642 sats \ 13 replies \ @TonyGiorgio 22 Jun 2023 \ on: Does anyone know why Wallet Scrutiny can't reproduce Coldcard builds? bitcoin
Wallet Scrutiny is a poor and malicious attempt at extorting funds from organizations to NOT attack their wallets. Originally spun up to talk shit about every other wallet except that of their former employer mycelium. Now you have to either pay or contribute to their incompetent marketing attacks to get them to remove the negative marks. They often refuse to go back and "reattempt" the reproduction because they are "so busy" attacking as many wallets as possible.
Want to see how easy it is to reproduce? Look at the comments here. https://twitter.com/nvk/status/1671582319327551502
I doubt they'll do anything about it. They don't like negative publicity showing how negligent they are and it only makes them ignore valid reproducible builds even more.
Reproducible builds are very important, but they've turned it into a political money grab.
I can use the docker to get SUCCESS just like in those videos but the build files do not hash to the same values as those files downloaded from the Coldcard website. Is there something I'm missing?
reply
I guess it's because I don't have the Coinkite key to sign the build. So, the docker process is masking out the signature part and verifying there is no diff other than that? Is there an explanation of this somewhere we can read? On the Coinkite site it says you can read docs/notes-on-repro.md but that file does not exist for me.
reply
What I find really strange is that the file size of my build for 2023-06-19T1627-v4.1.8 is 722944 for the firmware-signed.dfu, but the file downloaded from Coinkite is 753981, even though the result of make repro is SUCCESS.
For the MK4 latest build I was able to confirm the file size was the same. The file size should be identical even if the hash is off (due to the signature difference), right?
reply
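The check the two comments above are circling (does the published image differ from a local build only in the signature, and is the size the same?) can be scripted. The block below is an added example, not Coldcard's, Coinkite's or Wallet Scrutiny's own code: it compares two firmware images while masking an assumed signature region, reports every differing byte range outside the mask, and treats a length mismatch as a hard failure, because a signature slot alone cannot explain a different file size. The signature offset and length, and the sample images, are constructed assumptions and do not describe the real DFU layout.

```python
"""Hypothetical reproducible-build check: compare a locally built firmware
image against a published one while ignoring an assumed signature region.
The layout constants and sample images below are constructed for the
example; they are not Coldcard's real DFU layout."""
import hashlib
from typing import List, Tuple

# Assumed signature slot: offset and length inside the image (example values).
SIG_OFFSET = 0x100
SIG_LEN = 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _in_mask(offset: int, mask_ranges: List[Tuple[int, int]]) -> bool:
    """True if `offset` falls inside any (start, length) range in mask_ranges."""
    return any(start <= offset < start + length for start, length in mask_ranges)


def compare_masked(local: bytes, published: bytes,
                   mask_ranges: List[Tuple[int, int]]) -> dict:
    """Compare two images byte for byte, ignoring the masked ranges.

    Returns a report with the plain SHA-256 of both files (expected to differ
    if only one is signed), whether the sizes match, the list of half-open
    (start, end) byte ranges that differ outside the mask, and a final
    masked_equal verdict.  A size mismatch short-circuits to a failure: no
    signature masking can make images of different length "reproducible".
    """
    report = {
        "size_local": len(local),
        "size_published": len(published),
        "size_match": len(local) == len(published),
        "sha256_local": sha256_hex(local),
        "sha256_published": sha256_hex(published),
        "unmasked_diffs": [],
        "masked_equal": False,
    }
    if not report["size_match"]:
        return report

    diffs: List[Tuple[int, int]] = []
    run_start = None
    for i, (a, b) in enumerate(zip(local, published)):
        differs = a != b and not _in_mask(i, mask_ranges)
        if differs and run_start is None:
            run_start = i                      # open a new differing run
        elif not differs and run_start is not None:
            diffs.append((run_start, i))       # close the run at this byte
            run_start = None
    if run_start is not None:
        diffs.append((run_start, len(local)))  # run reached end of file

    report["unmasked_diffs"] = diffs
    report["masked_equal"] = not diffs
    return report


def make_sample_images() -> Tuple[bytes, bytes, bytes]:
    """Constructed 1024-byte images: an unsigned local build (zeroed signature
    slot), the same build with a stand-in vendor signature, and a copy of the
    signed image with one code byte flipped outside the signature slot."""
    body = bytes(range(256)) * 4
    local = bytearray(body)
    local[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = b"\x00" * SIG_LEN
    published = bytearray(body)
    published[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = bytes([0xAB]) * SIG_LEN
    tampered = bytearray(published)
    tampered[0x300] ^= 0x01
    return bytes(local), bytes(published), bytes(tampered)


if __name__ == "__main__":
    local, published, tampered = make_sample_images()
    mask = [(SIG_OFFSET, SIG_LEN)]
    for name, other in (("published", published), ("tampered", tampered),
                        ("padded", published + b"\x00" * 32)):
        r = compare_masked(local, other, mask)
        print(name, "size_match=%s masked_equal=%s diffs=%s"
              % (r["size_match"], r["masked_equal"], r["unmasked_diffs"]))
```

Run against real files, the two plain SHA-256 values are expected to differ (one image carries a signature, the other does not), so the number to read is `unmasked_diffs`: an empty list with matching sizes is the only outcome that supports "same build apart from the signature". Anything else, including a size mismatch like the 722944 vs 753981 reported above, means the build did not reproduce and the masking step is not the explanation.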
Where is your evidence of this?
reply
Making such bold claims requires some evidence
reply
Much of what I said is common public knowledge that stems over years so I'm not sure what you would think is bold. If there's something in particular you found incorrect, let me know.
reply
I got a splitting headache reading this. So I'm saving my response for later. You are replying to Moneyball, Tony.
Do you know who that is?
Do you know who I am? Geez. I am going to take five or more before I reply to you.
It's just that time of the month.....
reply
Yeah he's the one funding your BS marketing attacks.
reply
Where is your evidence of this? "malicious attempt at extorting funds from organizations"
Where is your evidence of this? "Now you have to either pay or contribute to their incompetent marketing attacks to get them to remove the negative marks."
Where is your evidence of this? "They often refuse to go back and "reattempt" the reproduction because they are "so busy" attacking as many wallets as possible."
reply
Maybe he's referring to the time before Spiral and the Human Rights Foundation granted the grant to us.
Some 1 to 2 years ago, we did embark on a "campaign" (if you can call it that) to email funds to ask for a grant.
- Some replied, but the most common reply was either "No" or "What's in it for us?"
- As a non-profit, we couldn't answer the "what's in it for them" part.
- Then, through Leo's personal contacts (which I think is you), Spiral came to the rescue. (Thank you Steve and Spiral.)
- A few months later, the Human Rights Foundation responded - the bulk of which went to EB, the security researcher.
As to attacks, we do not conduct negative interactions with wallet providers and we make it a point to try to fill the role of outreach as professionally as possible. Like how customer service would do it.
Most of the interactions were on twitter, and many were on the Gitlab or Github issue pages.
That is, to the best of my knowledge, how it went.
The acrimonious relationship was stirred by none other than NVK and his cohort.
I do not know why - and I really don't want to dig in further to the reasons as it is not my concern.
I just know that there were allegations, in now deleted tweets, about licensing issues with ColdCard. I can't recall exactly, but the license for the ColdCard was previously GPLv3. I think ColdCard changed it later on, because of more deleted tweets concerning another wallet provider.
There was even a now deleted post about some person shouting on twitter that OPEN SOURCE LOST THE WAR OR BATTLE or something like that.
reply
🦗🦗🦗
reply
Steve, I'm not just sitting on stacker news all day worried about digging up years of tweets, interactions, and website archives to point to why I believe what I believe about WS's integrity and ethics.
If you would like to fund me to scrutinize Wallet Scrutiny, then I guess I can stop building to do that for you. Otherwise, I find the vested interest and attitude here pointless enough that continuing this conversation would only make it worse for no reason.
I hope you take some time to reflect on why funding a wallet hit list that targets competitors with words like "provider puts your funds at risk" and "If we had more resources, we would update reviews more timely instead of assigning this meta verdict ;)" with a donation link to change the results. If you can't see why that's fucked up, then I don't know what else to say to you.
reply
Steve is new here.
reply