Wallet Scrutiny claims they can't reproduce builds for the Mk3. nvk says Wallet Scrutiny is either incompetent or malicious.
Does anyone know the full story? There doesn't seem to be much productive dialog going on which makes sense - they are calling each other scammers. Neither is a scammer afaict, so what gives?
I don't recall any of us calling nvk a scammer. In fact, we try to be as professional about it as possible.
For the latest update:
You're right, my bad. It seems like nvk feels like he's being called a scammer.
It's a technical issue - which is now resolved https://twitter.com/carl_dong/status/1671973538029346824
For a technical issue, you need technical responses. Not drama, insinuations, and allegations.
Carl Dong addressed that well.
It was a difference in methodology.
We've been called scammers, grifters, extortionists - every single month that we don't slap a "reproducible" sign on a coldcard. Talk about pressure.
You do know that we've been offered products to test - real hardware wallets - which we refused, on account that it could affect our integrity?
In fact, some in the project do want to take the free samples - but we've had to say 'NO'.
A publicly configured build server or versioned docker script that is used to generate any binaries should alleviate any concerns. Its signing by the devs shouldn't cut it with most bitcoiners unless it's reliably reproducible.
NVK is literally calling WS a scam https://twitter.com/nvk/status/1647573833014992896
He blocked all of our accounts so we can't respond. It's like having a knife to your back with blindfolds on.
And to be honest, we can't understand why he is behaving like this.
All he has to do, is:
I guess, blocking-tweeting takes less than a minute.
wallet scrutiny is run by Samourai fan boys, so they don't like cold card
I'm not a kid anymore and I see a lot of this stuff and think. Wow, these people need to grow up a little bit more and act like adults.
who?
I must have missed some twitter beef.
But do you regret it?
Not really, but it'd help this make sense.
You have no idea what you're talking about
<sigh>
You know what's funny? I thought they had the same problem with Samourai for a while too
They show Samourai as reproducible
They might now. But their feud has been for years and share similar concerns.
Well gee, maybe WS is improving over time
New pull request. Maybe it's resolved!
https://gitlab.com/walletscrutiny/walletScrutinyCom/-/merge_requests/472
It's now reproducible.
Wallet Scrutiny is a poor and malicious attempt at extorting funds from organizations to NOT attack their wallets. Originally spun up to talk shit about every other wallet except that of their former employer mycelium. Now you have to either pay or contribute to their incompetent marketing attacks to get them to remove the negative marks. They often refuse to go back and "reattempt" the reproduction because they are "so busy" attacking as many wallets as possible.
Want to see how easy it is to reproduce? Look at the comments here. https://twitter.com/nvk/status/1671582319327551502
I doubt they'll do anything about it. They don't like negative publicity showing how negligent they are and it only makes them ignore valid reproducible builds even more.
Reproducible builds is very important, but they've turned it into a political money grab.
I can use the docker to get SUCCESS just like in those videos but the build files do not hash to the same values as those files downloaded from the Coldcard website. Is there something I'm missing?
I guess it's because I don't have the Coinkite key to sign the build. So, the docker process is masking out the signature part and verifying there is no diff other than that? Is there an explanation of this somewhere we can read? On the Coinkite site it says you can read docs/notes-on-repro.md but that file does not exist for me.
What I find really strange is the file size of my build for 2023-06-19T1627-v4.1.8 is 722944 for the firmware-signed.dfu but the file downloaded from Coinkite is 753981 even though the result of make repro is SUCCESS
For the MK4 latest build I was able to confirm the file size was the same. The file size should be identical even if the hash is off (due to the signature difference), right?
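The kind of check the comment above asks about (compare a local build with the published file while tolerating only a signature region) can be sketched as follows. This is an added example, not part of the thread and not Coldcard's or Wallet Scrutiny's code; the signature offsets and the sample bytes are constructed assumptions, not the real firmware layout.

```python
import hashlib

def diff_ranges(a: bytes, b: bytes):
    """Return [start, end) ranges where a and b differ over their common length."""
    ranges, start = [], None
    common = min(len(a), len(b))
    for i in range(common):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, common))
    return ranges

def compare_builds(local: bytes, published: bytes, sig_region):
    """Classify a local build against a published one.

    sig_region is a (start, end) byte range that is expected to differ because
    only the vendor holds the signing key. The offsets are an input supplied by
    the caller (hypothetical here), not a fact about any real firmware format.
    """
    lo, hi = sig_region
    ranges = diff_ranges(local, published)
    report = {
        "local_sha256": hashlib.sha256(local).hexdigest(),
        "published_sha256": hashlib.sha256(published).hexdigest(),
        "size_delta": len(published) - len(local),
        "outside_signature": [(s, e) for s, e in ranges if s < lo or e > hi],
    }
    if report["size_delta"] != 0:
        # A masked comparison says nothing about bytes one file does not have.
        report["verdict"] = "size-mismatch"
    elif not ranges:
        report["verdict"] = "identical"
    elif not report["outside_signature"]:
        report["verdict"] = "signature-only"
    else:
        report["verdict"] = "content-differs"
    return report

# Constructed sample data: a 256-byte "firmware" with a 64-byte signature slot.
SIG = (64, 128)
body = bytes(range(256))
unsigned = body[:64] + bytes(64) + body[128:]        # local build, empty slot
signed = body[:64] + b"\xa5" * 64 + body[128:]       # published, slot filled
tampered = signed[:200] + b"\x00" + signed[201:]     # one byte changed elsewhere
padded = signed + bytes(32)                          # published file is longer
```

The full-file hashes differ in every non-identical case, so the verdict and the list of differing ranges are what separate a signature-only difference from a real content or size difference.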
Where is your evidence of this?
Making such bold claims requires some evidence
Much of what I said is common public knowledge that stems over years so I'm not sure what you would think is bold. If there's something in particular you found incorrect, let me know.
I got a splitting headache reading this. So I'm saving my response for later. You are replying to Moneyball, Tony.
Do you know who that is?
Do you know who I am? Geez. I am going to take five or more before I reply to you.
It's just that time of the month.....
Yeah he's the one funding your BS marketing attacks.
Where is your evidence of this? "malicious attempt at extorting funds from organizations"
Where is your evidence of this? "Now you have to either pay or contribute to their incompetent marketing attacks to get them to remove the negative marks."
Where is your evidence of this? "They often refuse to go back and "reattempt" the reproduction because they are "so busy" attacking as many wallets as possible."
Maybe he's referring to the time before Spiral and the Human Rights Foundation granted the grant to us.
Some 1 to 2 years ago, we did embark on a "campaign" (if you can call it that) to email funds to ask for a grant.
As to attacks, we do not conduct negative interactions with wallet providers and we make it a point to try to fill the role of outreach as professionally as possible. Like how customer service would do it.
Most of the interactions were on twitter, and many were on the Gitlab or Github issue pages.
That is, to the best of my knowledge, how it went.
The acrimonious relationship was stirred by none other than NVK and his cohort.
I do not know why - and I really don't want to dig in further to the reasons as it is not my concern.
I just know that there were allegations, which were in now-deleted tweets, about the licensing issues of ColdCard. I can't recall exactly, but the license for the coldcard was previously GPLv3. I think ColdCard changed it later on, because of more deleted tweets concerning another wallet provider.
There was even a now deleted post about some person shouting on twitter that OPEN SOURCE LOST THE WAR OR BATTLE or something like that.
🦗🦗🦗
Steve, I'm not just sitting on stacker news all day worried about digging up years of tweets, interactions, and website archives to point to why I believe what I believe about WS's integrity and ethics.
If you would like to fund me to scrutinize wallet scrutiny then I guess I can stop building to do that for you. Otherwise, I find the invested interest and attitude here pretty pointless to continue with this conversation before it gets worse for no reason.
I hope you take some time to reflect on why funding a wallet hit list that targets competitors with words like "provider puts your funds at risk" and "If we had more resources, we would update reviews more timely instead of assigning this meta verdict ;)" with a donation link to change the results. If you can't see why that's fucked up, then I don't know what else to say to you.
Steve is new here.
no, but the process might have been settled more amicably if it were possible to discuss in a github issue than on twatter
but issues in their repo are disabled, it seems: https://github.com/Coldcard/firmware
Everyone else can build except the "experts"
I can’t reproduce my mk3 either, I tried to use it today and it says bricked. How on earth did it happen? I just bought it recently for 200$. I didn’t do any manipulations with it whatsoever. Are they doing it on purpose, so I upgrade to newer versions? Plus I donated 1000 sats to SN, so I have 0 sats. You guys send me some sats for posting, ok