Comments (9)
No worries. It is unfortunate this happened, but alerting users to hold off with updating in such a case is exactly what your project should be doing.
I agree, there should be an automated way to make sure the APK is verifiable before we submit it to the playstore. Let's have a chat about that in your repository.
from airgap-vault.
> it shouldn't add to your stress levels
I agree and I appreciate you see it like that but others don't and with 165 wallet apps out there and none getting shunned over any such issue leaves less committed players attack me on Twitter without problem. Look how Samourai have tons of fan-boys despite them being hostile to any form of scrutiny and openly reject rebuildability.
I want to establish something with patience and therefore the top category is green despite there not being any wallet that has
- an independent and solid bug bounty program
- committed to decelerate their release process so security researchers can do their thing
I don't know how smaller and not-for-profit open source projects could live up to such standards but without scrutiny, nobody should trust any wallet. I have some ideas how to raise the bar further but for now I hope to see more apps join the ranks of reproducible wallets.
from airgap-vault.
Hi, thanks for reaching out. That shouldn't be the case.
I'll investigate ASAP and get back to you.
from airgap-vault.
It's 2am here. Sorry I probably will not update the site without sleeping a bit first.
Also sorry for publishing such alerts without checking back with you but it's kind of a race if the new release was bad, which I assume it is not but just in principle. I worded the tweet carefully.
I hope we get to a point where new releases can get checked for rebuildability earlier. I'm still figuring out how that could best be done. I guess ideally projects would add the build with or without signature to their repo or another place where a script can easily find it. Then hopefully rebuild issues would get sorted out before Google approves the release.
from airgap-vault.
So I finally had time to look at this and I found 2 issues:
- We recently changed from using `cordova` to `capacitor`. While the main build still happens in the docker and doesn't have to be changed in your script, the replacement of the version number is now in a different place. I fixed that in this PR: https://gitlab.com/walletscrutiny/walletScrutinyCom/-/merge_requests/63
- Regarding the reproducibility of the latest version: It looks like the reason for this was a simple commit hash mixup. We created the tag for `3.3.0` a week ago when we submitted the APK to the playstore, but we then found an issue with that release and created an updated version, which we released to the play store last Friday. I did not remember that we had already released the `3.3.0` tag, so that tag was referencing an old commit hash. I re-created the tag to point to the correct commit.

We'll try to improve the handling of tags/releases in the future, also regarding signing tags: #20
I hope that fixes the issue and you can update our status to reproducible again. :)
from airgap-vault.
Thanks for the MR. It worked. Website is updated.
Please consider commenting on this issue in order to prevent such down-times. I get stressed when I have to warn of rebuild issues as they usually are not actually big issues. And some wallets react less relaxed than you guys, too, adding to the stress. I'd hope to get to a point where each wallet does the necessary changes to the test script before I or any rebuilder might get to deal with the new release and ideally I would get the apk stripped of its signature as soon as it's built. This would be for later when failed rebuilds trigger actual warnings to users that care. Now, nobody cares yet.
from airgap-vault.
Thanks for updating the website and we will comment on your issue.
EDIT: Maybe just to add to your comment. We are planning to integrate some kind of automatic step to make sure the build is reproducible. But I would consider it our responsibility to make sure our builds are verifiable in any case, so if they are not because of a build script change or a tag issue (like it was in our case), it shouldn't add to your stress levels, at least not from our side.
from airgap-vault.
I would definitely like to see how we can raise the bar even further. But you're probably right, first the wallets in the non-reproducible list should be convinced to make the effort to become reproducible.
One last thing, could you maybe send out another tweet saying that 3.3.0 is now reproducible?
from airgap-vault.
> One last thing, could you maybe send out another tweet saying that 3.3.0 is now reproducible?
Yes, sorry, wanted to do that anyway. Multitasking ...
from airgap-vault.