"Garnet turning out to be malware"
???
What gives you this idea? Can you show me who said this and their proof of this?
Me. It's probably "benign" i.e. probably won't steal the user's Monero but the red flags I was looking past when I recommended it got 10x worse and I don't trust it now.
nostr:note1rl4qtd3a9qgngwz3ed8kt2veypllmpzaw2ks8ptsxmpvcvusdsxqyyt0mq
What specifically in the code is malware?
There's only one or two users working on it because it was created from a relatively small bounty (very common for most bounties) and was largely under the radar until maybe a week ago...anyone can read the code and make pull requests and contribute any time they want. Hopefully more attention brings more users willing to help work on it.
I don't have specific knowledge of what's in the code that's malware. I'm not a coder and can't review code.
It's what the code is in that's malware, that I have specific knowledge of - as I mentioned: the worst possible git.
It also seems like a malicious copyright claim might be building up, furthering the severity.
There would be less than zero reason to be surprised if this app spies on users and very little reason to be surprised if it steals monero from users based on its level of malware, so I can't recommend it.
I also must repeat, I'm very tired of the nostr community tolerating and promoting shit like this. It's been what, 8 FUCKING YEARS since Microsoft acquired GitHub? We need bird flu to kill people harder than COVID because this species is fucking dumb.
Do you mean because it is on github? I agree probably not the best decision, but it's not like that is some outlandish thing among FOSS apps. Even Bitcoin/Monero have githubs.
"malicious copyright claim might be building up" What are you referring to?
It's brand spanking new, so I'm not saying you're wrong to be cautious, or even avoid it until more attention and work is put on it, but I at least haven't come across any reason to suspect Garnet is malicious.
Because I'm angry at the community and it's hard to stop it from seeming directed at whoever I'm talking to, please let me inject this in the beginning of my reply: thank you for taking the time you've taken to discuss this.
Bitcoin was made long before Microsoft acquired GitHub. Not 8 YEARS AFTER. Satoshi Nakamoto wasn't even around by the time Microsoft acquired GitHub. Satoshi Nakamoto didn't have nostr. Bitcoin and Monero's devs should not have those projects on the worst possible git at this point, it lends itself to the argument that they're malware too.
And it's obviously worsened by all of these facts: that despite Garnet being a nostr client, these people working on it are using the worst possible git as a replacement for getting feedback from nostr users, instead of a supplement; that despite it being a nostr client, there is nowhere to report issues on nostr; that despite it being a nostr client, there are no nostr copies of the discussion threads on the git and on bounties.monero.social; that despite it being a nostr client, there aren't even fucking npubs copied and pasted in the threads.
These facts are ridiculous. If we're very lucky, Garnet is a good project and it's just the community encouraging shit like this that's causing devs to engage in such fucked up behavior. If we're not so lucky, a malicious copyright claim is building up where retnull wants to controll the Garnet name and use it to suck up oxygen from other similar projects while stagnating the development of Garnet so that nothing gets developed in this area. If we're very unlucky, retnull wants to build a honeypot that somehow ends up implementing spyware backdoors or worse, coin-stealing backdoors. I hope we are lucky, and if so, I'll be relieved to see proof in the form of retnull being an early adopter of ngit.
Typo: control, not controll
It's really hard to find quite perfect phrasing here. It's extremely relative; virtually all code is malware since virtually all coders are either malicious or make mistakes based on disinformation from other malicious people. But sometimes good faith efforts outweigh mistakes and the malware element seems canceled out. In this case, I have a bad feeling about my recommendation.