What is important about open source? Is it that others can review the code, or is it that others can profit off of the code? If it is the former, then ColdCard is fine. If it is the latter, then they don't allow others to use their code for profit.


Discussion

By the way, the source code is fully reviewable here:

https://github.com/coldcard/firmware

Software license details here:

https://github.com/coldcard/firmware?tab=License-2-ov-file

AFAIK, it doesn't have the verifiable builds. Am I wrong?

What's the difference between verifiable builds and reproducible builds? Instructions on how to build from source and get exactly the same bytes are included in the ReadMe.

Same, maybe I used the wrong words.

So you're saying we can build from source and use that as firmware on the cold card? If so, cool, thanks for informing me, I haven't had the time and motivation to verify yet.

It's not that simple.

The fact you can't use it for any business of your own seriously disincentivizes good people from taking long, thorough looks.

With a real FOSS license you can fuck around and know that if something cool comes out of it you'll be free to use it.

With the CC's license you're restricted to the set of people who will donate their time to audit.

It makes a big difference.

I'd think anyone who has the capability to review it and is considering using a ColdCard to store their life savings would be pretty highly motivated to review it. Yes, that is a very small minority of folks, but it only takes one to sound an alarm.

I do take your point that having the option to use the code for your own for-profit project would very likely attract more folks to review it, though. That said, all the alarmism about it does not generally take that kind of nuanced approach from what I have seen. Indeed, you're the first person I have seen make that point.

Most of the time it's "OMG! ColdCard isn't open source!!?? How do we know they aren't going to rug pull us and steal all our money since there's no way to know what is running on their hardware!!??"