Imagine if your web of trust could:
- manage a list of nostr apps
- manage a hierarchy of categories and determine which apps belong to which categories
- update all of the above on a continuous basis
Who would like to see that?
And then you learn a term “supply chain attack”
You mean sybil attack?
I'd rather refer to the software development case where you have multiple open source dependencies in your project and one day one of the dependencies becomes controlled by an attacker.
In the case of a web of trust it may mean one of your friends becomes the attacker, or they are sold to an attacker, or they get hacked by an attacker, etc.
With WoT, you can remove the attacker from your WoT as soon as you realize it. Or even better, someone else in your WoT spots the attacker and does the removal before you ever realize there’s a problem.
Sounds great… if you don't actually care about the consequences.
The consequences of discovering a bad actor?
Of no discovery. Or a late discovery. Or a wrong discovery.
If that's your nostr feed, that could mean a couple of hours or days or months of being affected; that's probably ok.
If your banking app got updated from another source and your WoT helped to discover it in an hour, it may already be too late.
So if you don't actually care about the consequences of the attack, that's ok. If you do care, you want as much control as possible. And today WoT could give much less control than Apple.
The point of a WoT-curated page for nostr apps will be so you can keep up to date and have fun discovering new apps and even new categories of apps that you didn’t know existed. You won’t even have to be logged in, unless you want to contribute / help curate. I see it as a playground to find out what WoT can do.
WoT has lots of uses, but no need to apply it for mission critical purposes before it’s ready.
Dependencies can be curated in the same fashion as the apps. Your WoT maintains a list of dependencies and organizes them into categories, like the “oh crap these have malware!!!” category.
Sounds good but how do you determine the WoT?
According to the tapestry protocol, you are always at the center of your grapevine (your WoT). You select the people who select the people who select the people (and so on) who do the curation.
I’ve built a proof of concept for curation of lists as a desktop app. I haven’t coded the curation of categories yet, but that part of the protocol exists and the existing proof of concept should give you the general idea. Here is an overview with screenshots from the desktop app that shows exactly how it works.
https://github.com/wds4/pretty-good/blob/main/appDescriptions/curatedLists/overview.md
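The "you select the people who select the people" idea above, plus the earlier point about removing a compromised node from your WoT, can be made concrete as a bounded-depth traversal of a follow graph. The following is an added illustration written for this thread; it is not code from the tapestry protocol or the pretty-good repository. The follow graph, the endorsement lists, the pubkey placeholders ("me", "alice", ...) and the 1/hops weighting are all constructed assumptions chosen to show the mechanics, not anything the protocol specifies.

```python
"""Bounded-depth web of trust with revocation (illustrative, constructed data)."""
from collections import deque

# Constructed follow graph: pubkey placeholder -> set of pubkeys it follows.
FOLLOWS = {
    "me": {"alice", "bob"},
    "alice": {"carol", "dave"},
    "bob": {"carol", "eve"},
    "carol": {"frank"},
    "dave": set(),
    "eve": {"mallory"},
    "frank": set(),
    "mallory": {"eve"},
}

# Constructed curation data: curator -> set of app identifiers they vouch for.
ENDORSEMENTS = {
    "alice": {"app-a", "app-b"},
    "carol": {"app-a"},
    "eve": {"app-a", "app-x"},
    "mallory": {"app-x"},
    "frank": {"app-c"},
}


def build_wot(root, follows, max_hops, blocked=frozenset()):
    """Breadth-first walk outward from root, at most max_hops deep.

    Returns {pubkey: hop_distance}. A pubkey in `blocked` is never added and
    never traversed through, so everyone only reachable via it drops out too:
    that is what "removing the attacker from your WoT" does to the graph.
    """
    hops = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue
        for nxt in follows.get(node, ()):
            if nxt in blocked or nxt in hops:
                continue
            hops[nxt] = hops[node] + 1
            queue.append(nxt)
    return hops


def score_apps(wot, endorsements):
    """Sum a hop-weighted vote (1 / hops, an assumed weighting) for each app.

    Only curators inside the WoT count; the root's own votes are excluded so
    the result reflects the grapevine, not the user's own opinion.
    """
    scores = {}
    for curator, apps in endorsements.items():
        distance = wot.get(curator)
        if distance is None or distance == 0:
            continue
        for app in apps:
            scores[app] = scores.get(app, 0.0) + 1.0 / distance
    return scores


def curated_view(root, follows, endorsements, max_hops, blocked=frozenset()):
    """Convenience wrapper: build the WoT, then score the curated app list."""
    return score_apps(build_wot(root, follows, max_hops, blocked), endorsements)


if __name__ == "__main__":
    before = curated_view("me", FOLLOWS, ENDORSEMENTS, max_hops=3)
    # Suppose "eve" is later judged compromised: revoke and recompute.
    after = curated_view("me", FOLLOWS, ENDORSEMENTS, max_hops=3, blocked={"eve"})
    for app in sorted(set(before) | set(after)):
        print(f"{app}: before={before.get(app, 0):.3f} after={after.get(app, 0):.3f}")
```

Running it shows "app-x", vouched for only by "eve" and by "mallory" (reachable only through "eve"), disappearing entirely once "eve" is revoked, while "app-a" merely loses eve's share. The depth limit is the other control knob: the deeper you let the walk go, the more curators you inherit and the longer a compromised node's reach becomes before anyone upstream notices.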