It's not, you can rotate your nsec in Nostr, start fresh. Imagine having to load all your DMs from 50 years of DMs just to use Nostr? It doesn't make sense. A full reset every once in a while is healthy for you and the protocol.
Replies (11)
Nostr DMs aren't useful because they don't work dependably.
Spending years to build an audience and business, only to have it stolen because your client is insecure, is a massive demotivator. I'll need to reassess whether Amethyst or Nostr is worth my time.
DMs have been quite useful for the last 2 years or so to me. It works quite well everywhere these days. And now with MLS, it gets even better.
Use Amber if you are concerned with security. Never put your keys on any client, regardless of how well the dev is trying to make you feel good about it. We are all using way too many dependencies to be able to review security in apps. That's why signers are better: they are tiny. It's easy to review.
There is no dev on Nostr right now that is specialized in security. Nobody has ever paid for it. So, keep that in mind as well.
Nobody paid Satoshi either, yet it's one of the pillars of that software.
Satoshi's code barely worked. It took years from other people to actually make it work and make it secure. And all of those were paid to do so.
There needs to be some sort of sane way to expire a Nostr key that lets you keep your follower graph. I don’t care about the posts, but I would like to be able to gracefully expire my key after rotating it in a way that is not dependent on an external domain name. Some way for me to sign a statement that says “I’m over at this npub now” and have everyone following me follow it seamlessly.
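The "sign a statement that says I'm over at this npub now" idea in the reply above, as an added example that is not part of this thread and not any existing Nostr specification: a Python sketch of the follower side of such a migration, where the property that matters is that a follow only moves when the statement is signed by the old key the follower already trusts. Assumptions: the kind number and the `moved-to` tag name are placeholders; keys are derived from fixed strings for determinism; the event id follows the NIP-01 serialization; BIP340 Schnorr is implemented inline in pure Python so the block runs without third-party libraries.

```python
import hashlib
import json

# secp256k1 parameters (same constants as the BIP340 reference implementation)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

MIGRATION_KIND = 40123   # placeholder kind number, not a registered Nostr kind
MOVED_TAG = "moved-to"   # placeholder tag name, not from any NIP


def tagged_hash(tag: str, data: bytes) -> bytes:
    h = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(h + h + data).digest()


def point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and a[1] != b[1]:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def point_mul(pt, k: int):
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x: int):
    """Recover the point with even y from an x-only public key (BIP340)."""
    if x >= P:
        return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)
    if pow(y, 2, P) != y_sq:
        return None
    return (x, y if y % 2 == 0 else P - y)


def pubkey_from_seckey(sk: int) -> bytes:
    return point_mul(G, sk)[0].to_bytes(32, "big")


def schnorr_sign(msg: bytes, sk: int, aux: bytes) -> bytes:
    pt = point_mul(G, sk)
    d = sk if pt[1] % 2 == 0 else N - sk
    pk = pt[0].to_bytes(32, "big")
    t = (d ^ int.from_bytes(tagged_hash("BIP0340/aux", aux), "big")).to_bytes(32, "big")
    k0 = int.from_bytes(tagged_hash("BIP0340/nonce", t + pk + msg), "big") % N
    R = point_mul(G, k0)
    k = k0 if R[1] % 2 == 0 else N - k0
    r = R[0].to_bytes(32, "big")
    e = int.from_bytes(tagged_hash("BIP0340/challenge", r + pk + msg), "big") % N
    return r + ((k + e * d) % N).to_bytes(32, "big")


def schnorr_verify(msg: bytes, pk: bytes, sig: bytes) -> bool:
    pub = lift_x(int.from_bytes(pk, "big"))
    r = int.from_bytes(sig[:32], "big")
    s = int.from_bytes(sig[32:], "big")
    if pub is None or len(sig) != 64 or r >= P or s >= N:
        return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig[:32] + pk + msg), "big") % N
    R = point_add(point_mul(G, s), point_mul(pub, N - e))
    return R is not None and R[1] % 2 == 0 and R[0] == r


def event_id(pubkey_hex, created_at, kind, tags, content) -> bytes:
    # NIP-01 id: sha256 over the compact JSON array [0, pubkey, created_at, kind, tags, content]
    ser = json.dumps([0, pubkey_hex, created_at, kind, tags, content],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode()).digest()


def make_migration_event(old_sk: int, new_pubkey_hex: str, created_at: int, aux: bytes) -> dict:
    """The old key signs the statement 'I'm over at this npub now'."""
    old_pk = pubkey_from_seckey(old_sk).hex()
    tags = [[MOVED_TAG, new_pubkey_hex]]
    content = "I'm over at this npub now"
    eid = event_id(old_pk, created_at, MIGRATION_KIND, tags, content)
    return {"id": eid.hex(), "pubkey": old_pk, "created_at": created_at, "kind": MIGRATION_KIND,
            "tags": tags, "content": content, "sig": schnorr_sign(eid, old_sk, aux).hex()}


def apply_migration(follows: set, ev: dict) -> bool:
    """Follower side: replace the old pubkey only if the statement is signed by that old key."""
    if ev.get("kind") != MIGRATION_KIND or ev.get("pubkey") not in follows:
        return False
    eid = event_id(ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"])
    if eid.hex() != ev["id"]:
        return False  # body does not match the id: tampered or mis-attributed
    if not schnorr_verify(eid, bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["sig"])):
        return False  # not signed by the key the follower actually follows
    new_pk = next((t[1] for t in ev["tags"] if t and t[0] == MOVED_TAG), None)
    if new_pk is None or len(new_pk) != 64 or new_pk == ev["pubkey"]:
        return False
    follows.discard(ev["pubkey"])
    follows.add(new_pk)
    return True


def constructed_seckey(label: str) -> int:
    # Deterministic keys for the demo only (constructed); real keys come from a CSPRNG.
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % (N - 1) + 1
```

The check that does the work is the signature verification against the pubkey already in the follow list: a statement signed by any other key, even one that names the old npub as its `pubkey`, never moves a follow. What the sketch does not solve is the case the thread is worried about, a stolen old key, since whoever holds it can sign the same statement; any real design would need a pre-committed successor key or a revocation path on top of this.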
So, you're working on Amethyst for free?
No, but none of my sponsors or donors are specifically asking for security upgrades. Same for all the other clients. We do it because we care, but that doesn't mean it's any good.
Also, security is much more expensive than what anyone is getting paid to do as a Nostr dev.
That's because they are paying you to know better than they do.
No, they know I constantly tell people to go to Amber. None of this is new.
You're changing topics to sidestep the issue.
Since you're being paid to know best how to develop Amethyst, but your rationale is that no one is being paid to increase Amethyst security, is the lack of security really a lack of funding, or a lack of prioritization?
It's lack of knowledge. We just don't have anyone in Nostr that is a true security dev. But again, our solution is to use signers... ALWAYS. That minimizes your exposure. I don't know if clients will ever get to the security model that a signer can get.