walletbeat

Pushed some updates to https://wallet.page yesterday and I wanted to let you know that : 

REPRODUCIBILITY MATTERS : ability to reproduce firmware builds from source will be a criterion

reproducibility matters for clients too👀
@nethermind 
 
check the🧵

Very cool work from @niard.
The software supply chain rabbit hole can go further!
Stage 0️⃣: Open source [most wallets are here today]
Stage 1️⃣: Reproducible builds [what /walletbeat will look for]
Stage 2️⃣: Onchain build hashes
Stage 3️⃣: Onchain TUF-like update availability warrant canaries

Contributor @ /walletbeat.

Censorship resistance requires privacy.

Stage 0️⃣ solves for the bare minimum: Can users know what software they are entrusting their private keys to?

Absolute must.

Stage 1️⃣ (reproducible builds) ensure that you are actually running the code that you see on the wallet's open-source repository. Not some backdoored version.

Otherwise, how do you even check? You'd need to build it from source, which most users don't (and shouldn't have to) know how.

Stage 3️⃣ is about putting software 𝘂𝗽𝗱𝗮𝘁𝗲 𝗮𝘃𝗮𝗶𝗹𝗮𝗯𝗶𝗹𝗶𝘁𝘆 information onchain.

Otherwise, you could be running an official-but-ancient version that still has an unpatched vulnerability.

Blockchains' censorship resistance properties means that by putting that update information onchain, it makes it impossible for patched releases to be censored away from you.

TUF (The Update Framework) tries to get close to this and is used in other security-critical software packages like Tor Browser Bundle.

Stage 2️⃣ (onchain build hashes) ensures that the wallet software you are running matches the software that everyone 𝙚𝙡𝙨𝙚 is also running. Putting that onchain ensures all users see the same set of valid build hashes.

Otherwise, you could be running some version that you've been tricked into thinking is an official build, but actually isn't.

Current rabbit hole: subresource integrity (SRI) and static file names with deterministic hashes.

(Anyone know how to configure a bundler to name and export JavaScript variables with the same names and in the same order?)

We tried to, but the tooling is not being cooperative:
https://warpcast.com/darrylyeo/0xbcbb23b9

Options are to either figure out why and send upstream patches, or to make the build process run in a fully-reproducible sandbox like Hermit:

We tried to, but the tooling is not being cooperative:
https://warpcast.com/darrylyeo/0xbcbb23b9

Options are to either figure out why and send upstream patches, or to make the build process run in a fully-reproducible sandbox like Hermit: https://github.com/facebookexperimental/hermit

Reproducible builds should actually be standard for dapps as well! E.g. given the code of your dapp I can build the app and the the same CID as published on your ENS name. Probably requires some way for the dapp to specify the hash of the source repo used to make the build.

How do you handle this in walletbeat?