Thread

Signing with nostr keys vs GPG or whatever else wouldn't make much difference in case of compromise tho, unless you could really ensure that all package signing keys are using a hardware signer and that the key never left the signer (think HSM/hardware wallet), so that just a compromise of the dev's machine wouldn't be enough; you would also need physical access. Or using a multisig approach, with multiple parties needing to sign (and some of them not being known), could prevent some of it.
2025-09-18 05:28:38 from 1 relay(s)

Replies (2)

I know, but the reputation part doesn't solve the hacked part, hence my comment :) As nostr:nprofile1qqsprwdgjszdhucrfelp3p46nhzvd5mk7gu6zxp8r0fwc4n63zv9pnspz3mhxue69uhhwmm59ehx7um5wghxuet59ucq863l mentioned, zapstore is a much better implementation of this because it's higher up in the food chain. Here you have layers, so maybe the author of the lib you are using has a high rep score with the author of the lib that his lib was using, but not with you. The problem is that a tiny lib is not a finalized product, so you can have multiple layers of reputation/trust in between; it's not very informative at that point.
2025-09-18 18:46:54 from 1 relay(s)