Fascinating conversation about software integrity verification on the latest bitcoin.review pod

There is a huge issue with phishing, specifically with apps like nostr:npub1hea99yd4xt5tjx8jmjvpfz2g5v7nurdqw7ydwst0ww6vw520prnq6fg9v2's Sparrow Wallet.

nostr:npub1qny3tkh0acurzla8x3zy4nhrjz5zd8l9sy9jys09umwng00manysew95gx suggested adding a known set of hashes in a trusted place and enforcing TOFU (trust on first use: the signing key seen at first install is pinned, and every later version must be signed by that same key) in Sparrow, which would help mitigate attacks during updates.

Shout out to nostr:npub1l2vyh47mk2p0qlsku7hg0vn29faehy9hy34ygaclpn66ukqp3afqutajft for bringing up zap.store in the conversation! I'm building it to fix this exact problem: verifying packages stored anywhere using webs of trust. Trust is inherently social so the nostr social graph is a perfect fit.

And I agree with nostr:npub1az9xj85cmxv8e9j9y80lvqp97crsqdu2fpu3srwthd99qfu9qsgstam8y8 that current app stores do serve a purpose: curation and reputation will always be important, but having a free market for them is just as important.

For those interested I wrote about this topic at length: https://stacker.news/items/404908
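As an added example (my own illustration, not code from Sparrow Wallet, zap.store or anyone on the podcast), here is what the suggested "known hashes plus TOFU signer pinning" check looks like for an updater. Assumptions: Ed25519 stands in for the signature scheme (nostr keys are BIP-340 Schnorr over secp256k1, which Go's standard library does not ship); the `Release` manifest format, the `Installer` type and the build bytes are all constructed for the demo. The scenario walks a fresh machine through a legitimate install, a legitimate update, and three failure modes: a phished update that is correctly self-signed but by a different key, a genuine manifest with a swapped download, and a genuine build that the trusted hash list has not published yet.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Release is a constructed manifest format (an assumption, not Sparrow's or zap.store's):
// version, SHA-256 of the binary, the publisher's key, and a signature by that key.
type Release struct {
	Version string
	Digest  [32]byte
	Signer  ed25519.PublicKey
	Sig     []byte
}

func releaseMessage(version string, digest [32]byte) []byte {
	return append([]byte("release:"+version+":"), digest[:]...)
}

// Sign is the publisher side: hash the build and sign version+digest.
func Sign(priv ed25519.PrivateKey, version string, binary []byte) Release {
	d := sha256.Sum256(binary)
	return Release{version, d, priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, releaseMessage(version, d))}
}

var (
	ErrBadSignature   = errors.New("signature does not verify under the key named in the manifest")
	ErrSignerChanged  = errors.New("signer differs from the key pinned on first install")
	ErrDigestMismatch = errors.New("downloaded binary does not hash to the signed digest")
	ErrUnknownDigest  = errors.New("digest is not in the trusted known-good set")
)

// Installer holds the TOFU state kept on the user's machine.
type Installer struct {
	PinnedSigner ed25519.PublicKey // nil until the first successful install
	KnownGood    map[[32]byte]bool // optional hash list fetched from a trusted place
	Installed    string
}

// Install checks, in order: manifest self-consistency, signer pinning,
// binary/manifest agreement, and the optional known-good cross-check.
func (in *Installer) Install(r Release, binary []byte) error {
	if len(r.Signer) != ed25519.PublicKeySize || !ed25519.Verify(r.Signer, releaseMessage(r.Version, r.Digest), r.Sig) {
		return ErrBadSignature
	}
	if in.PinnedSigner != nil && !in.PinnedSigner.Equal(r.Signer) {
		return ErrSignerChanged // valid signature, wrong key: the phishing case
	}
	if sha256.Sum256(binary) != r.Digest {
		return ErrDigestMismatch
	}
	if in.KnownGood != nil && !in.KnownGood[r.Digest] {
		return ErrUnknownDigest
	}
	if in.PinnedSigner == nil {
		in.PinnedSigner = append(ed25519.PublicKey(nil), r.Signer...) // pin only after a fully verified first install
	}
	in.Installed = r.Version
	return nil
}

// ScenarioResult records the outcome of each install attempt in RunScenario.
type ScenarioResult struct {
	FirstInstall, LegitUpdate, PhishedUpdate, TamperedBinary, UnlistedBuild error
	FinalVersion                                                            string
}

// RunScenario generates fresh keys and constructed build bytes, then replays
// one legitimate install, one legitimate update and three attacks.
func RunScenario() (ScenarioResult, error) {
	var res ScenarioResult
	_, legit, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	_, attacker, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	v10, v11, v12 := []byte("constructed build 1.0"), []byte("constructed build 1.1"), []byte("constructed build 1.2")
	trojan := []byte("constructed trojaned build")
	in := &Installer{KnownGood: map[[32]byte]bool{sha256.Sum256(v10): true, sha256.Sum256(v11): true}}

	res.FirstInstall = in.Install(Sign(legit, "1.0", v10), v10)
	res.LegitUpdate = in.Install(Sign(legit, "1.1", v11), v11)
	// Phisher serves a build signed with their own key: self-consistent, but not the pinned signer.
	res.PhishedUpdate = in.Install(Sign(attacker, "1.2", trojan), trojan)
	// Phisher replays a genuine manifest but swaps the download.
	res.TamperedBinary = in.Install(Sign(legit, "1.1", v11), trojan)
	// Genuine signer, but a build the trusted hash list has not published yet.
	res.UnlistedBuild = in.Install(Sign(legit, "1.2", v12), v12)
	res.FinalVersion = in.Installed
	return res, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The order of checks matters: the signer comparison runs before the hash checks so that a phished update is refused for the reason the user should see (key changed), and the key is pinned only after the first install passes every check, so a tampered first download never pins an attacker's key. The known-good list is what makes the very first install safer than bare TOFU; without it the first install trusts whatever key the download happened to carry.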

Discussion

Thanks for sharing.

Yeah, trust on first use is certainly better than the current system. Developers for Bitcoin can be signing with Nostr keys and then the general public can check via the official channels.