nerd2ninja; 🥪 on Nostr: "The wallet pings an onion URL to check for a new version" So let me tell you how ...
"The wallet pings an onion URL to check for a new version"
So let me tell you how this can all go wrong.
From clearnet to Tor username reuse, to social engineering attacks (and lastly actual exploits) there are a lot of ways to reveal the identity of the developers and get into the server that hosts the updated program.
If a whole userbase that doesn't want their ID tied to their Bitcoin transactions is using this software for that purpose, and among that userbase is a criminal of any sort, then a malicious update to deanonymize the entire userbase is a real and persistent threat.
quoting nevent1q…q5qv:
I've finished comparing the released Ashigaru code with Samourai Wallet.
I did this for my own, personal usage, but it might serve others. Feel free to add your remarks/questions, DYOR and/or wait for more reviews.
TL;DR: I found nothing wrong and plan to use it soon.
I ran a diff between this release and TDevD's commit from Apr 24th. I didn't check the code between the latest SW release and that date since I already trusted SW.
Ashigaru devs (AD) published release notes [1] and there are also the commit messages from SW commit radar [2].
SW had a fork of bitcoinj. I never had it cloned and it's possible the repository is lost :(
The library and source code are downloaded from JitPack. According to their logs [3], it was built on Mar 20th.
Unless AD are wicked and in cahoots with JitPack, it should be safe for me.
=====
From ExtLibJ, which is used for Stonewall, Soroban, BIP47 etc, there are no changes, except for backend URLs.
Comparison was made with noosphere888's repository [4].
=====
Ok, so now on to the actual review.
New features: the wallet pings an onion URL to see if there's a new version, maybe because there's no Play store and they have no social media.
Also there's a new wallet sync view.
Tor and own Dojo are now mandatory.
OXT explorer was removed. Apparently one is available only if the Dojo instance has one.
Soroban (without Joinbot) and Ricochet are back. So is PayNym, under a new directory. The connect fee has been waived.
Whirlpool was removed from the GUI, and so were the options to contact SW's support.
About the new directory, I would like to file a complaint against the CEO. What the hell was that 😭😭😭🗣️🗣️🗣️
To finish the review, there were many changes due to rebranding, changing URLs, colours and addresses.
=====
The build is reproducible as per the instructions. I used unzip instead of apktool because it's faster and was already installed.
That's it, congratulations and good luck to Ashigaru devs. Now, take some time to visit http://freesamourai.com [5].
#FreeSamourai
Links:
[1] https://ashigaru.rs/news/release-wallet-v1-0-0
[2] https://t.me/SamouraiCommitRadar
[3] https://jitpack.io/io/samourai/code/whirlpool/bitcoinj/007/build.log
[4] https://github.com/noosphere888/ExtLibJ
[5] https://freesamourai.com
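The threat in nerd2ninja's post (a compromised update server pushing a malicious build) and the check in the quoted review (rebuild from source, unzip instead of apktool, compare) are two sides of the same control: a reproducible build lets anyone detect a release that no longer matches the published source. The following is an added example, not code from nerd2ninja, the reviewer, Ashigaru or Samourai Wallet; it compares two APK-shaped zip archives entry by entry using content hashes, ignoring the `META-INF/` signing files (an assumption about what legitimately differs between an unsigned local build and a signed release). The archives, file names and contents are constructed for the demo.

```python
"""Entry-by-entry comparison of a locally built APK against a downloaded
release, the way a reproducible-build check is done with unzip: hash every
file's contents and report anything added, missing or modified.
Added example; the archives below are constructed, not real releases.
"""
import hashlib
import io
import zipfile

# Assumption: signing artefacts under META-INF/ differ between an unsigned
# source build and the signed release, so they are excluded from the diff.
DEFAULT_IGNORE_PREFIXES = ("META-INF/",)


def entry_digests(apk_bytes: bytes, ignore_prefixes=DEFAULT_IGNORE_PREFIXES) -> dict:
    """Return {path: sha256hex} for every file entry, skipping ignored prefixes.
    Only contents are hashed, so zip timestamps and ordering do not matter."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(ignore_prefixes):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(local_apk: bytes, release_apk: bytes) -> dict:
    """Classify entries as only_local, only_release or modified.
    All three lists empty means the release matches the source build."""
    local = entry_digests(local_apk)
    release = entry_digests(release_apk)
    return {
        "only_local": sorted(set(local) - set(release)),
        "only_release": sorted(set(release) - set(local)),
        "modified": sorted(p for p in local.keys() & release.keys()
                           if local[p] != release[p]),
    }


def is_reproducible(local_apk: bytes, release_apk: bytes) -> bool:
    """True when no entry differs outside the ignored prefixes."""
    return not any(compare_builds(local_apk, release_apk).values())


def make_apk(entries: dict) -> bytes:
    """Build a constructed, APK-shaped zip in memory from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed samples: a source build, an honest signed release, and a
# release whose code was altered and which carries an extra file.
LOCAL_BUILD = make_apk({
    "classes.dex": b"dex\n035\x00" + b"A" * 64,
    "resources.arsc": b"constructed resources",
    "assets/release_notes.txt": b"v1.0.0",
})
HONEST_RELEASE = make_apk({
    "classes.dex": b"dex\n035\x00" + b"A" * 64,
    "resources.arsc": b"constructed resources",
    "assets/release_notes.txt": b"v1.0.0",
    "META-INF/CERT.RSA": b"constructed signature blob",  # ignored by design
})
TAMPERED_RELEASE = make_apk({
    "classes.dex": b"dex\n035\x00" + b"B" * 64,  # code differs from source
    "resources.arsc": b"constructed resources",
    "assets/release_notes.txt": b"v1.0.0",
    "assets/extra.bin": b"not present in the source tree",  # added file
})

if __name__ == "__main__":
    print("honest release reproducible:", is_reproducible(LOCAL_BUILD, HONEST_RELEASE))
    print("tampered release diff:", compare_builds(LOCAL_BUILD, TAMPERED_RELEASE))
```

On real archives, replace the constructed `make_apk` inputs with the bytes of the APK you built from the tagged source and the APK served by the update URL; a non-empty `modified` or `only_release` list is the signal that the served binary is not what the published code produces, regardless of how the update server was reached.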