Does anyone know why Wallet Scrutiny can't reproduce Coldcard builds? \ stacker news ~bitcoin

pull down to refresh

Does anyone know why Wallet Scrutiny can't reproduce Coldcard builds?

957 sats \ 37 comments \ @k00b 21 Jun 2023 bitcoin

Wallet Scrutiny claims they can't reproduce builds for the Mk3. nvk says Wallet Scrutiny is either incompetent or malicious.

Does anyone know the full story? There doesn't seem to be much productive dialog going on which makes sense - they are calling each other scammers. Neither is a scammer afaict, so what gives?

view all related items

218 sats \ 5 replies \ @dannybuntu 22 Jun 2023

I don't recall any of us calling nvk a scammer. In fact, we try to be as professional about it as possible.

For the latest update:

Retest of Coldcard Mk2, 3 and 4 is finished. Mk4 is reproducible. Mk2 and 3 still bleed the compilation date into the binary. Looks benign but not reproducible.

0 sats \ 4 replies \ @k00b OP 22 Jun 2023

I don't recall any of us calling nvk a scammer.

You're right, my bad. It seems like nvk feels like he's being called a scammer.

1285 sats \ 1 reply \ @dannybuntu 23 Jun 2023

It's a technical issue - which is now resolved https://twitter.com/carl_dong/status/1671973538029346824

For a technical issue, you need technical responses. Not drama, insinuations, and allegations.

Carl Dong addressed that well.

It was a difference in methodology.

We've been called scammers, grifters, extortionists - every single month that we don't slap a "reproducible" sign on a coldcard. Talk about pressure.

You do know that we've been offered products to test - real hardware wallets - which we refused, on account that could affect our integrity?

In fact, some in the project do want to take the free samples - but we've had to say 'NO'.

0 sats \ 0 replies \ @Brunswick 23 Jun 2023

A publicly configured build server or versioned docker script that is used to generate any binaries should alleviate any concerns. It signing by the devs shouldnt cut it with most bitcoiners unless its reliably reproducible.

10 sats \ 1 reply \ @moneyball 23 Jun 2023

NVK is literally calling WS a scam https://twitter.com/nvk/status/1647573833014992896

0 sats \ 0 replies \ @dannybuntu 24 Jun 2023

He blocked all of our accounts so we can't respond. It's like having a knife to your back with blindfolds on.

And to be honest, we can't understand why he is behaving like this.

All he has to do, is:

sit down for 1 hour or so.
Look at what's wrong
Work with us to see how it can be fixed.

I guess, blocking-tweeting takes less than a minute.

349 sats \ 11 replies \ @benthecarman 21 Jun 2023

wallet scrutiny is run by samouria fan boys, so they dont like cold card

386 sats \ 1 reply \ @kepford 21 Jun 2023

I'm not a kid anymore and I see a lot of this stuff and think. Wow, these people need to grow up a little bit more and act like adults.

2 sats \ 0 replies \ @faithandcredit 22 Jun 2023

who?

25 sats \ 2 replies \ @k00b OP 21 Jun 2023

I must have missed some twitter beef.

0 sats \ 1 reply \ @ek 21 Jun 2023

But do you regret it?

22 sats \ 0 replies \ @k00b OP 22 Jun 2023

Not really, but it'd help this make sense.

1030 sats \ 0 replies \ @moneyball 22 Jun 2023

You have no idea what you're talking about

0 sats \ 0 replies \ @dannybuntu 24 Jun 2023

<sigh> You know what's funny?

I don't have samourai in my devices.
I don't know anyone - at least overtly - from Samourai.
I remember the previous verdict for Samourai was unreproducible. It was recently changed pending new findings. Check version history.
ColdCard's verdict has now been changed thanks to Carl Dong's work.

0 sats \ 3 replies \ @TonyGiorgio 22 Jun 2023

I thought they had the same problem with samourai for awhile too

2 sats \ 2 replies \ @moneyball 22 Jun 2023

They show Samourai as reproducible

0 sats \ 1 reply \ @TonyGiorgio 22 Jun 2023

They might now. But their feud has been for years and share similar concerns.

0 sats \ 0 replies \ @moneyball 23 Jun 2023

Well gee, maybe WS is improving over time

121 sats \ 1 reply \ @cointastical 22 Jun 2023

New pull request. Maybe it's resolved!

https://gitlab.com/walletscrutiny/walletScrutinyCom/-/merge_requests/472

113 sats \ 0 replies \ @dannybuntu 24 Jun 2023

It's now reproducible.

642 sats \ 13 replies \ @TonyGiorgio 22 Jun 2023

Wallet Scrutiny is a poor and malicious attempt at extorting funds from organizations to NOT attack their wallets. Originally spun up to talk shit about every other wallet except that of their former employer mycelium. Now you have to either pay or contribute to their incompetent marketing attacks to get them to remove the negative marks. They often refuse to go back and "reattempt" the reproduction because they are "so busy" attacking as many wallets as possible.

Want to see how easy it is to reproduce? Look at the comments here. https://twitter.com/nvk/status/1671582319327551502

I doubt they'll do anything about it. They don't like negative publicity showing how negligent they are and it only makes them ignore valid reproducible builds even more.

Reproducible builds is very important, but they've turned it into a political money grab.

