We are proud to announce that Wasabi Wallet v2.7.0 is our first release fully distributed through Nostr. Instead of relying on GitHub or DNS, clients now receive update notifications directly from notes published by Wasabi’s Nostr public key. This ensures that even in the event of infrastructure outages or black swan scenarios, we can deliver emergency fixes seamlessly. For users, the update process remains unchanged: smooth, secure, and reliable. For the project, this marks an important step toward resilience: guaranteeing that users will always be able to securely access their funds with Wasabi, without sacrificing privacy by restoring seeds on less private wallets. Of course, we also want to thank relay operators for making it possible to implement features like this.

Replies (20)

Serving Bitcoin 3 months ago
Wow. Software updates deployed via Nostr. @WasabiWallet and the Nostr network are serving bitcoin in new innovative and decentralized ways. Thank you.
This is good stuff. Encouraging to see solutions to the centralisation risk of the management & distribution of FOSS & freedom-tech emerging on the freedom-tech stack itself. These things have long been freedom-tech's soft underbelly ... exciting times
OpnState 3 months ago
Amazing, how do we utilize the Nostr functionality? Is it embedded in the new version?
We release Wasabi and as part of the process we publish a note under this public key npub129hpcwy3h7uhpzwzts6utkt2p5st7lf4qpzp3d2j0p6z56lvkpgspngzeq, which means that those who follow that account will see that there is a new version available with all the links to download the packages and verify them. The Wasabi client also subscribes to that nostr npub and listens for updates. In case a newer version is published, the Wasabi client will use the links in the nostr note to download the appropriate package, verify its authenticity, and let you know that the package was downloaded and is available for you to install. So, Wasabi users don't need to do anything. But what if something bad happens? Imagine GitHub doesn't allow us to host the releases on their platform or takes down the repository or something similar - how is this feature useful? In a case like that, we can host the packages somewhere else and update the links, or we can even publish more URIs to IPFS, Torrent, or whatever. Of course, the Wasabi client only understands HTTP, but more advanced users might prefer to download Wasabi using something different.
That’s a good question, but this isn’t actually a new risk unique to Nostr. Any software distribution channel depends on some account or key. If an attacker gained access to GitHub maintainers’ accounts, or to DNS records, the outcome could be the same. Nostr doesn’t make this problem worse... it just changes the medium. More importantly, Wasabi doesn’t auto-update. The client only notifies users that an update is available. Before any update is accepted, the client independently checks that the binaries are signed with our official PGP key, which is bundled into the software. If the signatures don’t match, the update is rejected. On top of that, operating systems themselves add another layer of defense. Windows and macOS both enforce developer certificate checks at runtime, so an attacker would also need to compromise our Apple and Microsoft signing certificates to avoid OS-level warnings. Compared to our previous GitHub-based distribution, this is actually a step up in security. Back then, compromising a single maintainer account could have been enough to trick clients into surfacing a malicious update. Now, even if someone compromised our Nostr key, they would still face multiple cryptographic and OS-level hurdles before a malicious build could ever be accepted by users’ machines.
By the way, I don't think that last paragraph is correct. If the attacker compromises a maintainer GitHub account, they will not have access to the PGP private key to sign the malicious release, thus clients wouldn't update the package.
Thanks for all the work. I used Wasabi myself, but it's quite some time ago now; I can't stack much more, and for small amounts I would use Lightning and onchain swaps or ecash mints.