What is the value added by this collaboration? Can we find synergies and increases the reuse factor to maximize our ROI? 😜

It’s kind of obvious 🫡

And make me feel less like I'm cheating on him. 😂

It would totally be worth while having a call to discuss our visions for #GitViaNostr.

I bet we would come up with new ideas and better approaches as our thoughts collide.

Currently, we have a gigantic external dependence in Ngit. Which is fine, so long as everything is fine.

But we have a strong incentive to duplicate or fork it, so that we can be maintainers. Otherwise, we get no credit for any improvements and if we need a bugfix and isn't available, we'll be forced to fork it and have our customers switch to our version in a rush. I've had that happen in a software project before and it's incredibly embarrassing to admit that you have no control over a core feature.

This is why everyone prefers to fork, rather than contribute. Contributing regularly to something you don't have your name on is cucky.

well said

Did you check out my concept? That outlines a few things. Eg submitting proposals via.`git push -u`

I agree but it is also sometimes useful to have a application signing key.

The common way of signing a release is to sign a checksum file which lists all of the related binaries hashes. That is essentially what the the nip51 event does although it doesn't include the actual hash, but rather the id of each event that contains the hash. This makes it harder to find release events that include a specific binary because there may be many nip94 events referencing the same file. We need to query for nip94 events for the hash first and then find releases that reference those. I suppose isn't too bad.

It makes more sense to me that trust attestations are made against a release event and not just each individual binary. What if the author accidentally included a binary from the previous release? the hashed file would still have trust attestations attached.

How would you highlight that a previously issued release package shouldn't be trusted as it contains incorrect version? With a replaceable event the author could quietly update it and the user wouldn't know that they didn't use the correct binary.

And by the way: we already have a way of including attribution. When I first floated this idea a few months ago I believe it was Pablo's recommendation to use the combination of `p` and `zap` tags to achieve it. NIP-57 appendix G goes over this mechanism.

I see the maintainer role as quite different to the contributor role. Maintainers decide which changes get applied to an application and make it into each release whereas contributors propose and / or code the changes. Often maintainers also review for quality but this is also sometimes left to contributors theough peer review.

The fabrication argument applies to the contributiom rather than maintainership.

In my above example the 3 maintainers could decide to create a key pair specifically for releases and share it amoung one another. It could issue the app profile event and each release. This seems to make the most sense if users are going to subscribe to a single app profile per application for releases.

What happens if one of the maintainers moves on? may be there is a falling out or they start working on the closed-source competitor. They will still know the signing key.

If however, app profiles supported maintainers each of them could create their own app profile from their existing pubkey, leveraging their own reputation, and include the others as maintainers. excluding the maintainers field, the app profile for this group would be the most recent one submitted by any of them. Any releases issued would be on behalf of the group. The membership of this group can evolve.

This is the best case I can make for adding a maintainers field.

I would prefer to follow an app profile published by a group of specific pubkeys with their own reputation who claim to maintain an app than a single pubkey who's ownership is opaque.