215 sats \ 2 replies \ @dash 22 Jun 2023

I can use the docker to get SUCCESS just like in those videos but the build files do not hash to the same values as those files downloaded from the Coldcard website. Is there something I'm missing?

209 sats \ 1 reply \ @dash 22 Jun 2023

I guess it's because I don't have the Coinkite key to sign the build. So, the docker process is masking out the signature part and verifying there is no diff other than that? Is there an explanation of this somewhere we can read? On the Coinkite site it says you can read docs/notes-on-repro.md but that file does not exist for me.

209 sats \ 0 replies \ @dash 22 Jun 2023

What I find really strange is the file size of my build for 2023-06-19T1627-v4.1.8 is 722944 for the firmware-signed.dfu but the file downloaded from Coinkite is 753981 even though the result of make repro is SUCCESS

For the MK4 latest build I was able to confirm the file size was the same. The file size should be identical even if the hash is off (due to the signature difference), right?

12 sats \ 9 replies \ @moneyball 22 Jun 2023

Where is your evidence of this?

0 sats \ 8 replies \ @moneyball 22 Jun 2023

Making such bold claims requires some evidence

30 sats \ 7 replies \ @TonyGiorgio 22 Jun 2023

Much of what I said is common public knowledge that stems over years so I'm not sure what you would think is bold. If there's something in particular you found incorrect, let me know.

10 sats \ 1 reply \ @dannybuntu 22 Jun 2023

I got a splitting headache reading this. So I'm saving my response for later. You are replying to Moneyball, Tony.

Do you know who that is?

Do you know who I am? Geez. I am going to take five or more before I reply to you.

It's just that time of the month.....

40 sats \ 0 replies \ @TonyGiorgio 22 Jun 2023

Yeah he's the one funding your BS marketing attacks.

0 sats \ 3 replies \ @moneyball 23 Jun 2023

Where is your evidence of this? "malicious attempt at extorting funds from organizations"

Where is your evidence of this? "Now you have to either pay or contribute to their incompetent marketing attacks to get them to remove the negative marks."

Where is your evidence of this? "They often refuse to go back and "reattempt" the reproduction because they are "so busy" attacking as many wallets as possible."

0 sats \ 0 replies \ @dannybuntu 24 Jun 2023

Maybe he's referring to the time before Spiral and the Human Rights Foundation granted the grant to us.

Some 1 to 2 years ago, we did embark on a "campaign" (if you can call it that) to email funds to ask for a grant.

Some replied, but the most common reply was either "No" or "What's in it for us?"
As a non-profit, we couldn't answer the what's in it for them part."
Then, through Leo's personal contacts (which I think is you), Spiral came to the rescue. (Thank you steve and Spiral)
A few months later, then Human Rights Foundation responded - the bulk of which went to EB, the security researcher.

As to attacks, we do not conduct negative interactions with wallet providers and we make it a point to try to fill the role of outreach as professionally as possible. Like how customer service would do it.

Most of the interactions were on twitter, and many were on the Gitlab or Github issue pages.

That is, to the best of my knowledge of it went.

The acrimonious relationship was stirred by non other than NVK and his cohort.

I do not know why - and I really don't want to dig in further to the reasons as it is not my concern.

I just know that there were allegations which were in now deleted tweets, about the licensing issues ColdCard. I can't recall exactly, but the license for the coldcard was previously GPLv3. I think ColdCard changed it later on, because of more deleted tweets concerning another wallet provider.

There was even a now deleted post about some person shouting on twitter that OPEN SOURCE LOST THE WAR OR BATTLE or something like that.

0 sats \ 1 reply \ @moneyball 23 Jun 2023

🦗🦗🦗

0 sats \ 0 replies \ @TonyGiorgio 24 Jun 2023

Steve, I'm not just sitting on stacker news all day worried about digging up years of tweets, interactions, and website archives to point to why I believe what I believe about WS's integrity and ethics.

If you would like to fund me to scrutinize wallet scrutiny then I guess I can stop building to do that for you. Otherwise, I find the invested interest and attitude here pretty pointless to continue with this conversation before it gets worse for no reason.

I hope you take some time to reflect on why funding a wallet hit list that targets competitors with words like "provider puts your funds at risk" and "If we had more resources, we would update reviews more timely instead of assigning this meta verdict ;)" with a donation link to change the results. If you can't see why that's fucked up, then I don't know what else to say to you.

0 sats \ 0 replies \ @nvk 22 Jun 2023

Steve is new here.

12 sats \ 1 reply \ @03365d6a53 21 Jun 2023

no, but the process might have been settled more amicably if it were possible to discuss in a github issue than on twatter

but issues in their repo are disabled, it seems: https://github.com/Coldcard/firmware

0 sats \ 0 replies \ @nvk 22 Jun 2023

Everyone else can build except the "experts"

1 sat \ 0 replies \ @numbskull 22 Jun 2023 freebie

I can’t reproduce my mk3 either, I tried to use it today and it says bricked. How on earth did it happen? I just bought it recently for 200$ .I didn’t do any manipulations with it whatsoever. Are they doing it on purpose,so I upgrade to newer versions? Plus I donated 1000 sats to SN , so I have 0 sats . You guys send me some sats for posting,ok