Which hardware wallets are open source?

[Pmalek]

ColdCard is a good example of a trusted wallet that does not use open source licensing for it's firmware.  The software is still transparent, allowing for the community to review it.  However, ColdCard's firware licensing prohibits redistribution of the software (or firmware, in this case.)  This is designed to protect Coinkite's intellectual property, while allowing for the community to verify it is safe to use.

I remember there was some talk about this back when the Mk4 was released and many users were against such a way of licensing. Even though ColdCard's don't qualify to be called open-source, those who want to review it and understand the code can do so. That should be the main focus point if you don't want to use close-source software. Other peculiarities and licensing characteristics that restrict the redistribution of the software shouldn't be something the end-user needs to care about.   

[n0nce]

ColdCard is a good example of a trusted wallet that does not use open source licensing for it's firmware.  The software is still transparent, allowing for the community to review it.  However, ColdCard's firware licensing prohibits redistribution of the software (or firmware, in this case.)  This is designed to protect Coinkite's intellectual property, while allowing for the community to verify it is safe to use.

I remember there was some talk about this back when the Mk4 was released and many users were against such a way of licensing. Even though ColdCard's don't qualify to be called open-source, those who want to review it and understand the code can do so. That should be the main focus point if you don't want to use close-source software. Other peculiarities and licensing characteristics that restrict the redistribution of the software shouldn't be something the end-user needs to care about.   

Do keep in mind that if ColdCard were reproducible, there may be a point considering it (even though the non-open source license is like, super fishy and anti-Bitcoin and everything).
However, mk1 to mk3 are not reproducible by WalletScrutiny as of today (09/25/2022)!

https://walletscrutiny.com/hardware/coinkite.coldcard.mk1/
https://walletscrutiny.com/hardware/coinkite.coldcard.mk2/
https://walletscrutiny.com/hardware/coldcardMk3/

This means whatever compiled firmware binary you are installing to your device, may be compiled from entirely different source code!
I can't state this enough: open-source code is nothing without verifiable builds. Do not trust - verify.
WalletScrutiny does verify and find that ColdCard builds are not created from the latest version of the source code CoinKite provides.

Also, do be aware that checksums don't give you a hint about how much has been changed, just that something changed. It can range from a single variable change in the source code to giving you fully NSA-backdoored binaries.

[Pmalek]

Do keep in mind that if ColdCard were reproducible, there may be a point considering it (even though the non-open source license is like, super fishy and anti-Bitcoin and everything).
However, mk1 to mk3 are not reproducible by WalletScrutiny as of today (09/25/2022)!

I was talking about the Mk4 only. Wallet Scrutiny has still not finalized their review for this device and it's tagged as Under Development right now. I am curious what the final verdict will be like once they do.

This means whatever compiled firmware binary you are installing to your device, may be compiled from entirely different source code!
I can't state this enough: open-source code is nothing without verifiable builds. Do not trust - verify.

No arguments there. We agree on the importance of the verifiability of the code. If you want to verify the builds and there is a way to do that, that's what I would focus on. That's where you will see if you are using the real thing or not.

The choice to allow/disallow the redistribution of the code through an open-source license is politics. It doesn't affect the security and verifiability of the hardware wallet (assuming you can build the code from its source). That's why I feel like it's important to distinguish the two. People can consider that to be the wrong approach and I don't disagree. But allowing/not allowing you to use the source code, making something out of it yourself, and redistributing it, doesn't affect your use of the hardware wallet and it's software. Again, assuming you can verify that everything is as it should be.

[dkbit98]

However, mk1 to mk3 are not reproducible by WalletScrutiny as of today (09/25/2022)!

I think this is the case with many other wallets listed on WalletScrutiny right now, maybe they need more time to update and test latest released wallet versions.
WalletScrutiny doesn't have big team of people, so we can't expect them to be up to date all the time, but I think they accept help from volunteers.
There is also an option of using alternative to WalletScrutiny, called BitcoinBinary but note that this website is owned by ColdCard
https://bitcoinbinary.org/

[n0nce]

But allowing/not allowing you to use the source code, making something out of it yourself, and redistributing it, doesn't affect your use of the hardware wallet and it's software. Again, assuming you can verify that everything is as it should be.

You're not wrong, but e.g. their license would not permit them to copy a bug fix from a similar wallet, which is under MIT, due to this clause.
Especially looking at something like the Trezor crypto library, which is shared by a lot of hardware wallets and that is / needs to be updated from time to time, I can see how this may cause security issues.

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

Not having an MIT (or similar) license also doesn't permit users to fork the code to add features, fix bugs or continue supporting it after official vendor support ends.
Just a few factors that are vastly different in 'real open-source' and definitely buying criteria for me.

