Developers constantly replace releases on users; bitchat, for example, recently did that, and there are countless others. The Zapstore indexer captures releases from GitHub once, and when the developer edits the release/associated assets the download breaks and users start yelling, so I know well how many times that happens. I don't think any of those edits were nefarious; they all seemed reasonable. Software assets (kind 3063) are regular events that carry version information, so those could be kept around; however, if I had social signal that a key was compromised I would stop trusting it altogether. If I already have the software installed and I believe it's pre-compromise, I would keep running it. Developers are encouraged to use bunkers, not hotkeys. In addition I just introduced this: which has support in zsp (publisher tool) but not the UI yet. Interesting model because to compromise it you kinda need to hack *both* keystore and nsec -- for updates at least.

Replies (1)

> Developers constantly replace releases on users

That's why I said this >> I understand these are problems we'll face today, but I think we can fix that with some immutability. Just because developers haven't messed on the platform yet, they do all the time on GitHub and others, and it drives me nuts. Ubuntu, for example, only offers links publicly to their latest images, which will have a different checksum despite the same dl link every week. We have hardware/stability issues and ended up keeping our own store of iso images (which is generally recommended) because they change the image URL.