This event has the wrong hash for this image. How does your client deal with that?
Discussion
nostr:npub12vkcxr0luzwp8e673v29eqjhrr7p9vqq8asav85swaepclllj09sylpugg
nostr:note1shl5xvh3q8yrt66qhyyxpddwwcj4l82pn3xz9y57rh2ty6m6vrms70t7nz
Why even load it?!?!
Or I mean, view it. You have to download it to verify the hash...
That is what I'm doing with gossip. It will show an error message in the place of where the image would have been, as well as a link so that you can view it in a browser if you want to. It won't show the altered image.
Yes, that's the correct behavoir! I run gossip on nixos. Had to create my own nix file for it, as the one in thr repo didn't wotk for me. Not an expert so I didn't send a patch...
Great app btw! Thanx!!!
Amethyst loads it but only if you click on it does it show the warning.
It should actually gray it out with bars or something.
Cryptospaces should act secure.
I found Amethyst's warning very subtle. I only realized after reading the comments that the warning existed.
Yeah, we were more upfront in the early days but users thought it was too annoying.
What I realized is Nostr seems fine with not verifying any attached content. Devs tends to be highly dismissive about it and leads to a userbase that is not used to verify attached content.
I for one am not dismissive. If I post an innocent frog meme and somebody at the website where it is stored at (not mine) changes it to a swastika, that reflects badly on me and most nostr users will have no idea that I didn't post a swastika... thinking about how events are digitally signed it sure seems like I did!
Previously some people argued for storing binary objects inside of events. I argued against due to performance reasons and CSAM legal reasons, not signature reasons. I like the imeta 'x' field a lot and I think all the clients should both produce imeta tags with 'x' and also verify them.
My head wasn't even in this space a few weeks back and gossip is playing "catch up" on this. It does neither thing currently (on master) but I just got it verifying on unstable, and soon I will work on adding the imeta tag for links when posting.
what if post a swastika and later claim it was originally a frog and you tell me due to your verification it is impossible
as Ron Paul said "the wall ( with Mexico ) can be used to keep us in"
Would be great if that behavoir could be an option.
The above post was a test to help me develop some new gossip code that will be on master within a week or two, which I just completed.
You also need to consider optimizations by media services
That is pretty common
If a media service optimizes an image and then provides the URL, we will download the optimized image and hash that and provide that in the imeta tag, along with 'ox' for the original data pre-optimized. The x tag should still verify. This is work I haven't done yet (most of this last week was refactoring, not actually adding this new code).
Some media services do optimizations differently based off of client also. And re-optimizing images.
My personal opinion is that we also need a hash that reflects the overall content of the image roughly, and a way to signal to image services “return original optimized version” in case of things like a zoomed up view or doubt about content integrity.
The problem is that the current state of Nostr media makes it impossible for services to optimize without making someone mad.
Clients should signal what they need (data saving preference, rough resolution, intent such as to view up close/save or just timeline) and servers should provide that. Servers should also be able to optimize however as long as the original can be requested
