Honestly, this is mind-blowing.
Dynamically checking the reputation of a signing npub before installing. Well done, nostr:nprofile1qqs8y6s7ycwvv36xwn5zsh3e2xemkyumaxnh85dv7jwus6xmscdpcygpz9mhxue69uhkummnw3ezumrpdejz76jympz !
Still not 100% sure what pokey does for me yet, but I know of people who have my back!
Pokey gives you notifications.
True if big
except I have never followed this signer
what is this affiliate scam nostr:npub1wf4pufsucer5va8g9p0rj5dnhvfeh6d8w0g6eayaep5dhps6rsgs43dgh9 ? shady af
👀
Data is coming from nostr:nprofile1qqstq4j6pk2sgaupru6l7ah9nq0dueafq356jllwcy7uzlek9yx7hlspz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsz9mhwden5te0wfjkccte9ec8y6tdv9kzumn9wshsz9mhwden5te0wfjkccte9ehx7um5wghxyctwvshs4kprv3 nostr:nprofile1qqs0dqlgwq6l0t20gnstnr8mm9fhu9j9t2fv6wxwl3xtx8dh24l4auspz4mhxue69uhkzat5dqhxummnw3erztnrdaksz9rhwden5te0dfjkcmreve5hx6pwd3skueqpzemhxue69uhk6mr9dd6juun9v9k8jtnvdakz7rvs0wk - is this not working correctly?
Could you please ask if it's a mistake before accusing me of affiliate scam?
nostr:npub1xtscya34g58tk0z605fvr788k263gsu6cy9x0mhnm87echrgufzsevkk5s damus iOS WOT shows you follow nostr:npub1v3tgrwwsv7c6xckyhm5dmluc05jxd4yeqhpxew87chn0kua0tjzqc6yvjh
🫢
It's a fake jb55. I thought the way it's supposed to work is to only show you mutual follows.
Oops nvm it's not fake
I checked it on https://npub.world seems legit
Hmmm that’s a bit of a slippery slop. The way it’s laid out makes it look like all those people have signed and approve the dev/signer. Rather than just follow them. I’d probably change the wording and layout a bit.
It says "follow", whats unclear?
Visually, I would separate it more. UI isn’t easy. I definitely thought it read as that dev was Also signed and approved by all those others. Bold and make the fonts different perhaps. So there is a clear delineation between. Signed and Followed.
(All said, genuinely)
Signed by: abc
————
Developer is also followed by these people you may also know: xyz
I get it, I will try to improve that in the next version
I think this is a great opportunity to debate how to interpret something that is actually signed ( followers, posts, applications, etc.).
For myself, I only interpreted as how the signer is ‘known’ in the community as indicated by who is following them. No endorsement. I recall when we had the spammers, the worst thing you could do is follow a spammer, because it gave them social validation. This is kinda the opposite thing because I am looking for how well the app signer is known.
What’s really cool here is that everything is a signed event. That cannot be denied or debated. What is really up for debate is how things should be presented and interpreted. We’ll figure this out eventually, but it’s way better than groveling for approval and rating from a random App Store technician or algorithm.
Trust decision is in the mind of the beholder. I can assume if it’s the zapstore it’s reputable, the followers just show how well known they are in the community. An extra signal, not an endorsement.
Maybe there is some tooltip thing that states “dyor” “maybe ask around before installing apps. These npubs might have info”
this is what graperank is for
careful..
u did
Prove it! Oh, wait….
nak req -k 3 -a 32e1827635450ebb3c5a7d12c1f8e7b2b514439ac10a67eef3d9fd9c5c68e245 relay.damus.io
And koalasat is right there
it seems to be saying I endorse this signer, which is misleading?
actually it does just say I follow them... ok i guess
Yeah, that is not correct, and should not be presented as such.
I would have expected there to be an app endorsement thing instead of relying on contact list
like I followed koalasat for other projects, but it looks like i'm endorsing pokey which is misleading
I'm trying to leverage follows because that's all we got in nostr.
That said I am open to suggestions for that UX, do you have any?
