Damus’s build process currently bakes the current git hash into the version number in settings. You can look at this hash and compare against the source code with that version. You can clearly see in the code that the nsec never leaves the device or is ever sent to damus servers (I don't even have custom servers that damus talks to)

Not to mention there are no trackers or integrations that have the ability to send information outside of the app. This is why we open source 👌 nostr:note185tvu0nld67ler6lg0hhhuqqua7u5r2svtc5e22zknffd4uuw40s5l4ty6


Discussion

wait you can not recover my nsec? 😣

You’d be surprised how many people have asked me to recover their nsec 😆

there are things that even I do not want to know 🤣

so you don't keep it all in unencrypted .txt on your unprotected server?

Dev do something! Help me

I do this all the time but in relation to things like, ‘will, how do I… (insert ridiculous IT questions that I could just as easily google to find the answer)?’ 🤗😂

Will do the dishes!

Dev do something!

🤣

Haha, yeah

Wicked sauce

Just post it as your “hello world” note and you’ll never lose it 👍

Thanks for letting us know, trust you 100% just wondering

You are doing right. Don't trust, verify.

Hey where does the $1k sat zap come from? Cash app? Not coming out of my WoS

Hey 👋, 1k sats is equal to around $0.29 US cents. Sats are the smallest form of bitcoin which is a currency. These sats can come from any exchange or from people here who “zap” you or send you sats.

Damus is showing that I'm zapping but isn’t providing an invoice

do you have an alby wallet connected? It pays the invoice automatically using that if so and if you have a balance.

I must have a balance then idk?

Yup, in whatever wallet you use

Reproducible builds are a pain in the ass but the only solution for that

https://core.telegram.org/reproducible-builds

Not sure how that would work for appstore builds

Yeah, that's shady and requires a jailbroken device, but possible

This all assumes they trust the git hash is correct and unmodified or spoofed, both of which would be trivial to do. So they might as well just be taking your word for it...

This is probably true for every app. Nobody reads tos or the code or understands / cares how the info is handled and who has access to what. Only some developers might and the user trusts that enough devs looked at the code and confirmed that it’s not stealing everything from the user.

Yes, I trust Will 100%

There is trust in many things and people we rely on daily. It’s delusional to think we can live in a trust-less society. Trust-minimized, sure.

Yes, you have to be careful who you trust but some is good

It is not true of every app. Bitcoin core has a reproducible build process. You can verify the published binary came from the published source. However I don’t think this is possible for iOS apps due to Apple’s signing process.

No non-dev user is verifying any binary. They will just install and use. The whole verification thing is for a tiny subset of people technical enough to understand it.

You can always build your own Damus, I do. 🐶🐾🫡

Paranoia has to be applied in healthy dosages. Do you trust Apple to keep your nsec safe? What about all the TLS interactions? Do you trust the private key of each site is safe? This list can go on forever……

I don't use Apple for a reason (well, several...)

Don’t think that any other company is sacred. And Android is as compromised by Google as any other phone OS. Graphene OS is not an exception to this either 🐶🐾🫡

We need something totally new! NostrOS

Today, let’s learn about what an nsec really is, everyone.

“It’s my private key!” you are yelling at me as you read this.

Yes, and no. The nsec does contain the private key and should be protected as such. However, it uses bech32, a type-length-value (TLV) encoding scheme (with checksum) which is also used to encode the Bitcoin wallet addresses that start with “bc1”.

If, like me, you like to look closely at nips, you will find that the bech32 encoded values (nsec, npub, etc) are for displaying to humans. Nostr apps use the raw bytes of the private key (decoded from the nsec) for cryptographic operations.

So, if you audit Will’s code, make sure you follow the handling of both nsec (encoded) and the private key raw bytes (decoded).

Just imagine not earning satoshis while playing solitaire!

Follow us and check our latest habla post to learn more:

https://habla.news/a/naddr1qqxnzd3exyurgvf3xsurxv3jqgsfpr28k6zr6ymqsrr3k6d9fe76gjufa7q6cjfrmkr4jqna52ln3tgrqsqqqa28m97f5n

Baking the current git hash into the version number in settings should be a standard for all Bitcoin and Nostr apps

Call 3016886311 and ask for SETEC ASTRONOMY. Those guys can recover anything. 😂