My mind goes through various attack points, but to be a little more simple about the thought process, I see a way to do better, and I don't understand why doing less than the optimal as a matter of expectation would be a desirable project goal.
Discussion
What's the optimal? What expectations did you have that a PWA doesn't hit?
1. Locally hosted.
2. Sanctioned off from other shit.
It's like I said. A file that you download and load the file location of into a browser that isn't the same app you "watch free online" in.
It isn't that it's a PWA, it's that it's a PWA that took no effort to minimize its attack surface. If you're gonna put money in a web browser, the most heavily researched application in I.T. for exploits with a wild environment that just executes whatever the site you visit gives it, I would think it's because you have a very good excuse with very good risk minimization.
When I saw that this app was called "mutiny" I thought ah yes, the solution you go to when the app store has taken everything from you and the device you're on doesn't have "jailbreaking" instructions yet. What I was not thinking was that the app would commit a mutiny on your sats.
We live in a world of links that are 1 letter off, of people who think the internet is down when DNS gets shut off by a government or DDoSed or just has a bad day. It's a post "atomic wallet" world. A world where people have already lost money from malicious updates. A world where we gotta be talking about verifying applications before we run them, not for nerds who are extra, but as an expectation for grandmas. Nobody wants to make the UX to verify better, they just want to make things vulnerable and make "UX" an excuse for it.
Normalize basic security habits and quit normalizing the unsanitary computer practices.
There isn't even a damn version number on the thing Tony! If I'm trying to use this in a version controlled way as I described, how am I supposed to know what version I'm on?
Point me at a nostr client that supports keysend for zaps and I very much will. I'm only using SN to receive zaps for compatibility reasons. I got blixt wallet rearing to go. Got Phoenix too, but they aren't done with bolt 12. I've actually been actively complaining about this.
I also have a hash checker ready to go: https://github.com/hash-checker/hash-checker
So that I can verify what I'm downloading.
So if you had a release in your releases I could verify the hash.
Really Tony? We're really stuck on this f-droid thing right now? The point isn't that it came from f-droid Tony. It could be Opera or Chrome or Firefox or anything! The point is just that it's not the same browser as your daily driver.
And what do you mean "minimized web assembly code you can't read"? Why wouldn't I be able to read it? I don't know what the vendetta with f-droid here is, and I don't know what version of f-droid caused you such a vendetta, but I do actually get a link to the source code in my version.
I can take that I'm wrong to suggest a particular browser, it is no longer maintained after all.
Here's the reason it was abandoned:
https://github.com/tobykurien/WebApps/issues/253
"Unfortunately the bad news is that I will probably stop supporting this app this year, despite this app being a labour of love and one I'm proud of. The sandbox leaks mentioned in the README, combined with browser fingerprinting, supercookies, FLoC, and other hostile abuses of Web technology, have made me come to the conclusion that the Web is a lost cause for private browsing. Yes, WebApps offers only limited protection, and that protection will probably decrease every year."