Add Copay to wallets

[maraoz]

This PR adds copay to the wallet list.
Let me know if I did everything correctly :)

It also fixes a deprecated use of port configuration.

[maraoz]

Some screenshots of the changes:

[schildbach]

Thanks for your PR.

Reading the description, I think a score of "Shared control over your money" would be more appropriate.
Web wallets are centralized by nature.
You published Copay on Juli 9th (http://blog.bitpay.com/2014/07/09/copay-beta-an-open-source-multisig-wallet.html). So I think Copay's transparency score is "new app" for about 3 more months. Btw. I cannot find the source of your Android app -- can you point me to it?

Technical: I think you should squash your 4 commits into 1.

[maraoz]

@schildbach thanks for your review. Will fix that.

[maraoz]

Updated with changes.

Regarding Android code: it's the same as the web version, and we use Apache Cordova to build an Android app. Here's the mobile-specific code: https://github.com/bitpay/copay/tree/master/cordova/android.

Regarding the "control" score, "Shared control over your money" reads "This wallet requires every transaction to be authorized both by you and this third party.". That's not true of copay. All multisig keys are generated client-side by the users. All the app code is open-source and you can run it yourself, so you don't need to trust any 3rd party. What do you think? Can I revert to "Control over your money"?

Thanks

[harding]

@schildbach Hive Web gets checkGoodControlFull, and I think (in general) the disadvantages of web wallets is well covered in the Environment ("Remote App") score. Although it's possible I may be forgetting something we discussed earlier.

Everyone: If we limit ourselves to the available descriptions, I think checkGoodControlFull is appropriate here. However, we may want to create a new checkGoodControl score with a slightly reworded description to account for the fact that this wallet allows the user to optionally not have full control over his coins---that is, to request payment to n-of-m outputs with n>1. Obviously, this is good when the user chooses it, but I don't think either controlFull describes it well and controlMulti seems incorrect (as mentioned by @maraoz).

Perhaps: "This wallet gives you full control over your bitcoins, including giving you the option to allow other individuals you trust to freeze or lose your funds. You remain responsible for securing and backing up your wallet." (A minor variation on controlFull.)

Edit: oh, and another thanks to @maraoz for submitting this PR! Copay looks very cool!

[saivann]

I agree with @harding and @maraoz, how about:

checkpasscontrolshared: "This wallet gives you full control over your bitcoins and allows you to share this control with other individuals. This means you must choose your copayers carefully since they can freeze or lose your funds. You also remain responsible for securing and backing up your wallet."

[saivann]

@maraoz Thanks for submitting a pull request.

May I ask what is the format used for the .aes wallet backup? Is there documentation on how to restore the wallet without using Copay?

If I understand correctly, the Copay Android app and Chrome / FF extension are relying on Electrum servers to verify payments and get block chain data?

The service displays a pretty strong no-responsibility BETA disclaimer before using the service, maybe we could wait until the service exits BETA? For instance, browser extensions aren't in the FF / Chrome extension stores, and I've hit bugs with a 1 of 1 wallet; Copay kept refusing me to send bits with a double unspecific error message, or claimed that I didn't have enough funds (which wasn't the case) until I used the browser extension on Firefox (I don't know why).

Since the app is available as a browser extension, consistently with other apps, it should also be made available under "Desktop" too.

Unless I'm mistaken, checkpassdecentralizeservers should be replaced by checkfaildecentralizecentralized for the web version.

I think the web version should use checkfailtransparencyremote since the code is loaded from a remote location.

[harding]

@saivann your proposed text for checkPassControlShared is much better than mine. Thanks!

[maraoz]

On Thu, Oct 2, 2014 at 5:36 PM, saivann notifications@github.com wrote:

@maraoz https://github.com/maraoz Thanks for submitting a pull request.

May I ask what is the format used for the .aes wallet backup? Is there
documentation on how to restore the wallet without using Copay?

There's no documentation on the backup format yet. I've opened a new issue
on our project to do so. The basic idea is that it's a AES-encrypted
key-value store of the master private key, the master public keys of other
copayers, the address book, the transaction proposals, etc.

