https://warpcast.com/~/channel/walletbeat

polymutex
@polymutex.eth
Very cool work from @niard. The software supply chain rabbit hole can go further!
Stage 0️⃣: Open source [most wallets are here today]
Stage 1️⃣: Reproducible builds [what /walletbeat will look for]
Stage 2️⃣: Onchain build hashes
Stage 3️⃣: Onchain TUF-like update availability warrant canaries
1 reply
1 recast
4 reactions

polymutex
@polymutex.eth
Stage 0️⃣ solves for the bare minimum: Can users know what software they are entrusting their private keys to? Absolute must.
1 reply
0 recast
1 reaction

polymutex
@polymutex.eth
Stage 1️⃣ (reproducible builds) ensures that you are actually running the code that you see in the wallet's open-source repository, not some backdoored version. Otherwise, how do you even check? You'd need to build it from source, which most users don't (and shouldn't have to) know how to do.
2 replies
0 recast
2 reactions

polymutex
@polymutex.eth
Stage 2️⃣ (onchain build hashes) ensures that the wallet software you are running matches the software that everyone else is also running. Putting that onchain ensures all users see the same set of valid build hashes. Otherwise, you could be running some version that you've been tricked into thinking is an official build, but actually isn't.
2 replies
0 recast
1 reaction

polymutex
@polymutex.eth
Stage 3️⃣ is about putting software update availability information onchain. Otherwise, you could be running an official-but-ancient version that still has an unpatched vulnerability. Blockchains' censorship resistance properties mean that putting that update information onchain makes it impossible for patched releases to be censored away from you. TUF (The Update Framework) tries to get close to this and is used in other security-critical software packages like Tor Browser Bundle.
0 reply
0 recast
1 reaction
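A client-side check for Stage 2 and Stage 3 as described in the two posts above, added here as an example and not code from walletbeat or any wallet project. Everything about the registry is an assumption: its entries are either releases (version plus sha256 of the artifact) or heartbeats (neither, just proof the publisher's key was still in use, the warrant canary), and the publisher is assumed to have committed to posting at least once every 30 days. The onchain read is replaced by a constructed list so the script runs offline, and the sample artifacts are a few bytes standing in for real binaries. The freshness check plays the role that metadata expiry plays in TUF against freeze attacks: silence past the committed interval is a warning on its own, even when the build you run is official.

```python
"""Verify a running wallet build against an onchain-style release registry.

Added example, not wallet code. Registry schema, heartbeat rule and sample data are assumptions.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

DAY = 24 * 60 * 60


def sha256hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class RegistryEntry:
    """One record as read back from the registry contract (assumed schema).

    A release carries a version and the artifact's sha256. A heartbeat carries neither and
    only shows the publisher's key was still in use at `published_at`.
    """
    published_at: int                  # timestamp of the block that recorded the entry
    version: Optional[tuple] = None    # (major, minor, patch); None for a heartbeat
    sha256: Optional[str] = None       # hex digest of the build; None for a heartbeat


@dataclass(frozen=True)
class Verdict:
    status: str   # "ok" | "unofficial" | "feed_stale" | "update_available"
    detail: str


def fmt(version: tuple) -> str:
    return ".".join(map(str, version))


def verify_running_build(artifact: bytes, entries: list, now: int,
                         max_silence: int = 30 * DAY) -> Verdict:
    """Stage 2: is the running build one that everyone else can see is official?
    Stage 3: has the publisher been heard from recently, and is a newer build out?

    `max_silence` is the interval the publisher committed to (assumed: 30 days). A longer
    gap is treated as a stale or censored feed, or a publisher that lost its key.
    """
    releases = [e for e in entries if e.sha256 is not None]
    by_hash = {e.sha256: e for e in releases}
    digest = sha256hex(artifact)

    running = by_hash.get(digest)
    if running is None:
        # Not in the shared registry: a modified build, or a release that never made it onchain.
        return Verdict("unofficial", f"sha256 {digest[:16]}... is not a published release")

    newest = max(entries, key=lambda e: e.published_at)
    if now - newest.published_at > max_silence:
        days = (now - newest.published_at) // DAY
        return Verdict("feed_stale",
                       f"no release or heartbeat for {days} days (limit {max_silence // DAY})")

    latest = max(releases, key=lambda e: e.version)
    if running.version < latest.version:
        return Verdict("update_available",
                       f"running {fmt(running.version)}, latest is {fmt(latest.version)}")
    return Verdict("ok", f"running {fmt(running.version)}, registry is fresh")


# Constructed sample data standing in for the registry and the installed artifact.
T0 = 1_700_000_000
ARTIFACT_V1 = b"wallet 1.0.0 (constructed stand-in for the real binary)"
ARTIFACT_V11 = b"wallet 1.1.0 (constructed stand-in, patched release)"
REGISTRY = [
    RegistryEntry(T0, (1, 0, 0), sha256hex(ARTIFACT_V1)),
    RegistryEntry(T0 + 40 * DAY, (1, 1, 0), sha256hex(ARTIFACT_V11)),
    RegistryEntry(T0 + 60 * DAY),   # heartbeat only: no new release, key still held
]

if __name__ == "__main__":
    cases = [(ARTIFACT_V11, T0 + 70 * DAY), (ARTIFACT_V1, T0 + 70 * DAY),
             (b"backdoored build", T0 + 70 * DAY), (ARTIFACT_V11, T0 + 100 * DAY)]
    for artifact, now in cases:
        verdict = verify_running_build(artifact, REGISTRY, now)
        print(f"{verdict.status:17} {verdict.detail}")
```

The ordering of the checks is deliberate: an unknown hash is reported before anything else because it is the one verdict the user can act on immediately, but a stale feed should also make the user distrust an "unofficial" verdict, since a censored registry is one way a genuine release can be missing from it.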

Joel
@joelthor.eth
This actually already happens for solidity, but most people don't know about it. Hopefully we can have better tooling around it. Ref: https://docs.sourcify.dev/blog/talk-about-onchain-metadata-hash/ https://x.com/joelthorst/status/1922220424676704489
0 reply
1 recast
1 reaction
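What Joel's reference points at, written out as an added example rather than Sourcify's own code: solc appends to every contract's bytecode a CBOR-encoded map (the IPFS multihash of the metadata JSON and the compiler version) followed by the map's two-byte length, so anyone can pull the hash out of deployed code and check it against the metadata they were shown, which is the comparison a metadata-hash ("full") match rests on. The bytecode and metadata JSON below are constructed; `build_trailer` exists only to fabricate that sample in the layout solc 0.8.x uses.

```python
"""Read the CBOR metadata trailer solc appends to contract bytecode and verify it.

Added example, not Sourcify or solc code. Sample bytecode and metadata are constructed.
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Bitcoin-style base58; a CIDv0 ('Qm...') is the base58 of a sha2-256 multihash."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * zeros + out


def _cbor_decode(buf: bytes, pos: int):
    """Minimal CBOR decoder: maps, text/byte strings, booleans. Enough for solc's trailer
    ({"ipfs" or "bzzr1": bytes, "solc": bytes, optionally "experimental": bool})."""
    first = buf[pos]
    pos += 1
    major, info = first >> 5, first & 0x1F
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = buf[pos], pos + 1
    elif info == 25:
        arg, pos = int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    else:
        raise ValueError(f"unsupported CBOR length encoding {info}")
    if major in (2, 3) and pos + arg > len(buf):
        raise ValueError("CBOR string runs past end of buffer")
    if major == 2:                        # byte string
        return buf[pos:pos + arg], pos + arg
    if major == 3:                        # text string
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 5:                        # map
        items = {}
        for _ in range(arg):
            key, pos = _cbor_decode(buf, pos)
            val, pos = _cbor_decode(buf, pos)
            items[key] = val
        return items, pos
    if major == 7 and info in (20, 21):   # false / true
        return info == 21, pos
    raise ValueError(f"unsupported CBOR major type {major}")


def parse_metadata_trailer(bytecode: bytes) -> dict:
    """The last two bytes are the big-endian CBOR length; the CBOR map sits just before them."""
    cbor_len = int.from_bytes(bytecode[-2:], "big")
    if cbor_len + 2 > len(bytecode):
        raise ValueError("metadata length exceeds bytecode")
    cbor = bytecode[-2 - cbor_len:-2]
    meta, end = _cbor_decode(cbor, 0)
    if end != len(cbor) or not isinstance(meta, dict):
        raise ValueError("malformed metadata trailer")
    return meta


def solc_version(meta: dict) -> str:
    return ".".join(str(b) for b in meta["solc"])


def metadata_cid(meta: dict) -> str:
    """'ipfs' holds a multihash: 0x12 (sha2-256), 0x20 (32 bytes), digest. Base58 of it is the CIDv0."""
    mh = meta["ipfs"]
    if mh[:2] != b"\x12\x20" or len(mh) != 34:
        raise ValueError("unexpected multihash")
    return b58encode(mh)


def metadata_matches(bytecode: bytes, metadata_json: bytes) -> bool:
    """The metadata JSON you were shown must hash to the digest the deployed bytecode carries."""
    return parse_metadata_trailer(bytecode)["ipfs"][2:] == hashlib.sha256(metadata_json).digest()


def build_trailer(metadata_json: bytes, solc: tuple) -> bytes:
    """Fabricate a trailer in the solc 0.8.x layout, only to construct the sample below."""
    cbor = (b"\xa2"                                   # map(2)
            + b"\x64ipfs" + b"\x58\x22" + b"\x12\x20" + hashlib.sha256(metadata_json).digest()
            + b"\x64solc" + b"\x43" + bytes(solc))     # text(4) "solc", bytes(3)
    return cbor + len(cbor).to_bytes(2, "big")        # 51 bytes -> 0x0033


# Constructed sample: a few prologue bytes stand in for runtime code, then the trailer.
SAMPLE_METADATA_JSON = b'{"compiler":{"version":"0.8.20"},"language":"Solidity","sources":{}}'
SAMPLE_BYTECODE = bytes.fromhex("6080604052348015600e575f80fd5b50") + build_trailer(SAMPLE_METADATA_JSON, (0, 8, 20))

if __name__ == "__main__":
    meta = parse_metadata_trailer(SAMPLE_BYTECODE)
    print("solc", solc_version(meta), "metadata CID", metadata_cid(meta))
    print("metadata matches:", metadata_matches(SAMPLE_BYTECODE, SAMPLE_METADATA_JSON))
```

On a real contract the bytecode comes from `eth_getCode` and the metadata JSON from the compiler output (or from IPFS under the CID printed above); a mismatch means the sources and settings you were shown are not the ones the deployed code was compiled from, even when the rest of the bytecode looks identical.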