I would love to expand WalletScrutiny to Linux but how?

Leo Wandersleb leo at LeoWandersleb.de
Sat Aug 1 05:51:31 UTC 2020


Hi list,

for weeks I have had ideas on how to expand WalletScrutiny.com from only
monitoring Android Bitcoin wallets to also monitoring Linux wallets for
reproducibility.

On Linux in general, reproducibility is much more of a topic than on Android, so
I hope to find much more of it here, but most see reproducibility as a tool a
user can use to reassure himself that a binary he downloaded was compiled from a
certain source code. The scope of WalletScrutiny is slightly more ambitious: I
hope to catch as early as possible any rogue update that would otherwise have a
huge impact, and to protect the user who is ignorant of the topic of
reproducibility.

On Android there is:

* effectively one repository of binaries (Google Play). Alternative repositories
(FDroid, Amazon, ...) account for probably still less than 1% of the market.
* updates are pinned to a release manager's private key as the user cannot
install an update that is not signed by the same key as all the previous versions.

On Linux there is:

* The provider's website's download link.
* Significantly more than one relevant Linux distribution, each with its own app
repository and maintainers.
* Snap as an attempt at providing apps to multiple Linux flavors.
* Secondary websites.
* No pinning to a signing key unless the app has a self-update feature, which is
scary, too.

On Android many developers reacted allergically to their app not being
reproducible. "After all, they develop it for free as open source." And when I
say "prove it!", they usually don't get any friendlier, but I try to distinguish
between the developer, who owes me nothing, and the release maintainer, who
should have some accountability when providing a wallet application to the
general public. In that sense, I don't care too much about the developer but
about those who press the compile button to then share that binary with users to
safeguard funds. The project would have to list wallets sliced by release
managers and repositories: "wallet X as obtained from walletx.org" vs. "... as
obtained from Debian" ...

There is a long way ahead to cover any significant number of wallet users, as
that requires learning about accountability in the various repositories,
poisoning detection, etc.

If you think you know how to spread the word about reproducibility in the
context of Bitcoin wallets through WalletScrutiny, your contributions are highly
welcome on [this
PR](https://gitlab.com/walletscrutiny/walletScrutinyCom/-/merge_requests/68) or
its repository in general.

Kind Regards,

Leo Wandersleb
