubt they'll do anything about it. They don't like negative publicity showing how negligent they are and it only makes them ignore valid reproducible builds even more.
Reproducible builds is very important, but they've turned it into a political money grab.
reply
I can use the docker to get SUCCESS just like in those videos but the build files do not hash to the same values as those files downloaded from the Coldcard website. Is there something I'm missing?
reply
I guess it's because I don't have the Coinkite key to sign the build. So, the docker process is masking out the signature part and verifying there is no diff other than that? Is there an explanation of this somewhere we can read? On the Coinkite site it says you can read docs/notes-on-repro.md but that file does not exist for me.
reply
What I find really strange is the file size of my build for 2023-06-19T1627-v4.1.8 is 722944 for the firmware-signed.dfu but the file downloaded from Coinkite is 753981 even though the result of make repro is SUCCESS
For the MK4 latest build I was able to confirm the file size was the same. The file size should be identical even if the hash is off (due to the signature difference), right?
reply
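The check the questions above are circling (the hash differs, yet nothing outside the signature does, and the sizes should match) can be written as a masked comparison. This is an added example, not part of the thread and not Coldcard's `make repro`; the signature offset and length, the date offset, and the sample images are constructed assumptions.

```python
import hashlib

SIG_OFF, SIG_LEN = 64, 64   # hypothetical signature region, NOT Coldcard's layout
DATE_OFF = 512              # hypothetical spot where a build date gets embedded

def build(sig_byte, date):
    """Constructed sample image: fixed body + signature bytes + date string."""
    img = bytearray(bytes(range(256)) * 4)
    img[SIG_OFF:SIG_OFF + SIG_LEN] = bytes([sig_byte]) * SIG_LEN
    img[DATE_OFF:DATE_OFF + len(date)] = date.encode()
    return bytes(img)

def diff_ranges(a, b):
    """[start, end) byte ranges where a and b differ, over their common length."""
    ranges, start, n = [], None, min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges

def compare_builds(local, published, masked):
    """masked: (offset, length) regions allowed to differ, e.g. the signature."""
    allowed = [(o, o + n) for o, n in masked]
    unexplained = [(s, e) for s, e in diff_ranges(local, published)
                   if not any(lo <= s and e <= hi for lo, hi in allowed)]
    size_match = len(local) == len(published)
    return {
        "sha256_match": hashlib.sha256(local).digest() == hashlib.sha256(published).digest(),
        "size_match": size_match,
        "unexplained": unexplained,
        "reproducible": size_match and not unexplained,
    }

if __name__ == "__main__":
    mine = build(0x00, "2023-06-19")            # unsigned local build
    for label, theirs in [("signature only", build(0xAA, "2023-06-19")),
                          ("date leaked", build(0xAA, "2023-06-20")),
                          ("size differs", build(0xAA, "2023-06-19") + bytes(16))]:
        print(label, compare_builds(mine, theirs, [(SIG_OFF, SIG_LEN)]))
```

A whole-file hash can only say "different"; the list of unexplained ranges says where, which is what separates a signature-only difference from an embedded build date or a size mismatch.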
Where is your evidence of this?
reply
Making such bold claims requires some evidence
reply
Much of what I said is common public knowledge that stems over years so I'm not sure what you would think is bold. If there's something in particular you found incorrect, let me know.
reply
I got a splitting headache reading this. So I'm saving my response for later. You are replying to Moneyball, Tony.
Do you know who that is?
Do you know who I am? Geez. I am going to take five or more before I reply to you.
It's just that time of the month.....
reply
Yeah he's the one funding your BS marketing attacks.
reply
Where is your evidence of this? "malicious attempt at extorting funds from organizations"
Where is your evidence of this? "Now you have to either pay or contribute to their incompetent marketing attacks to get them to remove the negative marks."
Where is your evidence of this? "They often refuse to go back and "reattempt" the reproduction because they are "so busy" attacking as many wallets as possible."
reply
Maybe he's referring to the time before Spiral and the Human Rights Foundation granted the grant to us.
Some 1 to 2 years ago, we did embark on a "campaign" (if you can call it that) to email funds to ask for a grant.
  • Some replied, but the most common reply was either "No" or "What's in it for us?"
  • As a non-profit, we couldn't answer the what's in it for them part.
  • Then, through Leo's personal contacts (which I think is you), Spiral came to the rescue. (Thank you Steve and Spiral)
  • A few months later, the Human Rights Foundation responded - the bulk of which went to EB, the security researcher.
As to attacks, we do not conduct negative interactions with wallet providers and we make it a point to try to fill the role of outreach as professionally as possible. Like how customer service would do it.
Most of the interactions were on twitter, and many were on the Gitlab or Github issue pages.
That is, to the best of my knowledge, how it went.
The acrimonious relationship was stirred by none other than NVK and his cohort.
I do not know why - and I really don't want to dig in further to the reasons as it is not my concern.
I just know that there were allegations, which were in now-deleted tweets, about the licensing issues with ColdCard. I can't recall exactly, but the license for the coldcard was previously GPLv3. I think ColdCard changed it later on, because of more deleted tweets concerning another wallet provider.
There was even a now deleted post about some person shouting on twitter that OPEN SOURCE LOST THE WAR OR BATTLE or something like that.
reply
🦗🦗🦗
reply
Steve, I'm not just sitting on stacker news all day worried about digging up years of tweets, interactions, and website archives to point to why I believe what I believe about WS's integrity and ethics.
If you would like to fund me to scrutinize wallet scrutiny then I guess I can stop building to do that for you. Otherwise, I find the invested interest and attitude here pretty pointless to continue with this conversation before it gets worse for no reason.
I hope you take some time to reflect on why funding a wallet hit list that targets competitors with words like "provider puts your funds at risk" and "If we had more resources, we would update reviews more timely instead of assigning this meta verdict ;)" with a donation link to change the results. If you can't see why that's fucked up, then I don't know what else to say to you.
reply
Steve is new here.
reply
no, but the process might have been settled more amicably if it were possible to discuss in a github issue than on twatter
but issues in their repo are disabled, it seems: https://github.com/Coldcard/firmware
reply
Everyone else can build except the "experts"
reply
I can't reproduce my mk3 either, I tried to use it today and it says bricked. How on earth did it happen? I just bought it recently for $200. I didn't do any manipulations with it whatsoever. Are they doing it on purpose, so I upgrade to newer versions? Plus I donated 1000 sats to SN, so I have 0 sats. You guys send me some sats for posting, ok