zap.store shouldn't be listed as a maintainer of a project because it doesn't make decisions about what code is or isn't included in a release. However, if it decided to take on a role like F-Droid, it could issue an app profile for some apps, review releases produced by the project to check for undeclared trackers and malicious code, build from source and issue their own releases for an app.

Curator sounds great! In reality, most applications aren't reproducible and we are trusting the issuer that they built from source and didn't introduce any vulnerabilities in the process. In fact, most applications aren't open source, so we are trusting the issuer even more.

Having trust attestations against app profiles and the pubkeys that issue them are the most important and useful sort. Curator is a really good choice of word to describe this.


Discussion

Totally. I am not persuaded about zap.store issuing app profiles. Let's say I want to recommend Mutiny Wallet and you follow Mutiny and zap.store... which one are you going to install? What happens when you have multiple curators vouching for Mutiny? To me, the signer is always the dev and then we can overlay trust attestations, badges, external service providers attestations – a DVM market/reputation will emerge for these kind of things

I'm not suggesting you should, as it would shift your focus from building zap.store into QAing apps. Using an F-Droid type issuer of releases would prevent the developers from issuing malicious binaries for non-reproducible builds but enable the issuer to do so. I don't think the incentives are there for anyone to take on that role.

The nature of the trust attestations and how they are interpreted is the tricky bit. Probably much easier to criticise than design.

We're definitely interested in being a curator and in fact we already are one (plan is with time to allow other relays and curators). We'll see how everything plays out, for sure there will be tons of developers that will not sign their apps and curators will have to in their place. I don't really like F-Droid's model for non-reproducible builds, I'd rather pull the dev build with their own certificate and stamp a nostr signature on it. Step by step 😄

For me it depends on the app. I don't love the centralisation and their sometimes obnoxious behaviour; but I prefer my chances of being rugged by F-Droid's build process than any one of 6 app developers' build processes.

sure, depends, for critical apps (ie money) I would only use apps sourced from devs (better if it has reproducible attestation)

It will be interesting to see how it all plays out.

I'd definitely value a dev attesting that they reviewed all the code added to Sparrow Wallet in a release and Craig Raw isn't obviously rugging everyone. I'd want to zap that.

Sure. But besides reproducible builds it's impossible to know if the build is not manipulating the source code. So you got to trust the dev and the build environment

That's where OS permissions and software like opensnitch etc can help too

I personally use nix, which allows me to easily build from source in a lot of cases.

But it doesn't matter if the builds are reproducible if the source code contains malicious code.

To complement your example, I have been enjoying Obtainium. Code directly from the developer. If I could, I would want an app store that I can manually enter developers' keys into or do an OpenSSH-style "do you want to save this key" on first download, then subsequent updates will validate signatures as they are released. If the developer changes their keys, it should be a manual process or lots of blinking red lights. I don't want to trust an app store, like the case for F-Droid. I understand why they do it, but I like the model of, hey, get this package from its owner.

It's not obvious, but this happens by default with APKs installed on Android. The app must be signed with a key and the key must match the already installed version.

Choosing the correct app when you first install it is the key.

Apps from Google Play are signed by Google though, not by the devs (anymore), and it's missing the UI part where it asks on override. I think that's what he wants.

Yes, but I'm speaking for a world outside of smart phones

For sure. That would be great.

you just described zap.store 😄

And yeah TOFU is the way. Android does it and we'll be bringing that to other OSes
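The trust-on-first-use flow discussed above (pin the developer's key on first install, verify every later release against the pinned key, and treat a key change as a hard stop that needs a manual re-pin) can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not zap.store's, Obtainium's or Android's code. It uses Ed25519 from the Go standard library, and the `Release` shape, the `TrustStore` type and the constructed sample artifacts are assumptions made for the example; real app releases carry more metadata and a certificate chain rather than a bare key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is a constructed stand-in for a signed app release: the key the
// developer claims to have signed with, the artifact digest, and a signature
// over that digest. (Assumption for this example, not a real release format.)
type Release struct {
	AppID     string
	Version   string
	PubKey    ed25519.PublicKey
	Digest    [32]byte // SHA-256 of the APK/binary
	Signature []byte   // Ed25519 signature over Digest
}

// Decision is what the installer tells the user after checking a release.
type Decision int

const (
	Installed         Decision = iota // first install: key pinned (TOFU)
	Updated                           // signature verified under the pinned key
	RejectedBadSig                    // signature does not verify
	RejectedKeyChange                 // signer differs from the pinned key: manual step required
)

// TrustStore pins one developer key per app ID, the way Android refuses an
// update whose signer does not match the installed package.
type TrustStore struct {
	pins map[string]ed25519.PublicKey
}

func NewTrustStore() *TrustStore {
	return &TrustStore{pins: map[string]ed25519.PublicKey{}}
}

// Install applies the TOFU rule. A release is never pinned unless its own
// signature verifies, and once a key is pinned only that key is accepted.
func (s *TrustStore) Install(r Release) Decision {
	pinned, ok := s.pins[r.AppID]
	if !ok {
		if !ed25519.Verify(r.PubKey, r.Digest[:], r.Signature) {
			return RejectedBadSig
		}
		s.pins[r.AppID] = r.PubKey // first use: remember this developer
		return Installed
	}
	if !pinned.Equal(r.PubKey) {
		return RejectedKeyChange // the "blinking red lights" case
	}
	if !ed25519.Verify(pinned, r.Digest[:], r.Signature) {
		return RejectedBadSig // tampered artifact or forged signature
	}
	return Updated
}

// Repin is the deliberate, manual action for a legitimate key rotation.
func (s *TrustStore) Repin(appID string, newKey ed25519.PublicKey) {
	s.pins[appID] = newKey
}

// Fingerprint gives the short hash a user would compare out of band.
func Fingerprint(k ed25519.PublicKey) string {
	sum := sha256.Sum256(k)
	return hex.EncodeToString(sum[:8])
}

// GenerateDevKey stands in for the developer's long-term signing key.
func GenerateDevKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// SignRelease is what the developer's release pipeline would do.
func SignRelease(priv ed25519.PrivateKey, appID, version string, artifact []byte) Release {
	digest := sha256.Sum256(artifact)
	return Release{
		AppID:     appID,
		Version:   version,
		PubKey:    priv.Public().(ed25519.PublicKey),
		Digest:    digest,
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

func main() {
	store := NewTrustStore()
	dev, impostor := GenerateDevKey(), GenerateDevKey()
	fmt.Println("v1 from dev:     ", store.Install(SignRelease(dev, "wallet", "1.0", []byte("apk v1"))))
	fmt.Println("v2 from dev:     ", store.Install(SignRelease(dev, "wallet", "2.0", []byte("apk v2"))))
	fmt.Println("v3 from impostor:", store.Install(SignRelease(impostor, "wallet", "3.0", []byte("apk v3"))))
	fmt.Println("pinned key:      ", Fingerprint(dev.Public().(ed25519.PublicKey)))
}
```

The important ordering is that a pinned app is checked against the pinned key, not against whatever key the new release advertises; otherwise an attacker who can replace the download simply ships a release self-signed under their own key. Key rotation is a separate, explicit `Repin` so it can be gated behind a user prompt or an out-of-band fingerprint check.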