Verifying the reproducibility of bitcoin core is way harder than I expected. And the problem is, with multiple engineers doing it, I know that it's my fault if it doesn't build...
Thoughts.
Have you used act? Basically lets you run GitHub Actions locally.
My opinion is essentially that no app should actually have to tell you how to build their app (if they care about reproducible builds). nostr:nprofile1qqsyvrp9u6p0mfur9dfdru3d853tx9mdjuhkphxuxgfwmryja7zsvhqpzamhxue69uhhv6t5daezumn0wd68yvfwvdhk6tcpz9mhxue69uhkummnw3ezuamfdejj7qgwwaehxw309ahx7uewd3hkctcscpyug I plan to use amethyst as my initial test, do you think I'll have any issues?
Here's my plan:
Hit zapstore for apk or just the hash since it's blossom
Then locally run the pipeline via act and upload to blossom and confirm the hashes are identical.
Once that is confirmed working, do the same thing but via the CICD DVM.
Then lastly do the nostr attestation which I've been discussing with folks on the github (so there might be some decent work to do there to make sure it has all the information I want).
That's basically the POC. If I can get through this, I'd want to work with zapstore to add either:
Badges for apps/versions with reproducible builds
Or
Figure out how to add custom collections that are paywalled with a small zap to be able to pay the DVM bill (for example, if I have 10 apps that I'm attesting to, it could cost me like 100,000 SATs to do the reproducible build for each version). Probably ends up requiring a paid relay. Initially I'd probably just fund it myself and see how many zaps I can collect from just running the pipeline 1x/month.
If this ends up proving valuable, then my plan is to implement the fdroid dark pattern stuff (which I recently discovered is actually just manual) as scripts for the DVM stuff. I think this is a way to get the non-bitcoin security-focused folks onto nostr, by having MORE features in our app store.
End user ux:
Go to zapstore to download app.
See the following badges/filters:
Reproducible builds (clicking this should take you to the DVM results of that version's reproducible build)
Does(not) use location services
Does(not) depend on non-free services
Does(not) depend on a centralized server (? e.g. Proton VPN vs something like amethyst that lets you run your own server/relay)
Does (not) employ tracking
Etc
Sorry for the long note, but I took my meds today and I'm really fucking stoked about this idea but I'm pretty sure only like 5 people would care.
No worries - I had chatGPT summarize it. :P
Wow, this seems pretty complicated, and I don't consider myself a full-fledged developer just yet. I haven't tried ACT, but I'd be interested in giving it a go; it sounds like it could be helpful. Just to clarify, we mainly use tools like diff and diffoscope instead of SHA256sum, because it's very rare for the SHA-256 checksums of APKs from Google Play to match those of the ones built from source. Also, I'm not very familiar with Zapstore, and I don't know much about DVM either. I'm currently trying to verify the reproducibility of bitcoin core for desktop using GUIX. I'm sure that the devs have done this themselves, but I'm giving it a go.
For the methodology, we have several pre-built scripts - that you are free to modify and adapt for your own use.
I'm thinking of whether to give you the new method, which includes nostr attestations (we are still working on it), or the minute step-by-step procedure for specific wallets with specific versions.
If the latter, we can try out a test case.
Say app id: de.schildbach (aka Schildbach Bitcoin Wallet)
OLD METHOD:
1. Extract the APK from your phone.
2. Fork and clone walletscrutiny locally. Instructions here: https://gitlab.com/walletscrutiny/walletScrutinyCom
3. Once you've set up your environment and have the apk ready,
4. in the nostr:nprofile1qywhwumn8ghj7mn0wd68ytnzd96xxmmfdejhytnnda3kjctv9uqsuamnwvaz7tmwdaejumr0dshsz9thwden5te0dehhxarj9ehhsarj9ejx2a30qyghwumn8ghj7mn0wd68ytnhd9hx2tcpremhxue69uhkummnw3ez6ur4vgh8wetvd3hhyer9wghxuet59uqzpytvkhls05a4rnhh76mt0a28nvgqrdqpcr5z2k8wrg39qnra2p7fp72lx8 root directory, run:
`$ ./test.sh -a /path/to/apk/file.apk`
5. The script runs and there's a verdict.
This case is the easiest - for a huge majority of the apps we test, more often than not, the scripts break. So that's the part that takes research and collaboration.
Many projects should have instructions on how to build their app - unfortunately, they don't. We file an issue in their repo. If they respond, cool! If not, then we try trial and error until we manage to build it.
Do tell, if you've reached this point.
For the new method...I'll tell you when you finish this.
```
make[1]: Leaving directory '/home/dannybuntu/home/dannybuntu/bitcoin/depends'
make: Leaving directory '/home/dannybuntu/home/dannybuntu/bitcoin/depends'
INFO: Building 29.0 for platform triple x86_64-linux-gnu:
...using reference timestamp: 1744384813
...running at most 4 jobs
...from worktree directory: '/home/dannybuntu/home/dannybuntu/bitcoin'
...bind-mounted in container to: '/bitcoin'
...in build directory: '/home/dannybuntu/home/dannybuntu/bitcoin/guix-build-29.0/distsrc-29.0-x86_64-linux-gnu'
...bind-mounted in container to: '/distsrc-base/distsrc-29.0-x86_64-linux-gnu'
...outputting in: '/home/dannybuntu/home/dannybuntu/bitcoin/guix-build-29.0/output/x86_64-linux-gnu'
...bind-mounted in container to: '/outdir-base/x86_64-linux-gnu'
ADDITIONAL FLAGS (if set)
ADDITIONAL_GUIX_COMMON_FLAGS:
ADDITIONAL_GUIX_ENVIRONMENT_FLAGS:
ADDITIONAL_GUIX_TIMEMACHINE_FLAGS:
guix shell: error: mount: mount "none" on "/home/dannybuntu/tmp/guix-directory.PeHlio": Permission denied
```
Possible solution... run as `sudo`
Doing research on how to reproducibly verify desktop bitcoin core.
So far: 
> From FB:
> I was just watching the new season of "HOW TO SELL DRUGS ONLINE (FAST)". I got to the bit where the startup is kidnapped by drug dealers and forced to make an encrypted messaging app for them. Managed to pause the video when Dan the CEO is pretending he knows how to write code so he doesn't get shot

And it all comes crashing down...
I wonder what will happen to the "blockchain" incubator they put up in the Philippines.
And also, some misguided government projects: https://technology.inquirer.net/122504/the-philippine-government-will-digitalize-with-bsv-blockchain
https://www.youtube.com/watch?v=SQ0mBnJmd6I
The Primeagen talks about Open Source
Makes sense! If you're installing the GitHub APK via Obtainium, verifying that binary is valid for your use case.
WalletScrutiny focuses on trustless verification of Play Store builds - since that's what most users receive, often without knowing if it matches source. Different threat models, same goal: auditability.
We don't verify against GitHub releases - we verify against what users actually receive from the Play Store.
At WalletScrutiny.com, we extract the APK installed on a real device (or downloaded directly from the Play Store via an API), then build the app from source following the developer's instructions. We compare the two using tools like `diffoscope` or `apktool` to check for byte-for-byte reproducibility. If they match (excluding signing differences), the app is reproducible.
Using the GitHub APK assumes trust - we're focused on trustlessness.
Hi! To verify the reproducibility of your apk, first ensure that your app is source-available (open source). You need to extract your apk from the phone. There are third-party apps that do that, but if you want to be sure, you could use WalletScrutiny.com's in-house script, which just runs adb:
https://gitlab.com/walletscrutiny/walletScrutinyCom/-/blob/master/apkextractor_sync.sh
You may clone the entire walletscrutiny.com repository if you plan on pushing through with doing the entire process.
Now, most Android apps can be distributed either as a single apk or as a bundle of apks (split apks).
Before you run that script though, ensure that your phone is connected to the PC, with Developer Mode and USB debugging both on.
If you run apkextractor_sync.sh, run it like so (example for illustrative purposes; you need to find the appID of your app):
$ ./apkextractor_sync.sh io.nunchuk.android
The script will tell you whether your app is a single apk or a split bundle.
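The comparison step described above (build from source, then check the extracted APK against the local build byte-for-byte while excluding signing differences) as an added example. This is not WalletScrutiny's own script and not a substitute for `diffoscope`; it only shows why a whole-file SHA-256 almost never matches a Play Store APK while an entry-by-entry comparison can still pass. The two APKs below are constructed in memory, and the package name and file contents are placeholders.

```python
"""
Added example: compare two APKs entry by entry, excluding only the files
that a store's (re)signing adds or rewrites. Not WalletScrutiny's script.
"""
import hashlib
import io
import zipfile

# v1 (JAR) signing lives in META-INF as MANIFEST.MF, *.SF and a *.RSA/*.DSA/*.EC
# certificate file. v2/v3 signing lives in the APK Signing Block, which is not a
# ZIP entry at all, so reading entries through the central directory skips it.
SIGNING_FILES = {"META-INF/MANIFEST.MF"}
SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")


def is_signing_entry(name):
    """True for the ZIP entries that only exist because of v1 signing."""
    if name in SIGNING_FILES:
        return True
    return name.startswith("META-INF/") and name.upper().endswith(SIGNING_SUFFIXES)


def entry_digests(apk_bytes):
    """Map each non-signing entry name to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signing_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(store_apk, built_apk):
    """Return (reproducible, report). reproducible is True only when every
    non-signing entry exists in both APKs with identical content."""
    a, b = entry_digests(store_apk), entry_digests(built_apk)
    report = {
        "only_in_store": sorted(set(a) - set(b)),
        "only_in_build": sorted(set(b) - set(a)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }
    return not any(report.values()), report


def whole_file_sha256(data):
    """The naive check: hash of the complete file, signature included."""
    return hashlib.sha256(data).hexdigest()


def make_apk(entries):
    """Constructed sample: an in-memory ZIP standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed inputs (placeholder package and contents, not a real app).
COMMON = {
    "AndroidManifest.xml": b"<manifest package='io.example.app'/>",
    "classes.dex": b"dex\n035\x00" + bytes(64),
    "res/values/strings.xml": b"<resources/>",
}
# Same code, signed by two different keys: what a real verification looks like.
STORE_APK = make_apk({**COMMON, "META-INF/MANIFEST.MF": b"store",
                      "META-INF/PLAY.RSA": b"\x30\x82"})
BUILT_APK = make_apk({**COMMON, "META-INF/MANIFEST.MF": b"local",
                      "META-INF/CERT.RSA": b"\x30\x83"})
# A build whose resources drifted from the store APK: must fail the verdict.
DRIFTED_APK = make_apk({**COMMON,
                        "res/values/strings.xml": b"<resources><string/></resources>"})

if __name__ == "__main__":
    print("whole-file hashes equal:",
          whole_file_sha256(STORE_APK) == whole_file_sha256(BUILT_APK))
    for label, candidate in (("signed build", BUILT_APK), ("drifted build", DRIFTED_APK)):
        ok, report = compare_apks(STORE_APK, candidate)
        print(label, "reproducible" if ok else "NOT reproducible", report)
```

The entry-level comparison ignores compression level, ZIP timestamps and entry order, which is why `diffoscope` is still the tool of record: it also decompiles `classes.dex` and resources so that a real difference can be located rather than just detected. Note that comparing only entry contents says nothing about the APK Signing Block; the store's v2/v3 signature is simply not part of what is checked, which is exactly the "excluding signing" rule stated above.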
Just verified a reproducible build of Nunchuk v1.67.0 (io.nunchuk.android)!
The APK from my phone matches the one built from source (tag: android.1.67)
Signing excluded, but the code checks out byte-for-byte.
SHA-256: 41a66972d53121db4c77fd54bd79202822074fea6db35059b3049bfb5571bb73
up or down, we build.
This is undeletable so I will try to make a better one.
Well, not "most frustrating" but "key areas for improvement"
- What draws people to twitter are thoughtful, up-to-date news, valuable and, most importantly, directly usable information from key insiders.
Federalism and the Risk of Invasive Foreign Presence in the Philippines: The Case of POGOs and Property Ownership
Federalism has long been a polarizing proposition in the Philippine political landscape. Advocated by former President Rodrigo Duterte during his campaign and throughout his administration, federalism was framed as a structural reform to decentralize power, promote regional development, and empower local governments. However, embedded within the proposed shift was an agenda to amend the 1987 Constitution, specifically the provisions that restrict foreign ownership of land and corporations. While such reforms were often marketed as economic liberalization, they also carried significant national security implications, particularly in the context of increasing Chinese economic presence in the country.
One notable development during Duterte's term was the proliferation of Philippine Offshore Gaming Operators (POGOs), many of which were owned or managed by Chinese nationals. These entities quickly expanded across Metro Manila and other regions, occupying commercial and residential properties and employing tens of thousands of foreign workers. The rise of POGOs was seen by some analysts as a proxy for a broader Chinese economic and possibly geopolitical footprint in the Philippines.
Had constitutional amendments favoring federalism succeeded, particularly those that relaxed restrictions on foreign ownership of land and critical industries, it is plausible that POGOs and similar foreign entities could have transitioned from tenants to landowners, securing permanent footholds in Philippine real estate and corporate sectors. This scenario, had it fully materialized, would have complicated efforts to regulate or expel these entities, especially amid mounting concerns of espionage, tax evasion, and criminal activity linked to some POGOs. The eventual crackdown on POGOs and the exposure of controversial figures such as Bamban Mayor Alice Guo underscore the depth and sensitivity of this issue.
In this light, the failure to implement federalism during the Duterte administration, and the continued suspension of such reforms under the current administration, arguably averted a deeper and more irreversible form of foreign economic entrenchment. The Marcos administration's ban on POGOs can be viewed as a corrective measure that reasserted state control over sectors that had grown vulnerable to foreign manipulation.
A comparative example can be seen in Japan, where the government is currently grappling with the "Akiya phenomenon": an estimated 9 million abandoned homes. Due to lenient property laws that allow foreigners to purchase real estate, Chinese nationals have reportedly been buying properties in large numbers. While Japan has been quicker to legislate restrictions in response, the Philippines' case highlights how constitutional safeguards play a critical role in preventing potentially exploitative foreign acquisition of national assets.
The intersection of constitutional reform, foreign ownership, and national security is thus a crucial area of concern in any federalism discourse in the Philippines. While the promise of federalism may hold developmental allure, its implications for sovereignty and strategic autonomy demand vigilant scrutiny.
Fatherhood - 22 years onwards
I've been a father for 22 years now.
With 8 kids, I sometimes treat fatherhood as an administrative task.
You work, you earn money, you budget for the needs, you set aside a college or education fund, fix broken things at home - and if you're extremely lucky, save up for a vacation.
The Consolidation of Political Dynasties in the Philippines
There is an ongoing political travesty in the Philippines, that only a scarce few can discern: the consolidation of power of political dynasties. This brings about the "illusion of political choice". Political clans in every province, in every city - consolidate power through nepotism. Never before have I seen in my lifetime, where the husband, the wife, the children, the nephews, and even the political lackeys are campaigning for positions in the government.
The very problem lies in the structure of the elections. Incumbents treat government functionaries like their employees. What is supposed to be universal service from the government, becomes a debt-of-gratitude to the incumbents. The masses, who often rely on political personalities for donations to medical bills, livelihood and education, often treat politicians like demi-gods.
Also a part of the problem is rampant vote-buying. Incumbents amass significant political capital during their tenure and then use this to mobilize their dependents come election time. No opposition figure, no political party with clear ideological base can counteract these effects effectively.
All the politicians have to do is to portray an image of being supporters of the masses and use their resources to do this to acceptable thresholds and we have a perpetuating cycle. Get voted, gain economic advantage, use these resources they gained in the next election - ad infinitum.
Most of these, including infrastructure development, education, healthcare and more, are often funded by debt, which has now ballooned to Php16 Trillion. The debt-to-GDP ratio is now at 67%, slightly above the acceptable thresholds.
Corruption now has a scientific method - and opposing these structures has become a monumental task.
