https://warpcast.com/~/channel/walletbeat
polymutex
@polymutex.eth
Very cool work from @niard. The software supply chain rabbit hole can go further!
Stage 0️⃣: Open source [most wallets are here today]
Stage 1️⃣: Reproducible builds [what /walletbeat will look for]
Stage 2️⃣: Onchain build hashes
Stage 3️⃣: Onchain TUF-like update availability warrant canaries
1 reply
1 recast
4 reactions
polymutex
@polymutex.eth
Stage 0️⃣ solves for the bare minimum: Can users know what software they are entrusting their private keys to? Absolute must.
1 reply
0 recast
1 reaction
polymutex
@polymutex.eth
Stage 1️⃣ (reproducible builds) ensures that you are actually running the code that you see on the wallet's open-source repository. Not some backdoored version. Otherwise, how do you even check? You'd need to build it from source, which most users don't (and shouldn't have to) know how to do.
2 replies
0 recast
2 reactions
polymutex
@polymutex.eth
Stage 2️⃣ (onchain build hashes) ensures that the wallet software you are running matches the software that everyone 𝙚𝙡𝙨𝙚 is also running. Putting that onchain ensures all users see the same set of valid build hashes. Otherwise, you could be running some version that you've been tricked into thinking is an official build, but actually isn't.
2 replies
0 recast
1 reaction
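The checks described in the Stage 1️⃣, 2️⃣ and 3️⃣ posts above, as an added example that is not code from the thread, walletbeat or any wallet project. It assumes a constructed release artifact, a constructed registry of valid build hashes standing in for the onchain list (a real client would read it from a contract), and a constructed TUF-style snapshot record with a version number and expiry. The client side then does three things: confirms independent builders produced the same bytes (reproducibility), confirms the installed bytes match a published hash (onchain build hashes), and refuses a snapshot that is expired or older than one it has already seen (the freeze and rollback cases a TUF-like canary is meant to surface).

```python
import hashlib
import hmac

# Constructed sample bytes standing in for a wallet release artifact.
RELEASE_ARTIFACT = b"wallet-app-v1.2.3\x00" + bytes(range(64))

# Constructed stand-in for the set of valid build hashes published onchain
# (stage 2). A real client would read this from a contract; here it is a dict
# so the example runs offline. "1.2.2" is an obviously-placeholder value.
ONCHAIN_BUILD_HASHES = {
    "1.2.3": hashlib.sha256(RELEASE_ARTIFACT).hexdigest(),
    "1.2.2": "0" * 64,
}

# Constructed TUF-like snapshot record (stage 3): a monotonically increasing
# version and an expiry, so a client can tell a stale or replayed registry
# from a live one. Timestamps are arbitrary constructed Unix seconds.
REGISTRY_SNAPSHOT = {
    "version": 7,
    "expires": 1_700_000_000 + 7 * 86400,
    "hashes": ONCHAIN_BUILD_HASHES,
}


def artifact_hash(data: bytes) -> str:
    """SHA-256 of the bytes actually installed on the user's machine."""
    return hashlib.sha256(data).hexdigest()


def independent_builds_agree(build_outputs: list[bytes]) -> tuple[bool, set[str]]:
    """Stage 1: several builders rebuilt from source; do they all yield the same bytes?

    Returns (agree, distinct_hashes). More than one distinct hash means the build
    is not reproducible (or one builder's toolchain is compromised or different).
    """
    distinct = {artifact_hash(b) for b in build_outputs}
    return len(distinct) == 1, distinct


def check_build(data: bytes, claimed_version: str, snapshot: dict,
                now: int, last_seen_version: int) -> dict:
    """Stage 2 + 3: verify the installed bytes against the published registry.

    - fresh:       the snapshot has not expired (freeze attack check)
    - not_rolled_back: snapshot version is not older than one already seen
    - hash_ok:     installed bytes match the published hash for claimed_version
    """
    result = {
        "hash": artifact_hash(data),
        "fresh": snapshot["expires"] > now,
        "not_rolled_back": snapshot["version"] >= last_seen_version,
        "hash_ok": False,
    }
    expected = snapshot["hashes"].get(claimed_version)
    if expected is not None:
        # Constant-time compare is habit for digests, even public ones.
        result["hash_ok"] = hmac.compare_digest(expected, result["hash"])
    result["ok"] = result["fresh"] and result["not_rolled_back"] and result["hash_ok"]
    return result


if __name__ == "__main__":
    agree, hashes = independent_builds_agree([RELEASE_ARTIFACT, RELEASE_ARTIFACT])
    print("reproducible:", agree, hashes)
    print(check_build(RELEASE_ARTIFACT, "1.2.3", REGISTRY_SNAPSHOT,
                      now=1_700_000_000, last_seen_version=6))
    # A tampered artifact fails hash_ok even though the registry is fresh.
    print(check_build(RELEASE_ARTIFACT + b"\x00", "1.2.3", REGISTRY_SNAPSHOT,
                      now=1_700_000_000, last_seen_version=6))
```

The version-and-expiry fields are the part that turns a static hash list into an availability canary: if the registry stops being refreshed, every client eventually sees `fresh` go false and can warn the user that it no longer knows whether its build is still endorsed, rather than silently trusting the last thing it fetched.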
Joel
@joelthor.eth
This actually already happens for Solidity, but most people don't know about it. Hopefully we can have better tooling around it. Ref: https://docs.sourcify.dev/blog/talk-about-onchain-metadata-hash/ https://x.com/joelthorst/status/1922220424676704489
0 reply
1 recast
1 reaction
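The Solidity mechanism Joel refers to, as an added example that is not code from the thread, Sourcify or the Solidity compiler: modern solc appends a small CBOR map to the end of the deployed bytecode, by default containing an `ipfs` multihash of the contract's metadata JSON and the `solc` version, followed by a two-byte big-endian length of that map. Because the metadata JSON itself commits to the source files, anyone can pull the hash out of the onchain bytecode and compare it to the hash of the metadata they were given. The bytecode below is constructed (a few opcodes plus a trailer built by the example's own encoder) so the parser can be exercised offline; the decoder is a minimal CBOR subset sufficient for this trailer and is not a general CBOR library.

```python
import hashlib

# --- minimal CBOR subset: byte strings, text strings, maps (lengths < 65536) ---

def _read_head(buf: bytes, pos: int) -> tuple[int, int, int]:
    """Return (major_type, length_or_value, next_pos) for the item at pos."""
    initial = buf[pos]
    major, info = initial >> 5, initial & 0x1F
    pos += 1
    if info < 24:
        return major, info, pos
    if info == 24:
        return major, buf[pos], pos + 1
    if info == 25:
        return major, int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    raise ValueError("unsupported CBOR length encoding")


def decode_item(buf: bytes, pos: int = 0):
    major, n, pos = _read_head(buf, pos)
    if major == 2:                       # byte string
        return buf[pos:pos + n], pos + n
    if major == 3:                       # text string
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if major == 5:                       # map
        out = {}
        for _ in range(n):
            key, pos = decode_item(buf, pos)
            val, pos = decode_item(buf, pos)
            out[key] = val
        return out, pos
    raise ValueError(f"unsupported CBOR major type {major}")


# --- tiny encoder, only to build the constructed sample bytecode ---

def _cbor_text(s: str) -> bytes:
    b = s.encode()
    return bytes([0x60 | len(b)]) + b          # keys here are < 24 bytes

def _cbor_bytes(b: bytes) -> bytes:
    if len(b) < 24:
        return bytes([0x40 | len(b)]) + b
    return bytes([0x58, len(b)]) + b           # one-byte length, < 256

def build_trailer(ipfs_multihash: bytes, solc_version: bytes) -> bytes:
    """CBOR map {ipfs: ..., solc: ...} followed by its 2-byte length, as solc emits it."""
    cbor = (b"\xa2" + _cbor_text("ipfs") + _cbor_bytes(ipfs_multihash)
            + _cbor_text("solc") + _cbor_bytes(solc_version))
    return cbor + len(cbor).to_bytes(2, "big")


# --- the verification step ---

def extract_metadata(bytecode: bytes) -> dict:
    """Parse the CBOR trailer from deployed bytecode."""
    cbor_len = int.from_bytes(bytecode[-2:], "big")
    cbor = bytecode[-2 - cbor_len:-2]
    meta, end = decode_item(cbor)
    if end != len(cbor):
        raise ValueError("trailing bytes after CBOR map")
    return meta


def metadata_matches(bytecode: bytes, metadata_json: bytes) -> bool:
    """Does the onchain ipfs multihash commit to this metadata JSON?

    An IPFS CIDv0 multihash is 0x12 (sha2-256) 0x20 (32 bytes) + sha256 digest.
    """
    mh = extract_metadata(bytecode).get("ipfs", b"")
    return mh[:2] == b"\x12\x20" and mh[2:] == hashlib.sha256(metadata_json).digest()


# Constructed sample: placeholder metadata JSON and a few runtime opcodes
# (PUSH1 0x80 PUSH1 0x40 MSTORE STOP). The solc bytes 0.8.26 are illustrative.
SAMPLE_METADATA_JSON = b'{"constructed":"metadata placeholder, not a real solc output"}'
SAMPLE_BYTECODE = (
    b"\x60\x80\x60\x40\x52\x00"
    + build_trailer(b"\x12\x20" + hashlib.sha256(SAMPLE_METADATA_JSON).digest(),
                    b"\x00\x08\x1a")
)

if __name__ == "__main__":
    meta = extract_metadata(SAMPLE_BYTECODE)
    print("ipfs multihash:", meta["ipfs"].hex())
    print("solc version bytes:", meta["solc"].hex())
    print("matches our metadata:", metadata_matches(SAMPLE_BYTECODE, SAMPLE_METADATA_JSON))
    print("matches tampered metadata:",
          metadata_matches(SAMPLE_BYTECODE, SAMPLE_METADATA_JSON + b" "))
```

Older compiler versions used a `bzzr0`/`bzzr1` (Swarm) key instead of `ipfs`, and projects can configure the hash to be omitted entirely; the parser above returns whatever keys are present, so a caller should treat a missing `ipfs` entry as "cannot verify" rather than as a match.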