We need to fund an audit for Parity Signer.
https://github.com/paritytech/parity-signer

The code in the master branch has changed significantly lately. They are important and useful changes that move a lot of the code away from React Native and towards native code. Support for seeing what you sign before you sign it has also been added, along with QR codes to update metadata. There has not been a stable release of this tool since September last year despite it being widely used. The current stable release requires blind signing transactions, which is a terribly bad idea and undermines the purpose of having a cold signer in the first place (the hot computer can edit the transaction silently).

This project is widely used by the community, and a bug with it would negatively impact a large subset of users whilst also doing damage to Polkadot's brand. We urgently need to audit this app. Currently we are burning treasury funds; it seems like a better use of these funds would be to put them towards a security audit for Parity Signer and perhaps an education program for how to safely store funds whilst being able to interact with the chain and take part in governance.

How do we make this happen? Thanks
Comments (2)
@bcu There are 4 general steps to follow when submitting a proposal on-chain:
- Draft the proposal based on the info on the template (you will find it on the guidelines below),
- Publish the proposal on https://polkadot.polkassembly.io and push in the channels for discussion and feedback,
- Incorporate the feedback from the Council into your proposal to minimise the chance of rejection (and avoid the bond being slashed);
- Submit the proposal on-chain and get the Council to vote on it.
You can find the guidelines on how to prepare a treasury proposal for Polkadot Network here - note you will find a link to a proposal template you can use inside the Guidelines document. The structure for the proposal is quite simple:
Problem > Milestones > Solution
Making sure we include a budget with a granular overview of how the funds will be used (costs), human resources, timelines. Happy to review the first draft, give some notes and set this up in the right way. For the budget you can use EUR or USD for now: on the day of on-chain submission, we can calculate the total amount of DOT tokens for the allocation using the 30-day average tool for each token.
If you want to schedule a call to talk about it, you can write me at raul@parity.io, happy to work with you on this so we get it done: I think this is a great idea and I can help you involve the team that worked on Signer as well.
I appreciate your response and you taking the time to get back to me. I'm currently working two jobs and moving house, so I won't have time to do the above. Is there the capability of making a proposal for a proposal? Do we just let this languish because I'm unable to be what this proposal needs?

I have absolutely no idea how much it would cost in either time or money to audit Parity Signer. It is code published under the Parity namespace, not under any namespace I am responsible for. Currently we are burning money from the treasury whilst recommending people use an insecure, unaudited wallet to store their funds. It seems nonsensical to be doing so; we could use that money to pay for an audit and keep users safe. Particularly considering Parity's history with security issues, I'd argue that was a worthwhile endeavour. We are literally burning the money we could use for this.

Attempting to shift the responsibility for Parity to produce secure code to me is wrong. It is a matter of time before someone is hurt by the lack of audited cold wallets. All the while we claim there is a treasury to fund ideas; here is an idea: let's ensure there is at least one audited cold wallet.

If you are in touch with the Parity Signer team, it might be worth talking to them about what their plan for the security of their tool is. There doesn't seem to be one. If I hadn't pushed hard for it there wouldn't even be a warning on the wiki, website or GitHub repository. As it is, a fix has been pushed to master and no release rolled, but one of the warnings has already been removed.