Oddbean new post about login | logout This event has the wrong hash for this image. How does your client deal with that? https://mikedilger.com/bs.png
Why even load it?!?!
Or I mean, view it. You have to download it to verify the hash...
That is what I'm doing with gossip. It will show an error message in the place of where the image would have been, as well as a link so that you can view it in a browser if you want to. It won't show the altered image.
Amethyst loads it but only if you click on it does it show the warning. It should actually gray it out with bars or something. Cryptospaces should act secure.
I found Amethyst's warning very subtle. I only realized after reading the comments that the warning existed. nostr:nprofile1qqsyvrp9u6p0mfur9dfdru3d853tx9mdjuhkphxuxgfwmryja7zsvhqppemhxue69uhkummn9ekx7mp0qythwumn8ghj7anfw3hhytnwdaehgu339e3k7mf0qyghwumn8ghj7mn0wd68ytnhd9hx2tch2deau
Yeah, we were more upfront in the early days but users thought it was too annoying. What I realized is Nostr seems fine with not verifying any attached content. Devs tends to be highly dismissive about it and leads to a userbase that is not used to verify attached content.
I think that if you increase the size of the icon and keep it always visible it would improve a lot. I didn't notice because the icon disappears very quickly.
I for one am not dismissive. If I post an innocent frog meme and somebody at the website where it is stored at (not mine) changes it to a swastika, that reflects badly on me and most nostr users will have no idea that I didn't post a swastika... thinking about how events are digitally signed it sure seems like I did! Previously some people argued for storing binary objects inside of events. I argued against due to performance reasons and CSAM legal reasons, not signature reasons. I like the imeta 'x' field a lot and I think all the clients should both produce imeta tags with 'x' and also verify them. My head wasn't even in this space a few weeks back and gossip is playing "catch up" on this. It does neither thing currently (on master) but I just got it verifying on unstable, and soon I will work on adding the imeta tag for links when posting.
what if post a swastika and later claim it was originally a frog and you tell me due to your verification it is impossible as Ron Paul said "the wall ( with Mexico ) can be used to keep us in"
The above post was a test to help me develop some new gossip code that will be on master within a week or two, which I just completed.
You also need to consider optimizations by media services That is pretty common
If a media service optimizes an image and then provides the URL, we will download the optimized image and hash that and provide that in the imeta tag, along with 'ox' for the original data pre-optimized. The x tag should still verify. This is work I haven't done yet (most of this last week was refactoring, not actually adding this new code).
Some media services do optimizations differently based off of client also. And re-optimizing images. My personal opinion is that we also need a hash that reflects the overall content of the image roughly, and a way to signal to image services “return original optimized version” in case of things like a zoomed up view or doubt about content integrity.
The problem is that the current state of Nostr media makes it impossible for services to optimize without making someone mad. Clients should signal what they need (data saving preference, rough resolution, intent such as to view up close/save or just timeline) and servers should provide that. Servers should also be able to optimize however as long as the original can be requested
