I am pleased to announce the 0.1.0 release of Flotilla, a new client for communities.

This is NOT a NIP 29 client. More details to come on why, but for now, give it a try at flotilla.social.

If you're not sure which group to start with, try one of these:

https://flotilla.social/spaces/wss%3A%2F%2Frelay.nostrtalk.org%2F

https://flotilla.social/spaces/wss%3A%2F%2Fbucket.coracle.social%2F

Discussion

IMO, my public posts should not appear when I log into a given relay. If I am inside a community, I only want to see posts in that server.

I'm not sure what you're referring to. The home page shows public posts by the relay's pubkey. Common practice right now is for that to be the owner of the relay, not the relay itself. Other stuff is locked in to that particular relay.

It's confusing because you are asking people to log into a relay first and use groups inside of it.

But then on the "home" tab, I can see all my posts that are not in that relay.

That's because your pubkey is being advertised as the relay's pubkey. Flotilla assumes the pubkey is exclusive to the relay. But maybe I should still limit it to fetching from that relay

Yeah, I think you should. Otherwise it gets very confusing to know where is what and how private am I in this system.

I am using it for internal comms of a company. Let's see if it works :)

Rad, don't hesitate to let me know about problems

I already don't like the "threads" option.

I would just focus on rooms and DMs.

Thanks for the feedback. You know me, I have theoretical basis for doing this, but we'll see if it works out in practice. One thing I'd like to do is allow people to enable/disable these nav items

Just released an update to only fetch notes from the relay you're on. I think this makes sense.

Add 28934 to the list of requested perms in nostrconnect string, please

Also 209 and maybe others?

Can't post to nostrtalk.org, restricted :(

Just fixed it

Some more (bug?) reports in 'clients' room

🫑 Just pushed an update

Looking good! FYI that I received this error when attempting to join the nostrtalk space.

Ah, thanks, forgot to open up the relay

All fixed now

Lfgoooo 🔥 awesome work!

is there a list of messaging relays I can find some in 👀 i just noticed on the relay settings page that I don't have any yet

auth.nostr1.com or inbox.nostr.wine are a good place to start (the second one requires payment). If you want to self host, haven by nprofile1qy2hwumn8ghj7un9d3shjtn4w3ux7tn0dejj7qgnwaehxw309amk7apww468smewdahx2tcpz4mhxue69uhkvun9deejuat50phjummwv5hsqg8zenmu7gzq8ulj5jj4kv50ph3muwz43f747vmr9ld2alrjdswgavt99xv3 is really good

Appreciate that!! 🫑

You should be able to use my fren relay for free as well: wss://frens.utxo.com

This looks really good. If it's not NIP-29 though, do you have a spec explaining how it works?

PR is coming soon, I'll mention you when it arrives

Yeah, loved where you guys were going with satellite. Is that project still going?

yes, but slowly. there isn't enough time in the day

SLEEP FASTER

What is it doing under the hood? as soon as I login it seems to open 20+ relay connections and it starts asking me to decrypt events... ?

just some bug reporting hehe

😅

Honeypot

Just kidding, it's decrypting your DMs which you can access from the menu item on the bottom left. The connections are a result of it trying to find profiles for all your follows so it can build web of trust for possible relay groups. All things to be optimized.

nprofile1qyghwumn8ghj7mn0wd68ytnhd9hx2tcpzfmhxue69uhkummnw3e82efwvdhk6tcprfmhxue69uhhq7tjv9kkjepwve5kzar2v9nzucm0d5hsz8rhwden5te0wdshgetvd35hgefwdpa8yep3xsujucm0d5hsqgpxdq27pjfppharynrvhg6h8v2taeya5ssf49zkl9yyu5gxe4qg55la0jnz I'm releasing an update now that will disable DM decryption by default until you explicitly enable it

Thanks for fixing it so quickly.

it's an annoying part of nostr, but I can't login to most other web apps because they crash my computer with decryption requests

I feel ya

doing an ECDH derivation seems like a low hanging fruit for native code inside extensions though, has anyone considered this? or even pushing out the entire thing to native code?

why is it, anyway, that javascript engines still don't have a native sha256 hash function? or an AES (rijndael) hash function? this seems like a really simple problem yet because they still treat browsers as dumb presentation engines while constantly overloading it with GUI logic nobody bothered to provide a fast path for this

It's less related to this than that 1. some people like to approve every request 2. some signers don't properly implement "approve always", and 3. nip 46 signers are remote and it can be hard to deal with the latency on both client and signer side

My complaint is that almost all apps presume the user will always sign everything, and they usually crash or are buggy when the user does not give the app access to everything

this is because most front end app devs have ZERO understanding of cryptography, not even the distinction between actual encryption and signing

the media has not helped this at all, by calling signatures "asymmetric encryption" bullshit. the encryption requires you to do a little computation but signatures are not encryption they are authentication, really big difference

