I am still mulling over what software distribution should look like. Having a trusted entity like the play-store, steam, or Ubuntu repos is nice. I am not quite sure how to make it distributed and web-of-trust.

You can make a software store with all the hashes of the binaries your friends use, but that makes discovering new esoteric software hard and your friends might be idiots. How do you know when an update is legit? Can you trust the original maintainers even? What if they try to sneakily remove limits on OP_RETURN or something?


Discussion

someone injected some malware into the AUR recently also.

just gotta be careful where it matters to you. idk about you but every time i sign up for some new website i brace myself for endless newsletter spam and the potential for yet another honeypot for hackers to sell on the dark web. it's a jungle out there. stay strapped or get clapped.

> it's a jungle out there. stay strapped or get clapped.

That's facts.

Email is rough man, I feel the same way. I use stalwart-mail with default spam filters, and it is, by far the best spam prevention email server I've ever used over proton, gmail, yahoo, etc. Even when you press "DONT SEND ME FUCKING EMAILS" they still send you emails twice a day. Like I wanted to support your product or use this thing, but I specifically declined your permission to molest my inbox.

That's a great discussion. I don't have the answer to that. I guess this is a "normies make up the majority" problem, right? I don't mind adding PGP keys and repositories to my machines; with Debian/Ubuntu machines you basically have to do that anyway if you want any software from the past year on your machine. I love dnf and RPM packages. Similar could be said for .deb as well, it's just not as appealing to me as RPM is.

I like obtaining packages from the maintainers directly, assuming they take it seriously. Ideally package maintainers sign their commits and distributions and we're good. That's what I do, and encourage. My projects require a build step 99% of the time (it's that mono-repo life) and I sign everything I can. I think my signing tool is broken though; I need to fix that and re-sign all my packages. That said, my build tool is FOSS and available, so my builds are repeatable if you use my build tool + git :)

I think a centralization/power/corruption problem appears once the app store gets too large. At that point, if we're going to have a dozen app stores "wanting to do it better", why not obtain software from the developer?

I think Android does this well: APKs are universal and signed. You can use Obtainium to install them with updates directly from the developer. I use Mozilla's beta release from their FTP (because that's all they offer from their FTP site) and Obtainium scrapes that for me.

In that specific case, I'm not sure it's the app store's responsibility to take a position on that anyway, right? I think the app store starts to have an obligation to its users, and it removes the communication channel with the developer as well. Point is, I'm not sure the app store has an obligation to protect users from "political" positions, simply obvious malware. Which is something too, but there is still a point to reviewing updates before installing them as well. Obtainium allows for viewing changelogs and release notes if using supported platforms like GitHub, or manually adding a regex HTML scraper.

The best thing an app store can do is stop a distribution if they find an issue. If you can't trust the package maintainers who can you trust to obtain _their_ software?
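The original note asks what a store "with all the hashes of the binaries your friends use" would look like and how you would know an update is legit when some of those friends might be wrong. The following is an added example, not code from anyone in this thread: it treats each friend's published hash manifest as one vote and only accepts an artifact whose hash reaches a configurable quorum, so a single mistaken or compromised friend cannot push a bad build. The package name, version strings, friend names and manifest layout are all constructed for illustration, and the code assumes each manifest was already authenticated (for example, checked against that friend's signing key, as the later reply about signed distributions describes) before being fed in.

```python
import hashlib
from collections import Counter
from typing import Dict, Optional, Tuple

# manifest layout (assumed): friend -> package -> version -> sha256 hex digest
Manifest = Dict[str, Dict[str, str]]


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of a release artifact."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample artifacts standing in for real downloaded binaries.
GOOD_RELEASE = b"example-tool 1.2.0: legitimate build output\n"
BAD_RELEASE = b"example-tool 1.2.0: build with a sneaky change\n"

# Constructed manifests, one per trusted friend. Assumption: each one was
# authenticated (signature checked, trusted channel, etc.) before use here.
FRIEND_MANIFESTS: Dict[str, Manifest] = {
    "alice": {"example-tool": {"1.2.0": sha256_hex(GOOD_RELEASE)}},
    "bob": {"example-tool": {"1.2.0": sha256_hex(GOOD_RELEASE)}},
    # Carol published the wrong hash, by mistake or because she was fooled.
    "carol": {"example-tool": {"1.2.0": sha256_hex(BAD_RELEASE)}},
}


def quorum_hash(manifests: Dict[str, Manifest], package: str,
                version: str, threshold: int) -> Optional[str]:
    """Return the hash at least `threshold` friends agree on, else None.

    A version nobody lists yields None (the discovery problem from the note);
    a split vote below the threshold also yields None rather than a guess.
    """
    votes: Counter = Counter()
    for manifest in manifests.values():
        digest = manifest.get(package, {}).get(version)
        if digest:
            votes[digest] += 1
    if not votes:
        return None
    digest, count = votes.most_common(1)[0]
    return digest if count >= threshold else None


def verify_artifact(data: bytes, manifests: Dict[str, Manifest], package: str,
                    version: str, threshold: int) -> Tuple[bool, str]:
    """Decide whether a downloaded artifact may be installed."""
    expected = quorum_hash(manifests, package, version, threshold)
    if expected is None:
        return False, "no quorum of trusted manifests for this version"
    actual = sha256_hex(data)
    if actual != expected:
        return False, f"hash mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "accepted"


def legit_updates(installed: Dict[str, str], manifests: Dict[str, Manifest],
                  threshold: int) -> Dict[str, str]:
    """List package -> newer version that already has quorum backing.

    This answers 'how do you know when an update is legit': an update is only
    surfaced once enough trusted friends vouch for the same hash of it.
    """
    candidates: Dict[str, str] = {}
    for manifest in manifests.values():
        for package, versions in manifest.items():
            for version in versions:
                if installed.get(package) == version:
                    continue
                if quorum_hash(manifests, package, version, threshold):
                    candidates[package] = version
    return candidates


if __name__ == "__main__":
    print(verify_artifact(GOOD_RELEASE, FRIEND_MANIFESTS, "example-tool", "1.2.0", 2))
    print(verify_artifact(BAD_RELEASE, FRIEND_MANIFESTS, "example-tool", "1.2.0", 2))
    print(legit_updates({"example-tool": "1.1.0"}, FRIEND_MANIFESTS, 2))
```

The threshold is the knob that encodes how much you trust your circle: with two of three friends agreeing, the legitimate build is accepted and Carol's divergent hash is outvoted; raising the threshold to three makes the same build fail because the manifests no longer agree unanimously, which is the conservative behaviour you want when a dissenting hash may signal a tampered mirror rather than a careless friend.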