[PSA] Rabby is NOT open source - remember, if it's not open source, they're not your keys!

I wanted to draw people's attention to this because with all the discussions lately about open source hardware and alternatives to Ledger, Rabby is getting a bit of a push as well.

For those that don't know, Rabby is a fork/alternative to Metamask. A lot of people are preferring it over Metamask as it has additional features and supports more hardware wallets, things like that.

If you check the Rabby homepage, you'll see they proudly claim to be audited and Open-source. And indeed, they have a github page that appears to have the source code available. Great, right?

Well not so fast. The whole idea of being open source is that anyone can review the source code and most importantly, anyone should be able to build it. And that's exactly what I tried to do - build it from source.

Except it doesn't work, you can't build it because a large chunk of that source code is missing. This is what you get if you try to build this yourself: https://i.imgur.com/JQcSk9n.png

If you're not a developer, this might not mean much to you but I'll try to explain: Modern software isn't usually just one chunk of code, it's lots of chunks of code all glued together. The developers of Rabby, for whatever reason, have decided to take an integral chunk of code and hide it entirely. Trying to build it produces an error saying "Sorry, I can't find that crucial bit of code, I can't build this". This is bad.

I'm not the first person to notice this, it was raised with them last october that you could suddenly no longer build Rabby. That issue has been ignored again and again.

But at least it's audited, right? Except according to their homepage, the last audit was over a year ago - March 2022. So fuck knows what could have changed between then and October when the developers decided to hide a huge chunk of the source code from their "Open source and audited" extension.

Don't use Rabby until they fix this.

This is particularly troulbesome as some hardware wallets are only supported by Rabby, since Metamask stopped adding new hardware wallets years ago. I myself have a Bitbox02, which relies on Rabby to grant it support for lots of altcoins and I'm now stuck without an alternative.