Ok? If you enter your key somewhere, you’re giving them access to run everything. Pubky is infinitely more secure than that. And if you use Nostr signers, Pubky is also much simpler. So cool, copy what pubky is doing and put it on nostr. Problem solved.

Course he could. He could push an update with a sophisticated backdoor, any nostr dev could. That update gets past app review, your app auto-updates, adeiu to your key. Just because there is a commit in github, doesn't mean that code is what's in the IPA. This is not F-droid.

that's quite a lot of steps involving multiple people, likely to get caught and lead to real world consequences even if after the fact, at least it would destroy @jb55's reputation forever very different from one employee from the homeserver hosting provider being tricked into giving access to the account of an important person to some malicious entity like we have seen happen many times in every big platform

good job pretending you're smart or that you understand what you're talking about you tricked me for a while