I used to maintain the OpenPGP.js library (used in ProtonMail) and I don’t use PGP. And Phil Zimmerman doesn’t use PGP because he prefers Apple Mail on his iPhone. I always ask myself: what’s the point of asking users to download a PGP public key to verify a binary they download from the same website. Users aren’t getting more integrity assurances over what SSL already offers them, since most have no idea how to use WoT. It’s different with nostr... every user has a WoT that they can manage (with decent enough UX) and it already gives them value outside of verifying binaries. So I’d love to see an easy-to-use “nostr-verify” unix program that you pass your npub that *just works*. Anyone that wants to attest a given binary can upload their signatures to their relays. Then the “nostr-verify” program just pulls these sigs from my relays to verify the binary. Does this exist? nostr:note1qqq9ytr5f5ffrdq3j2478d0n7m4ydwwqc0wyur6jun9rn9qetckqvyyz8d
except tor/market users...even then...
@Zapstore fixes this.
Friday night experiments https://video.nostr.build/57b19c36e10f0049ff431119c204b983ec51f45ab103cbbbe4203e85b388ad55.mp4
Where can I find documentation that breaks down the fields, commands, cli tools, and fields in the protocol? Looks wonderful, thanks for sharing!
Oh man, that's so sexy, that's what we need. How do you verify the `zapstore`?
Thank you, yea it's just a start. I have some ideas around verifying zapstore itself, for now it's mostly through social (kind 1) clients
Are reproducible builds possible for zapstore itself?
Awesome!!!! Some thoughts on the WoT part: 1. Enough users to follow the npubs behind most of the apps they're using 2. Where and how do you prompt users to follow those npubs? 3. There is no win-win for making users go through that step (and it might mess up their feeds etc) 4. Follows don't have a cost and 90% of my follow-list will not know the first thing about trusting in software Alternative idea 💡 : USERS: Focus 💯 of the UX on letting them zap the apps they value. No ratings, no recommendations, no adding to "Following". BUILDERS: Let them verify and vouch for each others apps. Build a Web of Trust amongst those who actually know how to verify (and what price to ask for it). Then you scan say things like: - Zapstore & 21 other apps (that you value and use) trust this app. Install? - Here are the most valued apps in your network - No other app trusts this app. Enter secret key / Read only?
Appreciate your thoughts and generally like the idea. I have a lot of questions though. Zaps also require a WoT layer or it can be gamed. Yes there are challenges with follows, but getting devs to vouch might be even more difficult. Will devs vouch, or apps, or the npub behind the app? I think curators might solve this problem. Let's say Ben Carman (who anecdotally is linked to Mutiny, Harbor, etc) has a list of trusted apps. Curators could perhaps be found by WoT + zap weight.
was recently thinking about how Signal very quietly rolled out a WoT feature when they introduced usernames... nostr:nevent1qqsy8dwr4aha5hmd4clnchu05vvua900tjchgze67mhd6emsamsd2dcpzpmhxue69uhkummnw3ezuamfdejsygp3rdyhvdv9vanl7hqua73t33wgwh8psjhysak6jfu7s2d6q8w39ypsgqqqqqqszujvmm
The point is you download the key only once - the first time. The probability of getting infected the first time is lower than the probability of getting infected the first time plus with any of the manual updates. And you can still use keybase or other alternative sources. But the education of how to do this properly is generally low, that's true. Nostr could make it more user friendly in some aspects but it introduces another problem: duplicate profiles. You have to know which specific key belongs to the person you trust.