However, mk1 to mk3 are not reproducible by WalletScrutiny as of today (09/25/2022)!

I think this is the case with many other wallets listed on WalletScrutiny right now, maybe they need more time to update and test latest released wallet versions.
WalletScrutiny doesn't have big team of people, so we can't expect them to be up to date all the time, but I think they accept help from volunteers.

True; we can donate though, so they can take a bit more time out of their day to do this free service and update wallets more frequently.

[Agbe]

It's really shocking that I'm just knowing that hardware wallets are of two types just like every other PC and mobile wallets, my thought was every hardware wallets are fully open source until a day ago thanks to this forum still but now which hardware wallet is open source?

Which of them? You would have name the two types of hardware wallets which you have known for others that do not know would come to know it from you. The senior men have given you links and some of the open source wallets.  If you like to read article, you can read this to learn more [BTCDirect] and also use Google to make more research and read more on it.  

The following are some of the open source Cryptocurrencies wallets. Copay , MyEtherWallet, mSIGNA,  Electrum is one of the best for now. You can read more on https://opensource.com/article/18/7/crypto-wallets they are all well explained there. Since you have not gotten enough experience on wallets please be careful when using open source wallets.

[Pmalek]

You're not wrong, but e.g. their license would not permit them to copy a bug fix from a similar wallet, which is under MIT, due to this clause.

That's again political bullshit that doesn't have to be there. I understand why it is done that way. You have put restrains on your software that doesn't allow anyone to change it or redistribute it, and as a punishment, you aren't allowed to use anything we release either. Politics.
 
I didn't know that. So if I have a piece of software, it needs to be released under an MIT license for me to use any code from any other MIT licensed software? But wasn't ColdCard forked from Trezor's source code, which is also released under an MIT license?

Not having an MIT (or similar) license also doesn't permit users to fork the code to add features, fix bugs or continue supporting it after official vendor support ends.

Sadly, that's all true.

[n0nce]

You're not wrong, but e.g. their license would not permit them to copy a bug fix from a similar wallet, which is under MIT, due to this clause.

That's again political bullshit that doesn't have to be there. I understand why it is done that way. You have put restrains on your software that doesn't allow anyone to change it or redistribute it, and as a punishment, you aren't allowed to use anything we release either. Politics.

Don't know if that's your definition of politics, sure.
I think it's good that corporations can't just take FOSS code that people developed for free or made available free of charge and go sell it to customers for big money.
Keep in mind the 2 definitions of free: free as in freedom (free to use FOSS software, modify etc.) and free as in zero-cost (no licensing fees required).
Just like we value 'free' as in 'freedom' in Bitcoin in general; I believe that FOSS should really be the standard in this space.

What gives anyone the right to 'take software and redistribute it (maybe with some changes)' without 'giving back' as in: allowing others to also take this modified version of the software - either to improve the original codebase or to make another product out of it?

I didn't know that. So if I have a piece of software, it needs to be released under an MIT license for me to use any code from any other MIT licensed software?

Correct; that's pretty much the whole gist of the MIT license.

But wasn't ColdCard forked from Trezor's source code, which is also released under an MIT license?

I believe it just uses Trezor's crypto library, which is tried and tested, just like most other hardware wallet vendors. Because, well, it's tried and tested. But that requires the new product to be MIT, as well. Trezor just can't be bothered suing the Coinkite dev team, I guess, but they could easily do that, yes.
I do personally believe that Coinkite removed easily indentifiable references of using the Trezor library because of that, compared to Foundation Devices who are clear about it:

• trezor-firmware Contains a copy of the Trezor source code in order to use Trezor's crypto library. We will likely make this into a git submodule soon to make it even easier to keep the library up to date.
  

There are still some references in code comments, though...
https://github.com/Coldcard/firmware/search?q=trezor

[Pmalek]

What gives anyone the right to 'take software and redistribute it (maybe with some changes)' without 'giving back' as in: allowing others to also take this modified version of the software - either to improve the original codebase or to make another product out of it?

Everything and nothing. It sounds more like a question of morality and doing the right thing rather than are you allowed to do it. If something is public and free, then that's exactly what it should be so everyone can use it. I understand that's not the case with MIT licenses, I am just saying. A morally corrupted individual will take someone's free work, wrap it up differently, and sell it as their own.       

I do personally believe that Coinkite removed easily indentifiable references of using the Trezor library because of that, compared to Foundation Devices who are clear about it:
...
There are still some references in code comments, though...
https://github.com/Coldcard/firmware/search?q=trezor

Morally corrupted or morally deficient could be some of the ways I would describe such actions.