If I understand correctly, the Copay Android app and Chrome / FF extension
are relying on Electrum servers to verify payments and get block chan data?

All versions of copay, including browser extensions, use Insight servers
for blockchain data and payment broadcasting. Anyone can run their own
Insight server, as it's open source. (https://github.com/bitpay/insight-api)

The service displays a pretty strong no-responsibility BETA disclaimer
before using the service, maybe we could wait until the service exits BETA?
For instance, browser extensions aren't in the FF / Chrome extension
stores, and I've hit bugs with a 1 of 1 wallet; Copay kept refusing me to
send bits with a double unspecific error message, or claimed that I didn't
have enough funds (which wasn't the case) until I used the browser
extension on Firefox (I don't know why).

This is weird, did you hit those bugs with the web version? It's the most
stable one and the one most people use. Which browser were you using? Maybe
we can continue that discussion on copay's issue tracker (
https://github.com/bitpay/copay). The BETA tag will stay for a long time,
we've already launched the platform. The disclaimer is there just because
we want to make sure it's open source software, and you should run it
yourself.

Since the app is available as a browser extension, consistently with other
apps, it should also be made available under "Desktop" too.

OK. Will change that.

Unless I'm mistaken, checkpassdecentralizeservers should be replaced by
checkfaildecentralizecentralized for the web version.

Well, you can run your own Insight server locally, so you don't need to
trust anyone for blockchain data. What do you think?

I think the web version should use checkfailtransparencyremote since the
code is loaded from a remote location.

You're right.

Reply to this email directly or view it on GitHub
bitcoin#587 (comment).

[maraoz]

Updated with discussed changes.

[saivann]

Well, you can run your own Insight server locally, so you don't need to trust anyone for blockchain data. What do you think?

IMO, all scores should represent the default. When going on copay.io, installing the extension is optional, so the score needs to reflect this reality, especially given that most users likely won't take any extra steps to install the extension, even though we encourage them to do so.

To be fair with greenaddress and blockchain.info, the checkfailtransparencyremote score should be applied to the Desktop wallet as well (sorry, I forgot about this one), unless Copay finds a way to prevent users from running unsigned remote code every time they go on copay.io .

All versions of copay, including browser extensions, use Insight servers for blockchain data and payment broadcasting. Anyone can run their own Insight server, as it's open source. (https://github.com/bitpay/insight-api)

Just to be sure on this; does the browser extension and mobile apps connect to random insight servers by default, or do they connect to Bitpay's insight server and optionally let technical users run their own server?

At the same time, can you optimize your screenshots and icon with optipng -o7 file.png ?

[maraoz]

updated with @saivann's suggestions.

To answer your question: it's the latter. You need to change the settings to use other insight server. We may change this in the future based on your feedback :)

[saivann]

The BETA tag will stay for a long time,
we've already launched the platform. The disclaimer is there just because
we want to make sure it's open source software, and you should run it yourself.

I have had a communication from Bitpay's support that seems to conflict with this one. I've noticed (and reported) that Copay allows one character long password. BitPay's support answered that this was intended because the service was in beta.

I've also found the service was still vulnerable to poodle attacks until yesterday (one month after the flaw was publicly released, the issue was fixed within 24 hours).

In general I really like what Copay wants to achieve, but feel like I can't suggest we link the service while finding concerning issues like these. So, I guess this further tells me it would make sense to revisit this pull request once Copay isn't in beta anymore.

[maraoz]

@saivann seems reasonable

[crwatkins]

@maraoz Now that Copay is out of beta, could someone update this PR to accurately reflect the currently supported platforms (e.g. remove web), confirm that the scoring is correct, and update any images that might need it? Thanks.

[maraoz]

Sure! Ping @matiu

On Thu, Jun 4, 2015, 21:26 Craig Watkins notifications@github.com wrote:

@maraoz https://github.com/maraoz Now that Copay is out of beta, could
someone update this PR to accurately reflect the currently supported
platforms (e.g. remove web), confirm that the scoring is correct, and
update any images that might need it? Thanks.

—
Reply to this email directly or view it on GitHub
bitcoin#587 (comment).

[harding]

Closing in favor of pull #888.