Nostr Web Client

Ya I was thinking about this... we could do independent audits.. but probably would need to be done by someone who doesn't run a relay? Ie, I could verify you, but then it'd be fishy if you verified me lol.. 🤔

cloud fodder 2y ago

Basically, we could give non-superuser ssh access to one of the security folks that we trust, so that they could at any time, ssh in and verify the logs are not being kept. Then they publish what they find periodically. Kind of like how companies do independent security audits.

Reply to this note

Please Login to reply.

Discussion

il_lost_ 2y ago

What about this? https://audgit.ai/

cloud fodder 2y ago

Auditing the code is not enough, we would need to audit the state of the server since most of these servers allow ssh access the state of the system can be changed at any time by an operator.

nobody 2y ago

An even further issue is that in the case of allowing an auditor in, it would expose secrets as well.

nobody 2y ago

This is cool, but yeah, it’d have to be combined with something to audit to deployment as well.