PSA: please don't upload images directly from your phone with Olas unless you want to dox yourself. I've seen a lot of images being uploaded to nostr.download with full EXIF data, including GPS data.
Discussion
😅
nostr.download doesn't strip EXIF? 👀
You wanted your integrity for uploads and strict checksum matching, you got it. Blossom does not allow any modification to the media unless you use /media endpoint, and I don’t think any current servers have it even implemented.
Interesting because nostr:nprofile1qqsw9n8heusyq0el9f99tveg7r0rhcu9tznatuekxt764m78ymqu36cpz4mhxue69uhkvun9deejuat50phjummwv5hsz8rhwden5te0wfjkccte9e3xjarrda5kuurpwf4jucm0d5hsz9thwden5te0wfjkccte9e6hg7r09ehkuef0avzrjf's #Haven relay with built in Blossom server is stripping GPS from this image.

It's not; your image doesn't have GPS data, but everything else is there, model etc.
All other EXIF data is there correct, minus GPS. So why is my haven/blossom/olas uploaded image missing GPS then?
Maybe you turned that off on your camera.
Nope. I also downloaded the images I uploaded and viewed them to confirm and used external EXIF data viewers. 
It’s not missing on others; it’s probably just that your photo app doesn’t GPS-tag your images.
Google Camera is absolutely tagging them. I see it displayed in Google Photos.
It's getting stripped on device somewhere. I just checked another image on olas.app and it has the GPS data, maybe it's only a problem for the iOS Olas app?
Maybe that's it?
It’s either app/os does the stripping or blossom server mods the file and breaks checksum.
Here is Corn uploading my image via iOS Olas.
And here is me uploading it via Android Olas.
Both using the same image to nostr.download Blossom. His version has GPS. Mine does not.
The point is that Blossom, using the standard /upload API, does not allow for any manipulation of the media at all. If an image is huge and has a bunch of EXIF data in it, it will remain as uploaded. If a client has a bug, or Android/iOS changes an API or something, the image will be exposed to potential leakage of metadata. The server could check and refuse, but I know that only nostr.build has it now for no_transform uploads using the API (or account page). Some other servers may have it implemented too, but I don’t know of any.
so.. wen client with auto-stripping option before image upload?
IMHO client is the first line of defense, server should act as a failsafe and either refuse upload or have an option to strip. You can’t trust one entity to keep your privacy.
you're right. but I think it would help if clients had such an option instead of (maybe) having to use a 3rd party app which does (or maybe doesn't) strip all the data. then have the server do a check and return a warning if metadata is found. at that point the user can decide if he cares or doesn't. Or strip the data server side but from what I understand that breaks the checksum?
Warnings don’t work, normal folks learned to ignore them due to warning fatigue. Refuse to accept is the only way. Stripping with default blossom will not work, csum will break, and honestly I don’t think any of the clients even check. SHA256 is slow and not the best for that, Blake3 is much faster and as reliable.
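An added example, not part of the thread and not code from Olas, Blossom or any server mentioned here: a pre-upload check in Python that looks for the EXIF GPS pointer in a JPEG, strips the Exif segment, and shows that the SHA-256 changes, which is why stripping after a hash-checked upload breaks the checksum. The function names are illustrative and the sample bytes are constructed.

```python
import hashlib
import struct

EXIF_MAGIC = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory

def segments(jpeg):
    """Yield (marker, payload, raw) per header segment, then the untouched tail."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], jpeg[pos + 4:end], jpeg[pos:end]
        pos = end
    yield None, b"", jpeg[pos:]  # SOS marker, scan data and EOI, copied as-is

def is_exif(marker, payload):
    return marker == 0xE1 and payload.startswith(EXIF_MAGIC)

def has_gps(jpeg):
    for marker, payload, _ in segments(jpeg):  # inspect IFD0 of each Exif segment
        if not is_exif(marker, payload):
            continue
        tiff = payload[len(EXIF_MAGIC):]
        e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte-order mark
        (ifd0,) = struct.unpack(e + "I", tiff[4:8])
        (count,) = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):  # 12-byte entries, tag in the first two bytes
            entry = ifd0 + 2 + 12 * i
            if struct.unpack(e + "H", tiff[entry:entry + 2])[0] == GPS_IFD_TAG:
                return True
    return False

def strip_exif(jpeg):
    kept = (raw for m, p, raw in segments(jpeg) if not is_exif(m, p))
    return b"\xff\xd8" + b"".join(kept)  # every Exif APP1 segment dropped

def blob_id(data):
    return hashlib.sha256(data).hexdigest()  # hash the upload is checked against

def sample_jpeg():
    """Constructed bytes (not a decodable image): SOI, Exif APP1, stub scan, EOI."""
    tiff = b"II*\x00" + struct.pack("<I", 8)  # TIFF header, IFD0 at offset 8
    tiff += struct.pack("<HHHII", 1, GPS_IFD_TAG, 4, 1, 26) + bytes(4)  # 1 entry
    tiff += bytes(6)  # empty GPS IFD at offset 26
    payload = EXIF_MAGIC + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02\x00\xff\xd9"
```

A caller that wants to fail closed treats a `ValueError` or `struct.error` from `has_gps` (malformed or truncated EXIF) the same as a positive result and refuses the upload.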
oshash is fast
SHA256 by itself is great for cryptography, Blake3 is just very fast on modern CPUs and outdoes SHA256 by miles. Regardless of implementation
It’s a great and super-fast algorithm, especially the WASM implementation! But until it’s bundled by default in Linux, other major OSes, and browsers, it’s unlikely to go mainstream. Switching algorithms is pretty tricky once you’ve committed to one. Still, Blake3 is definitely impressive!
Agree. I am still planning to use blake3 to produce hash and keeping it as an alternative.
Sounds great! I’ve always been a fan of Oshash for media—it integrates so well with the OpenSubtitles ecosystem, which has most of the world’s content indexed. I remember it was quite a challenge and even a bit controversial when they switched to a better hashing algorithm. I think the resistance came from the sheer scale of the ecosystem and the compatibility issues involved, but it’s impressive how they made it work in the end!

It seems that it does not read the full file to produce hash, which can be OK for some use cases but not ideal for integrity. 🤔
uff truth on the warnings!
Maybe, but either way there should be NO metadata, also the images are huge and not compressed at all
Should strip before upload. Don't want the server to know either.
There are apps for this. Probs should be built into Nostr clients.
It does if you use NIP96 or /media blossom upload, but it's still not merged
Sigh 😔
Either remove the metadata using Imagepipe or take a screenshot of your photos before uploading them.
This banger of a man told me about the screenshot thing years ago … does that still work? Genuinely?
🫣 we need to do better on the client side
Turn off GPS at least!
Not sure it helps but I screen shot most of my uploads too.
Never used it, but thx for the info. On the other hand I use "Scrambled EXIF", this comes with CalyxOS (or GrapheneOS).
do you download this from the play store?
Even with stripped EXIF, pictures are a great way of doxxing yourself!
It would be nice to have a more private experience, like with instagram private profiles
What about nostr:npub18m76awca3y37hkvuneavuw6pjj4525fw90necxmadrvjg0sdy6qsngq955 and nostr:npub1nxy4qpqnld6kmpphjykvx2lqwvxmuxluddwjamm4nc29ds3elyzsm5avr7 ?
We strip all location metadata!
What if I upload it from my phone without uploading it to Nostr.build and then copying it over?
I don’t understand the scenario. If your upload ever goes through nostr.build, our website or any app, we strip location data. Not sure about any other service.
Also if you don’t advertise that, you should. Definitely a selling point! 🫡🤌🤝 
Thank you, we do talk about it whenever possible.
Here is a recent blog of features:
I thought so because I have specifically checked.
One thing I do like about Nostr clients is that they allow hot linking. This practice was used a lot in the 90's when web space was extremely limited. Copy the link, post the link. The pic will automagically be loaded in the client.
Works great for horking memes.
What is Olas?
So let the server strip it
If you are posting an old photo, could you help me understand the implications of what doxing this does? And for someone who is not an anon npub, but also I guess for anons?
