As some of you may or may not know, there has been some back and forth between Coinkite and WalletScrutiny, myself, others on their dubious reproducible build claim. In short, we have had issues getting THEIR reproducibility procedure to result in a "SUCCESS". Both WS and myself have reached out to them both via email and on Twitter and the response we've received from them (and NVK specifically) have been disappointing to say the least. From stating that we don't know what we're doing, to constantly pointing us to their guide which we had already said we had used, to outright threatening us with a lawsuit it's been absolutely abhorrent.
My only intention in contacting them about this issue was to highlight it and if possible, help them fix it or fix/edit their documentation to ensure everyone can get "SUCCESS". I wanted Coinkite to succeed. carl_dong and WalletScrutiny have since figured out what the issue was and have posted about it. For months this has been an issue and NVK has spent all of his time threatening and bullying anyone that pointed it out instead of doing what carl_dong and WS did and figuring out how to fix it. This is very telling and why I will never do business with them again. The fact that the ColdCard repo does NOT have their Issue tracker enabled is VERY telling and in retrospect should've been a red flag.
In conclusion, I would say this is a sort of PSA. Do you research and don't trust, verify. Seems like many in the community are always saying this ("dont trust, verify") yet few do. While ColdCard's hardware may be good, their owner and their practices are sketchy and that's a huge red flag.