Thread - Nostr Hypermedia

Your last sentence is important--what you're really asking (or assuming) is that we can "trust" the code more in signing extensions (and frankly that may not be the case). This is one of the weaknesses in the open source community. We all assume that because the code is available to all, it's "good". But what really happens (in more cases that we might want to admit) is the only "audit" the code receives is from the original developer--I'd even dare to say that most projects out on git hub probably receive very little (if any) code review prior to being released.

↑ Parent

Replies (2)

Keysa - Simplest Bitcoin Edu simplestbitcoinbook@nostrplebs.com 1 year ago

Yes, I guess I am hoping (!) that the code for a signing extension would be rigorously reviewed.. and even then, I am aware it could have a vulnerability (but any code could have that, so at some point we (esp us non-coders) have to *trust* the code 😅)

1 replies ↓

Judge Hardcase 1 year ago

Agreed. Unless you've diligently ensured your nsec has continuously remained isolated from the Internet (which might be nobody), it's prudent to operate as if your nsec has already been compromised.