That's a corollary for sure

signing is a more expensive operation by like factor of 4 or more than deriving a decryption secret and making a cipher block stream

not wanting to see messages that have been encrypted to you is quite retarded, i mean, i don't even know how to express how retarded it is to not want to spend the cheapest amount of crypto compute on seeing what people send you

signing stuff, that's a different issue because implicitly you are also sending that out, there should be a clear delineation between actions that are secret and actions that become public or at least move to private across the connection

i admonish you guys to do some more study on cryptography and signals intelligence, please

look, put it this way, if someone has already breached your system, they can see all your encrypted messages and you are whining because the signer asks you to derive a shared secret????

sorry but this is beyond retarded

performing an action that has zero effect outside your computer should not need any permission

deriving shared secrets out of a message from your nsec should not require permission at all. at all.

if someone is already inside your browser or computer that's a whole separate problem to signing stuff and sending it out, i really hope you get the distinction

Shared secrets gives you something durable that clients can quietly exfiltrate to spy on users later. Not a good idea IMO, but others disagree

if they can get at the shared secret they probably can get at the nsec, how far separated are those two things?

hint: you can't derive the shared secret without the secret. it's one step. one.

security of the nsec and derived secrets is almost unity

the actual data it decrypts, that's your computer it's on, it's not being SENT ANYWHERE ffs guys, please, get some fucking realism in your threat models

if you can't trust the computer, why you use the computer?

oh yeah, because it isn't a leaky sponge like you are trying to make it out to be, yet somehow it is secure in other ways

no, fuck you. decrypted messages are adjacent to the fucking nsec

classic coracle

I've never seen axiom have a good take on anything.

What does it not being a NIP-29 client mean? (I know I could go look up the NIPs but I'm a normie 😄, I don't know them by heart like the devs). I assume this makes it different from Chachi.chat, but how?

I'm going to write a big old blog post on this soon. The basic difference is that nip 29 groups are based on relays, flotilla groups _are_ relays.

Is this desktop only?

Nope, very mobile friendly. It even has an APK so you can download it on zapstore or Obtainium

Wow! Crazy! 👏🏻👏🏻👏🏻👏🏻

So no more nsec.app login?

Signup still uses nsec.app, and you can still login with nsec.app using a bunker. But I got rid of the auto-nsec login. The state of NIP 46 is just too unstable to build anything like that right now.

Why are you separating threads from comments on a message? I feel like I am missing something here....

Is it always one relay per community or are multi-relay communities possible?

Multi-relay is possible, although it introduces lots of problems so I've designed it to assume that the relays are federating with each other

URI encoded relays? aight o.o

Interesting to see someone sidestep NIP29, will check it out ^^

Only because nprofile1qyd8wumn8ghj7urewfsk66ty9enxjct5dfskvtnrdakj7qgmwaehxw309aex2mrp0yh8wetnw3jhymnzw33jucm0d5hszymhwden5te0wahhgtn4w3ux7tn0dejj7qpq80cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsh4nk43 took away my nrelays

....then make it hrelays? x)

Signup not working for me. Infinite spinner

Make sure pop ups aren't blocked. Which browser are you on? If you're on Safari it might not work well.

Yes safari

I didn't know anyone used safari! 😆

It's the default iOS browser

Haha yeah I know. I'm sure it's probably used by most iOS users. I was just trying to be difficult. Also thought it was about PC browsers (in which case Safari is still default MacOS browser ☺️)

Very good UI, but it requires signing many events 🀣

Can't do stuff if you don't want to do stuff

Not seeming to work for me with either of those links

Please add a login mode for mobile users as well. I'm using Amber on Android.

NIP 55 is supported, are you not seeing the Amber login method? It looks like this:

Nope, it is not there. Amber was an option for Amethyst but it is not there for the web apps. Tried FF Focus and FF as well.

Are you running it from the browser/pwa or the apk? Web apps can't use amber unfortunately.

I was trying it on Safari mobile with nsecbunker but it would get stuck logging in. 🥲 Also tried Arc browser and same thing.

Thanks, I'll take a look. If the bunker flow didn't work, try the nostrconnect flow. Also, if you're using Amber, nip 46 basically doesn't work.

I was using nsecapp, and pasted the nsecbunker url directly

LFG!! 🔥

I've enjoyed testing this out so far, huge, huge potential!

It's become my main client when on Desktop/Web, and hope Communities/Space BOOM over time.

Great stuff nostr:npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn

Thank you for all your very detail-oriented help with testing! I would not have been able to put out a release at this level of quality without you.