For the record, I did not like you calling this an affiliate scam nostr:nprofile1qqsr9cvzwc652r4m83d86ykplrnm9dg5gwdvzzn8ameanlvut35wy3gpzdmhxw309aex2mrp0yhx5c34x5hxxmmdqyxhwumn8ghj7mn0wvhxcmmvqyg8wumn8ghj7mn0wd68ytnvv9hxgpywa92
I am telling you my initial reaction, im sorry you don’t like it
if this was a signer app it would have even been more confusing, as it would say "jb55 follows this signer"
this is meant to solve "oh fuck there are 69 pokey, which one is thbereal one?" problem, not an app quality problem
yeah but the reality is that it doesn't say that for the app, it just says that for the signer… so if the app was originally from some obscure key, and some influencoor publishes another copy, it will tell the copy is the real one no? I guess we're not at that point and simple deductions like this works for 99.9% of the cases
yeah that's pretty bad. think I'm going to not publish to zapstore at this time until this is fixed.
but I guess anyone can publish damus android there without my permission and it would show that I endorse it just because I follow that key. pretty incredible.
I just need to piss franzap off so he publishes a malicious version of my app, it would look completely legit. Sounds like an entirely centralized infrastructure dependent on a single guy, who i already don’t trust from past interactions. Yeah i’m out
But if that is your concern, you are better off publishing it in the zapstore, such that the version signed by you or the damus pubkey is in there🤔
if this is possible, I don't see what's stopping it from being filled with malware and false WoT endorsements. if its franzap managing that personally I don't see how this is a good solution at all, since it would be very centralized. for instance if I pissed franzap off (likely already since I called it an affilliate scam), then I wouldn't be able to publish the app at all. maybe he would get a kick out of publishing a troll version signed by himself with tons of WoT endorsements since people follow him.
the system is just poorly designed and depends too much on him imo
There are two things here, how zapstore is build, and what all this WoT stuff does.
Now i have not looked into zapstore that much, but i think at this stage he is gatekeeping things and want to open things up eventually, we can all think of that what we will.
But your original complaint was irt to the WoT stuff, and there i think your reasoning is weird. The point is to give you context such that you can trust that you have the correct signer. I.e. that if an app release is signed by either you or the damus profile, it is actually you or the damus profile. Obviously if i see a version of damus signed by peepeeMCpoopoo, it does not matter who follows peepeeMCpoopoo, because it makes no sense to download his version to begin with.
That this system is not flawless is true by defintion, regardless of what improvements are made, the only alternative that would cover that flaws is a trusted gatekeeper (the play and appstore model), which has drawbacks of their own.
Anyway, don't conflate things
I don't see how this is any different from play or appstore model. you need approval from franzap to appear on the zapstore do you not?
That would the first matter i described, yes. It is currently some weird hybrid of the two models. Im sure Franzap has his reasons for doing that, currently, and i am not sure if i would agree. We can ask him, nostr:npub1wf4pufsucer5va8g9p0rj5dnhvfeh6d8w0g6eayaep5dhps6rsgs43dgh9 why not open things up and allow people to publish releases via Nostr/blossom directly?
Regardless, other than him directly censoring you, what would be the problem of you submitting Damus, signed by the damus nostr profile?
I don’t want to ask for permission from anyone. I’d rather just publish an apk on my site and tell people to use obtainium or something, at least for now until im on the play store. I don’t see what advantages zapstore has for sovereign publishing over an apk and your own server, as it seems strictly worse because it is permissioned.
What happened to permissionless tech?
That’s the eventual goal. We’re making the right steps. All I am looking for is to determine a trusted signer for an app. First, we need to step away from the permissions platform app stores, then provide a permissionless way to discover and host the apps.
Exactly, permissionless way = managing relays + blossom servers
I'm working on it while keeping a safe experience for everyone in the meantime.
you npub need to whitelisted
This "permissionless tech" will require *you* as a developer to go through KYC from 2026 onwards if you want users to sideload your APK on a normal Android phone.
Tech in general exists in a permissioned zone. I don't know what permissionless tech even means? Even Ham radios require a license, and they can triangulate an operator down if that operator doesn't have one.
It's like talking about permissionless passports or something similarly weird-sounding.
I prefer to say that tech exists and is successful as a result of (voluntary) convention. Governments (especially, the EU) are making the mistake of confusing this with (mandatory) compliance.
We are still in early days figuring out the conventions and not jumping headlong into permissioned compliance.
I think it's pretty up in the air. While you'd never know it from Nostr there is widespread support for some of this regulatory stuff. For the keeping children off certain sites thing, it's all well and good to say it should be up to parents, but a lot of parents are working all hours and struggling with just getting by, and getting a little sleep too, they'd welcome some help from regulators to keep their kids off certain social media and porn sites that are known to be bad for child health. It could be that most people want tighter controls, and that those who don't, while well intentioned, are in the minority.
