How can we trust Electrum Windows EXE?

[Love and Freedom]

First of all: I like Electrum a lot.

Electrum is Open Source and Electrum can be installed from sources. The sources can be verified by everyone and thus it is very unlikely that it contains scam.

BUT:

What if the Windows EXE is compiled from sources that are different? Who would ever notice?

So for example what if the EXE produces private keys that the authors of the software know beforehand because they programmed it that way? What if they decide to move the funds from these addresses one day?

Ever thought about that? I just did and do not feel well now...

[MadGamer]

The developer of the wallet (ThomasV) is known to the public and he is trustworthy. If at some point he decide to scam people, It would be easy to take him to court. If you are paranoid, you can always switch to a hardware wallet.

[Love and Freedom]

Thanks for you reply, but I don't believe it's that easy:

"Electrum was created by Thomas Voegtlin in November 2011.

Since then, various developers have contributed to its source code."

Source:
https://electrum.org/#about

I don't like the "vendor lock in" of a Hardware Wallet, I want to have my private keys.

[xdrpx]

The Binaries are usually created and uploaded on the site by ThomasV and he usually signs these Binaries with his PGP Key. I'm assuming there are tests performed to check for any issues in the source code during the code commits or when any pull requests are accepted.

Apart from that, you have the choice to run or install from source - Download the source code, install PyQT 5 and run 'python3 electrum' or to Build Wine / Windows binaries by yourself by referring to the documentation here: https://github.com/spesmilo/electrum/tree/master/contrib/build-wine

I don't like the "vendor lock in" of a Hardware Wallet, I want to have my private keys.

The Trezor hardware wallet is Open Hardware https://doc.satoshilabs.com/trezor-tech/hardware.html and also Trezor-core being Open source https://github.com/trezor. If by Vendor lock-in you mean having to rely on Trezor for support or services, well you may have to do that even with software wallets in case you face any difficulties. You can also have Trezor connected with Electrum for example if that's what you're looking into.

[Love and Freedom]

Thanks for your reply. By "vendor lock-in" I mean that I cannot export my private keys out of any hardware wallet.

Yes, I am paranoid. I sign any transaction offline but I still have to trust the software producers. I don't want to trust.

[Xynerise]

Thanks for your reply. By "vendor lock-in" I mean that I cannot export my private keys out of any hardware wallet.

Yes, I am paranoid. I sign any transaction offline but I still have to trust the software producers. I don't want to trust.

You can export your private keys from Electrum and whenever you set up a hardware wallet for the first time you're shown a mnemonic seed that you can use to get access to your coins in any BIP39 wallet at any time.

[jackg]

Thanks for you reply, but I don't believe it's that easy:

"Electrum was created by Thomas Voegtlin in November 2011.

Since then, various developers have contributed to its source code."

Source:
https://electrum.org/#about

I don't like the "vendor lock in" of a Hardware Wallet, I want to have my private keys.

ThomasV is the main developer of the client side of electrum, he has to sign the executable to say that he authorises it. If, in the unreasonable instance, a trojan is added by another developer and he misses it and signs the executable. He's still liable in a court of law for the error (in most countries). He would also be able to bring whomever coded the Trojan to court also if he can determine who it is.

[TryNinja]

Thanks for your reply. By "vendor lock-in" I mean that I cannot export my private keys out of any hardware wallet.

Yes, I am paranoid. I sign any transaction offline but I still have to trust the software producers. I don't want to trust.

You can[1], but it's not recommended. However, if you are going to use your wallet with the private-keys outside the hardware wallet device, why even have one in the first place? Your best choice would be to have an air-gapped computer with an offline wallet and a watch-only in your main online computer.

[1] Just get your hardware wallet seed, and in Electrum go to File -> New/Restore -> Standard Wallet -> I already have a seed -> Paste/write your seed -> Options -> Check 'BIP39 seed' -> Next.

[Love and Freedom]

TryNinja, jackg and Xynerise: Thank you for your replys!

I've learned something.

Great forum!