Andrei O.
@andrei0x309
It's not only on the device; I just logged in with a fresh emulator. Clearly, it's stored persistently. In the best-case scenario, it's encrypted with the user-provided seed as a password, and the seed is never stored at Merkl. But again, without the full source code of the backend + client, it's just "trust me, bro"; for all we know, even the seed could have been stored.
3 replies
2 recasts
16 reactions

Haole
@haole
Even if you open-source the code, the dev can deploy a different version on prod, so: no trust, only verify.
1 reply
0 recast
4 reactions

Andrei O.
@andrei0x309
There are ways to provide proofs:

1. You can automate deploys and use a third-party provider that you don't control to provide the commit the code was deployed from. For example, if Cloudflare says that worker X is deployed from commit Y, it would require Cloudflare to be compromised.
2. Remote attestation (hardware-assisted proof): using specialized hardware features, such as Trusted Platform Modules (TPMs) or secure enclaves (like Intel SGX, AMD SEV, ARM TrustZone), to cryptographically prove the integrity of the software stack running on a server.
3. Third-party certifications: you basically pay a trusted service to regularly inspect and publish certificates of your running code.

IMO, even just open-sourcing without direct proof of the deployed code is still much more trustworthy than proprietary code.
0 reply
0 recast
4 reactions
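The first option in the post ("a third party you don't control says worker X was deployed from commit Y") reduces to a signed provenance statement that an auditor checks against the artifact actually running. The following is an added example, not code from the thread or from Cloudflare, Merkl or any real deploy service: a minimal SLSA-style statement, signed with Ed25519 by a hypothetical deploy service, and a verifier that trusts only the service's public key, the commit the auditor reviewed, and the bytes of the running artifact. The repo name, commit id, builder name and artifact bytes are constructed for the demo; the JSON field names are an assumption, not any real provenance schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Provenance is a deliberately minimal, SLSA-style statement issued by a
// third-party build/deploy service: "the artifact with this digest was built
// from this commit of this repo". Field names are hypothetical.
type Provenance struct {
	Repo           string `json:"repo"`
	SourceCommit   string `json:"source_commit"`
	ArtifactSHA256 string `json:"artifact_sha256"`
	Builder        string `json:"builder"`
}

// SignedProvenance bundles the serialized statement with the service's signature.
type SignedProvenance struct {
	Statement []byte
	Signature []byte
}

// Issue is the third-party service's side: hash the artifact it deployed,
// record the commit it built from, and sign the statement with its key.
func Issue(priv ed25519.PrivateKey, repo, commit, builder string, artifact []byte) (SignedProvenance, error) {
	sum := sha256.Sum256(artifact)
	stmt, err := json.Marshal(Provenance{
		Repo: repo, SourceCommit: commit,
		ArtifactSHA256: hex.EncodeToString(sum[:]), Builder: builder,
	})
	if err != nil {
		return SignedProvenance{}, err
	}
	return SignedProvenance{Statement: stmt, Signature: ed25519.Sign(priv, stmt)}, nil
}

// Verify is the auditor's side. Trust anchors: the service's public key, the
// repo/commit that was actually reviewed, and the bytes of the running artifact.
// The signature is checked BEFORE the statement is parsed, so an attacker who
// controls the deployed artifact cannot also author the claim about it.
func Verify(pub ed25519.PublicKey, sp SignedProvenance, repo, expectedCommit string, runningArtifact []byte) error {
	if !ed25519.Verify(pub, sp.Statement, sp.Signature) {
		return errors.New("provenance signature invalid: not issued by the trusted service")
	}
	var p Provenance
	if err := json.Unmarshal(sp.Statement, &p); err != nil {
		return err
	}
	if p.Repo != repo || p.SourceCommit != expectedCommit {
		return fmt.Errorf("provenance covers %s@%s, expected %s@%s", p.Repo, p.SourceCommit, repo, expectedCommit)
	}
	sum := sha256.Sum256(runningArtifact)
	if got := hex.EncodeToString(sum[:]); got != p.ArtifactSHA256 {
		return fmt.Errorf("running artifact digest %s does not match attested %s", got, p.ArtifactSHA256)
	}
	return nil
}

func main() {
	// Constructed demo data: the key pair stands in for the deploy service's key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	repo, commit := "github.com/example/backend", "a1b2c3d4"
	artifact := []byte("constructed worker bundle v1")

	sp, _ := Issue(priv, repo, commit, "example-deploy-service", artifact)
	fmt.Println("honest deploy:  ", Verify(pub, sp, repo, commit, artifact))
	fmt.Println("swapped binary: ", Verify(pub, sp, repo, commit, []byte("constructed worker bundle v1 + backdoor")))
	fmt.Println("wrong commit:   ", Verify(pub, sp, repo, "deadbeef", artifact))
}
```

The check only relocates trust, exactly as the post says: a compromised or dishonest issuer can sign anything. It also assumes the build is reproducible, so that the reviewed commit actually maps to the attested digest, and that the artifact handed to Verify is the one serving traffic; binding the digest to what is really executing is what the post's second option (TPM or enclave remote attestation) adds on top.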