Retest ColdCard Review
ColdCard accounts (COLDCARDwallet & nvk) on Twitter say that it's reproducible and that the review is incorrect:
That website is incorrect, just try yourself.
Yes he did, every single question he had was answered via email.
It is reproducible, just check GitHub. This researcher just didn’t know how. Many do it, including http://bitcoin.org
It is reproducible, this researcher just didn’t know how. It was addressed, you can try it yourself. Even folks from http://bitcoin.org have done it.
Can you publish the related email contents? This should be public in GitHub issues, but their repo doesn't have issues open.
It is also worth asking other rebuilders, like bitcoin.org or others, to publish write-ups or signed messages/buildinfo files, etc., to attest to the reproducibility of a given version.
I started writing a container to compile it (below), but it requires running a container inside a container (such as podman in podman): https://www.redhat.com/sysadmin/podman-inside-container
podman build --pull --rm -t coldcard -f ContainerFile
FROM docker.io/alpine:edge
RUN set -ex; \
    apk update; \
    apk add --no-cache \
        podman \
        git \
        make; \
    adduser -D appuser; \
    ln -s /usr/bin/podman /usr/bin/docker
USER appuser
RUN set -ex; \
    cd /home/appuser/; \
    git clone https://github.com/Coldcard/firmware.git
WORKDIR /home/appuser/firmware/stm32
which causes some issues when running make repro inside the container started with:
podman run --rm -uroot --cap-add=sys_admin,mknod --security-opt seccomp=unconfined --security-opt label=disable --device /dev/fuse -ti coldcard
It will probably be easier to write a Vagrantfile instead that installs docker (giving a reproducible/repeatable run inside a VM).
Also, checking out the latest tag should probably be done after the clone (tags are not signed... https://github.com/Coldcard/firmware/tags).
But checking ColdCard is very low priority for me (not an OSS product, only source-available, no open issues on GitHub).
I'm currently working on F-Droid related stuff & apps.
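As an added example that is not part of this thread and is not ColdCard's or any rebuilder's tooling, the shell helpers below tie together the steps discussed above: pick the newest version tag from the `git tag` output after the clone, check whether that tag object actually carries a signature (the thread notes the firmware tags are unsigned, so `git tag -v` would have nothing to verify and the commit hash has to be pinned instead), and compare the digest of a locally built artifact with the released file. Tag names ending in `vX.Y.Z`, the paths of the released and built artifacts, and the `coldcard` image name are assumptions; `make repro`, the `stm32` directory and the podman flags are taken from the comment above.

```sh
#!/bin/sh
# Added example for the reproducible-build check discussed in the thread.
# Not ColdCard's or any rebuilder's script. Assumptions: tag names end in
# vX.Y.Z, sha256sum (or shasum) exists, and a container image named
# "coldcard" was built from the Containerfile above. Artifact paths are
# placeholders passed in by the caller.
set -eu

# Print the tag with the highest X.Y.Z from a newline-separated tag list
# (what `git tag` prints). Tags without a trailing version are ignored.
latest_tag() {
  awk '{
    if (match($0, /v?[0-9]+\.[0-9]+\.[0-9]+$/)) {
      v = substr($0, RSTART, RLENGTH); sub(/^v/, "", v); split(v, p, ".")
      printf "%d %d %d %s\n", p[1], p[2], p[3], $0
    }
  }' | sort -n -k1,1 -k2,2 -k3,3 | tail -n 1 | cut -d ' ' -f 4-
}

# Read a tag object (`git cat-file -p refs/tags/NAME`) on stdin and succeed
# only if it embeds a PGP or SSH signature. A lightweight tag resolves to a
# commit object, so it fails here as well: there is nothing to verify.
tag_object_is_signed() {
  grep -q -E -- '-----BEGIN (PGP|SSH) SIGNATURE-----'
}

git_tag_is_signed() {  # $1 repo dir, $2 tag name
  git -C "$1" cat-file -p "refs/tags/$2" | tag_object_is_signed
}

# sha256 of one file, portable across sha256sum (coreutils) and shasum.
digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
    | cut -d ' ' -f 1
}

# Succeed when two files have the same sha256.
same_sha256() {
  [ "$(digest "$1")" = "$(digest "$2")" ]
}

# Full procedure (network, podman); only runs when REPRO_RUN=1 is set.
repro_run() {
  repo=${1:-firmware}
  released=${2:?path to the downloaded release artifact}   # assumption
  built=${3:?path to the artifact that make repro writes}  # assumption
  [ -d "$repo" ] || git clone https://github.com/Coldcard/firmware.git "$repo"
  tag=$(git -C "$repo" tag | latest_tag)
  [ -n "$tag" ] || { echo "no version tag found" >&2; return 1; }
  if git_tag_is_signed "$repo" "$tag"; then
    git -C "$repo" tag -v "$tag"     # real check; needs the signer's key in the keyring
  else
    echo "warning: tag $tag is not signed; record its commit hash: $(git -C "$repo" rev-parse "$tag")" >&2
  fi
  git -C "$repo" checkout -q "$tag"
  # Same flags as the thread's podman run, because make repro itself starts a container.
  podman run --rm -uroot --cap-add=sys_admin,mknod --security-opt seccomp=unconfined \
    --security-opt label=disable --device /dev/fuse \
    -v "$PWD/$repo:/home/appuser/firmware" -w /home/appuser/firmware/stm32 coldcard make repro
  if same_sha256 "$released" "$built"; then
    echo "reproducible: $tag"
  else
    echo "MISMATCH: $tag ($(digest "$released") vs $(digest "$built"))" >&2
    return 1
  fi
}

if [ "${REPRO_RUN:-0}" = 1 ]; then repro_run "$@"; fi
```

Run it as `REPRO_RUN=1 sh repro.sh firmware ./released.dfu ./firmware/stm32/built.dfu` (file names are placeholders); without `REPRO_RUN` the file can be sourced and the helpers used on their own. The version sort deliberately ignores the date prefix that some tag names carry and orders on the numeric fields, so `v5.0.10` sorts after `v5.0.2`, which a plain lexical sort gets wrong.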