2023-05-26 13:15:48
in reply to

ezofox on Nostr: Sorry, seeing this in my notifications now. I agree it’s hard to know what’s ...

Sorry, seeing this in my notifications now.

I agree it’s hard to know what’s newly added to the code without understanding what it does and if it’s malicious in nature.

I often do read through new commits that get tagged into a release for some open source projects, but it hasn’t been the case for ColdCard.

Generally you can’t trust any code until you verify what it does and its functional purpose. Open Source by nature doesn’t mean secure or private. It needs audits and validation. However, I think the purpose of the build verification is to add a layer of certainty that the signed build of the firmware is at least the same as what we can build ourselves.
Author Public Key
npub16jzr7npgp2a684pasnkhjf9j2e7hc9n0teefskulqmf42cqmt4uqwszk52