Sometimes when people say "permissionless" they mean "OK to use until you're noticed by people who can and want to stop you", right?
Correct, as such radio is permissionless. For your radio to function, you don't need to first ask someone else to turn it on. It basically comes down the question of is there a gate you have to go through or not.
So a car is permissionless, eventhough you need a license. But if they install a breathalyzer into it and you have to pass that test before it even starts, it is not permissionless.
This is very important, because a lot of what is going on, is turning things permissioned. During COVID they imposed this QR-code permissioned society, putting up 'gates' everywhere in the physical world; and a bunch of these new internet laws do the same where you first need identify yourself before the gates to the web open.
Be very aware of people who propose permissioned systems, because they limit your liberty.
But what does that even mean? You use the ham radio without a license, but then you get triangulated, there's a knock on the door, and you're issued a fine. How is that permissionless?
You can just walk into a grocery store and take stuff, there's no gate. Doesn't mean shoplifting is a permissionless activity.
It's just delayed consequences for not having permission. And it's the existence of the consequences that determine whether something is permissioned or not, not the exact timing of those consequences.
Why is the difference between starting in a cage, and having to ask to be let out all the time; and being outside of a cage, and being put in only those instances of transgression; so hard for you to understand?
Sorry but shoplifting is not a permissionless activity and you won't convince me otherwise.
Are you OK with submitting it to F-Droid for packaging?
Excuse me, what?
The system is not poorly designed, you don't know what you are talking about.
Further, I would not ban you or publish a troll version of anything, why would you insinuate I'd do that?
Let's see if you talk to me this way when we meet in person again.
tried to bring this up early on.
nostr:npub1wf4pufsucer5va8g9p0rj5dnhvfeh6d8w0g6eayaep5dhps6rsgs43dgh9 cried and told nostr:npub1dergggklka99wwrs92yz8wdjs952h2ux2ha2ed598ngwu9w7a6fsh9xzpc i was abusing him. Then nostr:npub1dergggklka99wwrs92yz8wdjs952h2ux2ha2ed598ngwu9w7a6fsh9xzpc cried too. 🤷😂
this influencer would put his reputation on the line. If he/she misbehaves, that's on public display.
Zapstore for example publishes apps on behalf of others, and that's perfectly fine if you trust zapstore.
I think we are discovering new aspects of nostr. We may need to add some sort of endorsement tag - different than following. I’ve seen this idea of endorsement and attestation in digital trade documentation, but it has not crossed over into nostr yet. The closest thing so far is attestation by nostr:npub1cn670f663n3ks02jnnlsvd5y88zjnefy8343ykaxs7y3nzzketrsrjwt8a
Picked
Yes the closest we got are showing who picked an app in an app pack (basically public favorites) and rolling that out for everyone soon, maybe once with more data we can show that first
It doesn't show me who follows it, maybe because I follow it and I already had samiz, only those who have a picked one
there is a rating nip PR, and an multplie endorsement nip PRs. No one uses them, which means the dataset is so small to be impossible to use correctly.
This is not meant to show which apps are good, but which apps are clearly impersonating others
Anyway, I think this a great advance. For me, I’ve boiled it down to: ‘how well-known is the signer in my web of trust?’ - nothing to do with reputation or endorsement, it’s organic, but heckuva great signal for TOFU.
yes, totally.
Semi related, not precisely the usecase i had in mind anyway, but i do wonder what you think, atleast in principle. I can appreciate the practicality of the immediate and near future reality of things you are dealing with, so its not something i expect to be a thing tomorrow, just to be clear:
nostr:naddr1qq255ujwdapku7jwv9zj6m6v29fk24zvtf2x6qg0waehxw309ahx5atdwqhx6ef0qgs9afryspzmk8ljyfj4mhfkumwwmhzrtyxzvzgvfp477w80g5x6t0grqsqqqa287kxm7z
Thanks for sharing man. I'm on holiday atm so I'll read once I'm back.
It says you follow them, not endorse them.
I wish all TOFU situations on Nostr incorporate a similar pattern
Hi guys please check out my geyser 🙏🏻 it’s for my son, we have only 2 days to launch it🙏🏻
nostr:nevent1qqsgr39fkzkktj4kkyln64pdq3npnvsz0muznzpdlpqe084jcw3egesppemhxue69uh5qmn0wvhxcmmv4dewk3
Wozld be nice to see too, if someone reported the App. But this might be more important in the future when zapstore is more widely used!
