Infinity Wallet - A unique native desktop Wallet & Web3 Browser - Milestone 1
Dear Dotsama community,
The proposal
The proposal covers the integration of Polkadot, Kusama and their ecosystems into the Infinity Wallet all-in-one gateway, for a complete and user-friendly way to access the decentralized world and Web3. It also covers the value add, the benefits and what would be required to complete the development and integration of the Polkadot and Kusama ecosystems within the Infinity Wallet, as a natively supported chain that we look to provide ongoing support and development for, as well as to collaborate with the Polkadot & Kusama ecosystems, driving ongoing value and adoption.
The deliverables have been split into 3 milestone referendum proposals ("current referendum for milestone 1"), with the focus of the combined proposal being the integration, development & adoption of Polkadot, Kusama and their ecosystems within the Infinity Wallet.
Budget for milestone 1
Milestone 1 total amount: 9,924 DOT (~$69,000 at time of proposal)
Please review the full proposal for a more detailed description, along with all deliverables & the cost breakdown for Milestone 1: https://docs.google.com/document/d/15XShwMFoT8oSK9U04JnlXYL4zk95dHJ9jMZGRW7Ynl8/edit?usp=sharing
All the best,
Infinity Wallet
Proposal Passed
Aye (43): 0.0 DOT
Support: 0.0 DOT
Nay (41): 0.0 DOT
Comments (3)
Appreciating your engagement with community feedback and the transition to a milestone-based proposal structure reflects a positive step towards aligning with Polkadot governance expectations. This structure promotes transparency and accountability, crucial for fostering community trust.
Despite the benefits of EV certificates in enhancing trust through Microsoft's SmartScreen, they do not authenticate the source code or ensure the security of the build process itself. The current practice of publishing SHA-512 hashes without corresponding PGP signatures represents a significant security gap. These hashes, while useful for verifying download integrity, offer no assurance regarding the origin or the absence of tampering before publication. This is compounded by the fact that the binaries themselves are not signed with PGP keys, further diluting the trust model.
For a more robust and transparent release workflow, we urge you to consider the practices where binaries are not only built but also signed as part of their release workflow (e.g., genpeerid build workflow). This approach significantly enhances trust in the binaries by ensuring they are directly traceable to their source, authenticated, and have not been tampered with post-build.
Given the strong interest from stakeholders in seeing Infinity Wallet support the ecosystem, we are inclined to adjust our position in favor of your proposal. Nonetheless, this support is contingent upon your willingness to incorporate external audits for each release. While the current proposal may not need to detail the budgeting specifics for these audits, it is essential that Infinity Wallet acknowledges and accepts the necessity of such audits. Our community can assist in identifying qualified members/team to conduct these audits and produce public reports, enhancing the overall security posture and confidence in the Infinity Wallet as a critical infrastructure component within the Polkadot ecosystem.
In conclusion, to shift our vote to support, we require at least a clear commitment from the Infinity Wallet team to improve binary signing CI, begin to publish changelogs for releases and engage in the previously proposed auditing process. This stance is an exception to our usual voting habits, particularly given our reservations towards endorsing proposals for closed-source projects in highly sensitive areas such as wallets.
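The gap described in the comment above, as an added example (not Infinity Wallet's or the commenter's tooling): a published SHA-512 list still verifies when a file and its hash are replaced together, while a detached PGP signature over the checksum file does not. The key identity, file names and file contents are constructed for the demonstration; it assumes GnuPG 2.1+ and a `sha512sum` utility.

```shell
#!/usr/bin/env bash
# Constructed demo: hash-only verification vs. a signed checksum file.
# Key identity, file names and contents are made up for this example.

demo_setup() {    # throwaway keyring, a stand-in "release", and its signed SHA512SUMS
  WORK=$(mktemp -d) || return 1
  export GNUPGHOME="$WORK/gnupg"
  mkdir -m 700 "$GNUPGHOME" && cd "$WORK" || return 1
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Constructed Release Key <release@example.invalid>' \
      ed25519 sign never 2>/dev/null || return 1
  printf 'original build output\n' > wallet-setup.bin
  sha512sum wallet-setup.bin > SHA512SUMS
  gpg --batch --quiet --armor --detach-sign --output SHA512SUMS.asc SHA512SUMS
}

verify_hash_only() {   # all a user can check when only hashes are published
  sha512sum -c SHA512SUMS >/dev/null 2>&1
}

verify_signed() {      # authenticate the checksum file first, then check the hashes
  gpg --batch --quiet --verify SHA512SUMS.asc SHA512SUMS >/dev/null 2>&1 &&
    sha512sum -c SHA512SUMS >/dev/null 2>&1
}

simulate_swap() {      # file and hash changed together, as on a modified download page
  printf 'modified build output\n' > wallet-setup.bin
  sha512sum wallet-setup.bin > SHA512SUMS
}

run_demo() {
  demo_setup || return 1
  verify_hash_only && echo "genuine release,  hash-only check: pass"
  verify_signed    && echo "genuine release,  signed check:    pass"
  simulate_swap
  verify_hash_only && echo "replaced release, hash-only check: pass (undetected)"
  verify_signed    || echo "replaced release, signed check:    FAIL (detected)"
  gpgconf --kill gpg-agent 2>/dev/null
  cd / && rm -rf "$WORK"
}

# Run with:  bash this-script.sh run
if [ "${1:-}" = "run" ]; then run_demo; fi
```

In a real release flow the signing key lives with the build pipeline and users import the public key from a channel separate from the download page, which is what makes the signature check meaningful.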
One of the best proposals with substantial value add we have ever had from a wallet