How can I trust clients?

[bentheman]

Hi,

my question is pretty easy. How can I trust clients like Electrum,Multibit etc?
Is it just checking the sourcecode? So, no one should download a new version until it gets verified?

best regards

[1715377946]

1715377946

[achow101]

Yes. You check the source code. If you don't think the developer is trustworthy, check the source code and build it yourself from source.

[pooya87]

Yes. You check the source code. If you don't think the developer is trustworthy, check the source code and build it yourself from source.

there are many problems with what you just said.

1) for example Core is in C++ (if i am not mistaken), Electrum is in Python,... and in order to check the source codes you have to know these programming languages, or at least have some knowledge in any programming language to be able to make heads or tails of what is going on.

2) these are fairly big project so going through the code is going to take a very long time if you are not a veteran programmer and even if you are it still needs a long time.

3) also building from the source code is not recommended for everybody especially when a newbie is asking for it , because they may break something and encounter a lot more problems and there aren't really detailed walkthroughs available to use them to compile the wallet.

the only solution that is left for regular users (which are the majority of bitcoin users) is to trust the developers based on their history and how long their wallet was around.

[sellcollateral]

Like it's been said by pooya87, it's really hard to check the sourcecode yourself, so i personally also trust the developers.

Their sourcecode has been reviewed by many seasoned programmers, so you'd have to trust the fact that any backdoors or vulnerabilitys would have been found by now.

What IS important is to only download their binarys from a trusted source, and you should also check the signature (allmost every developer signs his releases with his/her GPG key, so you can verify if the binary is actually signed by the right dev before you actually install it on your system)

[achow101]

Yes. You check the source code. If you don't think the developer is trustworthy, check the source code and build it yourself from source.

there are many problems with what you just said.

1) for example Core is in C++ (if i am not mistaken), Electrum is in Python,... and in order to check the source codes you have to know these programming languages, or at least have some knowledge in any programming language to be able to make heads or tails of what is going on.

Yes, but most major software have sufficient documentation and commenting in the code to make it easier to understand. You also don't need to be an expert in every language to understand what is happening, you just need to know one language that is related (e.g. Java is related to C/C++, Python, C#) to be able to read the code. '

2) these are fairly big project so going through the code is going to take a very long time if you are not a veteran programmer and even if you are it still needs a long time.

Not necessarily. Even though a project may be "big", they usually have decent documentation (code comments) to make understanding what each function should do a lot easier. Furthermore, if you have a starting point that you can trust, then you can just check each code commit from that point on which will be much easier to check than to analyze the whole source code.

3) also building from the source code is not recommended for everybody especially when a newbie is asking for it , because they may break something and encounter a lot more problems and there aren't really detailed walkthroughs available to use them to compile the wallet.

How so? Building from source for the major wallets is well documented and very easy to do. There isn't anything you can break without actually changing the code.

the only solution that is left for regular users (which are the majority of bitcoin users) is to trust the developers based on their history and how long their wallet was around.

Or you can have someone who is able to read code audit the code themselves. You do not have to trust the developer, you can have someone else you trust to check the code for you.

[Decoded]

Usually, releases are signed with PGP keys or the like. This verifies that this is the same developer as the previous one. But then you have to place trust in them not selling their PGP key to someone else.

[Dank14]

The issue of trust can be hard in the crypto world. For long term storage, I recommend using a paper wallet instead.

[BitcoinSupremo]

The issue of trust can be hard in the crypto world. For long term storage, I recommend using a paper wallet instead.

Or even better a hardware wallet. I know many things have been said that we don't know what is flashed in the USB hardware wallets we may receive but let me tell you why I fully trust the developers of such wallets.

I trust them because they don't know how many bitcoins we as buyers have, maybe we have little quantity (which for us means a lot) and of course they want to continue keep selling and every problem we may have through these wallets we report them in this forum. That is bad publicity for the developers and a way to lose money by not making sales anymore. So yes for me hardware wallets are the best.

[Herbert2020]

The issue of trust can be hard in the crypto world. For long term storage, I recommend using a paper wallet instead.

Or even better a hardware wallet. I know many things have been said that we don't know what is flashed in the USB hardware wallets we may receive but let me tell you why I fully trust the developers of such wallets.

you have to trust someone eventually it is not like all of us are expert coders who can check the code themselves and see which one is good and which one is malicious.

the only way for us to trust a wallet (whether it is a downloadable software or a hardware wallet) is to trust the feedback of other people who have been using that wallet and see the age of that specific software or hardware wallet.

[BuySomeBitcoins]

Do you want to verify the client itself is secure and trustworthy as written by the devs ?

Or you want to verify the release / download is not compromised by a third party / hacker ?

[RGBKey]

The only way to really trust a client besides verifying the source code yourself is to just trust what other people have verified, or trust what others have trusted.