https://warpcast.com/~/channel/walletbeat
0 reply
0 recast
0 reaction
polymutex
@polymutex.eth
Very cool work from @niard. The software supply chain rabbit hole can go further!
Stage 0️⃣: Open source [most wallets are here today]
Stage 1️⃣: Reproducible builds [what /walletbeat will look for]
Stage 2️⃣: Onchain build hashes
Stage 3️⃣: Onchain TUF-like update availability warrant canaries
1 reply
1 recast
4 reactions
polymutex
@polymutex.eth
Stage 0️⃣ solves for the bare minimum: Can users know what software they are entrusting their private keys to? Absolute must.
1 reply
0 recast
1 reaction
polymutex
@polymutex.eth
Stage 1️⃣ (reproducible builds) ensures that you are actually running the code that you see on the wallet's open-source repository. Not some backdoored version. Otherwise, how do you even check? You'd need to build it from source, which most users don't (and shouldn't have to) know how to do.
2 replies
0 recast
2 reactions
Joel
@joelthor.eth
Reproducible builds should actually be standard for dapps as well! E.g. given the code of your dapp I can build the app and get the same CID as published on your ENS name. Probably requires some way for the dapp to specify the hash of the source repo used to make the build. How do you handle this in walletbeat?
1 reply
0 recast
2 reactions
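The two posts above (Stage 1 reproducible builds, and building a dapp to get the same published hash) both come down to one check: does a build of the same source on a different machine, at a different time, yield a byte-identical artifact digest? The example below is added here as an illustration and is not code from walletbeat, Hermit, or either poster. It shows the most common reason a naive comparison fails (file mtimes leaking into the archive) and a normalized archive digest that survives a rebuild. The sample build tree, the `_make_tree` helper and the function names are constructed for this example.

```python
"""Reproducible-build digest check (added example, not walletbeat code).

A build is only verifiable if two independent builds of the same source
hash to the same value. This compares a naive tar digest, which absorbs
file timestamps, with a normalized digest that strips them.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def naive_digest(root: str) -> str:
    """SHA-256 of a plain tar of the build tree.

    tarfile records mtime, uid/gid and mode for every entry, so two builds
    of identical content made at different times produce different digests.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(root, arcname=".")
    return hashlib.sha256(buf.getvalue()).hexdigest()


def deterministic_digest(root: str) -> str:
    """SHA-256 of a normalized tar of the build tree.

    Normalization: entries in sorted order, mtime fixed to 0, uid/gid 0,
    empty owner names, fixed mode. Only file paths and contents remain,
    which is what a published build hash should commit to.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # make traversal order independent of the filesystem
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                info = tar.gettarinfo(full, arcname=os.path.relpath(full, root))
                info.mtime = 0
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644
                with open(full, "rb") as fh:
                    tar.addfile(info, fh)
    return hashlib.sha256(buf.getvalue()).hexdigest()


def verify_against_published(root: str, published_hex: str) -> bool:
    """Stage 2 style check: does a local rebuild match the published digest?"""
    return deterministic_digest(root) == published_hex.lower()


def _make_tree(root: str, mtime: int) -> None:
    """Constructed sample build output: two files, all mtimes forced to `mtime`."""
    os.makedirs(os.path.join(root, "assets"))
    files = {
        "index.html": b"<html>wallet</html>\n",
        os.path.join("assets", "app.js"): b"console.log('wallet');\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))
    os.utime(os.path.join(root, "assets"), (mtime, mtime))
    os.utime(root, (mtime, mtime))


def compare_two_builds() -> dict:
    """Simulate the same source built an hour apart on two machines."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        _make_tree(a, 1_700_000_000)
        _make_tree(b, 1_700_000_000 + 3600)
        published = deterministic_digest(a)  # what the first builder would publish
        return {
            "naive_matches": naive_digest(a) == naive_digest(b),
            "normalized_matches": deterministic_digest(a) == deterministic_digest(b),
            "second_build_verifies": verify_against_published(b, published),
            "published_digest": published,
        }


if __name__ == "__main__":
    for key, value in compare_two_builds().items():
        print(f"{key}: {value}")
```

The normalized digest is the value a project would publish (or, in the Stage 2 scheme above, put onchain); a third party rebuilds from the pinned source and calls `verify_against_published`. Real toolchains leak more than mtimes (absolute build paths, locale, parallel-link ordering), which is why the sandbox approach mentioned later in the thread exists, but the archive-level normalization is the part a verifier controls regardless of toolchain.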
polymutex
@polymutex.eth
We tried to, but the tooling is not being cooperative: https://warpcast.com/darrylyeo/0xbcbb23b9 Options are to either figure out why and send upstream patches, or to make the build process run in a fully-reproducible sandbox like Hermit: https://github.com/facebookexperimental/hermit
1 reply
1 recast
2 reactions
Joel
@joelthor.eth
Could imagine yes.
0 reply
0 recast
1 reaction