Honestly, this is mind-blowing. Dynamically checking the reputation of a signing npub before installing. Well done, @franzap ! Still not 100% sure what pokey does for me yet, but I know of people who have my back!

Replies (92)

. 3 months ago
👀
casey 3 months ago
Hmmm that’s a bit of a slippery slope. The way it’s laid out makes it look like all those people have signed and approve the dev/signer, rather than just follow them. I’d probably change the wording and layout a bit.
Trust decision is in the mind of the beholder. I can assume if it’s the zapstore it’s reputable, the followers just show how well known they are in the community. An extra signal, not an endorsement.
Maybe there is some tooltip thing that states “dyor” “maybe ask around before installing apps. These npubs might have info”
casey 3 months ago
Visually, I would separate it more. UI isn’t easy. I definitely thought it read as that dev was also signed and approved by all those others. Bold and make the fonts different perhaps, so there is a clear delineation between Signed and Followed. (All said, genuinely.) Signed by: abc ———— Developer is also followed by these people you may also know: xyz
I think this is a great opportunity to debate how to interpret something that is actually signed ( followers, posts, applications, etc.). For myself, I only interpreted as how the signer is ‘known’ in the community as indicated by who is following them. No endorsement. I recall when we had the spammers, the worst thing you could do is follow a spammer, because it gave them social validation. This is kinda the opposite thing because I am looking for how well the app signer is known. What’s really cool here is that everything is a signed event. That cannot be denied or debated. What is really up for debate is how things should be presented and interpreted. We’ll figure this out eventually, but it’s way better than groveling for approval and rating from a random App Store technician or algorithm.
I think we are discovering new aspects of nostr. We may need to add some sort of endorsement tag - different than following. I’ve seen this idea of endorsement and attestation in digital trade documentation, but it has not crossed over into nostr yet. The closest thing so far is attestation by @Nathan Day
I'm trying to leverage follows because that's all we got in nostr. That said I am open to suggestions for that UX, do you have any? For the record, I did not like you calling this an affiliate scam @jb55
Yes the closest we got are showing who picked an app in an app pack (basically public favorites) and rolling that out for everyone soon, maybe once with more data we can show that first
jb55 _@jb55.com 3 months ago
if this was a signer app it would have even been more confusing, as it would say "jb55 follows this signer"
It doesn't show me who follows it, maybe because I follow it and I already had samiz, only those who have a picked one
there is a rating nip PR, and multiple endorsement nip PRs. No one uses them, which means the dataset is so small it is impossible to use correctly. This is not meant to show which apps are good, but which apps are clearly impersonating others
jb55 _@jb55.com 3 months ago
not going to apologize, this is what I actually felt when I saw this. maybe he should take feedback from a sincere user reaction
Anyway, I think this a great advance. For me, I’ve boiled it down to: ‘how well-known is the signer in my web of trust?’ - nothing to do with reputation or endorsement, it’s organic, but heckuva great signal for TOFU.
yeah but the reality is that it doesn't say that for the app, it just says that for the signer… so if the app was originally from some obscure key, and some influencoor publishes another copy, it will tell the copy is the real one no? I guess we're not at that point and simple deductions like this work for 99.9% of the cases
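To make the two points above concrete (the "how well-known is the signer in my web of trust" signal, and the impersonation case where a copy signed by a well-followed key outranks the obscure original), here is an added example that is not part of the thread or of zapstore's code. The follow graph, app ids and signer names are constructed placeholders.

```python
# Constructed Nostr follow graph: each key maps to the keys in its kind-3 contact list.
# All names are placeholders, not real npubs.
FOLLOWS = {
    "me":          {"alice", "bob", "carol"},
    "alice":       {"influencer", "damus_dev"},
    "bob":         {"influencer"},
    "carol":       {"influencer", "dave"},
    "dave":        {"obscure_dev"},
    "influencer":  set(),
    "obscure_dev": set(),
}


def known_by(me, signer, follows):
    """People I follow who follow `signer`: the 'X follows this signer' card.

    This is a familiarity signal only; it says nothing about whether the
    signer is the legitimate author of a given app.
    """
    return sorted(p for p in follows.get(me, ()) if signer in follows.get(p, ()))


def rank_releases(me, releases, follows):
    """Order candidate releases of one app id by how well-known each signer is.

    `releases` is a list of (app_id, signer) pairs. A widely followed
    impersonator will sort above an obscure original author here, which is
    exactly the failure mode discussed above.
    """
    return sorted(releases, key=lambda r: len(known_by(me, r[1], follows)), reverse=True)


class SignerPin:
    """Trust-on-first-use: remember the first signer seen per app id.

    A later release of the same app id from a different signer is flagged
    instead of being silently accepted, however well-known that signer is.
    """

    def __init__(self):
        self.pins = {}

    def check(self, app_id, signer):
        pinned = self.pins.setdefault(app_id, signer)
        return pinned == signer
```

In the constructed graph the copy signed by "influencer" ranks above the original from "obscure_dev", while the pin flags the second signer as a change rather than an upgrade.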
jb55 _@jb55.com 3 months ago
but I guess anyone can publish damus android there without my permission and it would show that I endorse it just because I follow that key. pretty incredible.
jb55 _@jb55.com 3 months ago
I just need to piss franzap off so he publishes a malicious version of my app, it would look completely legit. Sounds like an entirely centralized infrastructure dependent on a single guy, who i already don’t trust from past interactions. Yeah i’m out
jb55 _@jb55.com 3 months ago
it's wild this passed any form of design review and this was never brought up. I'm glad i'm not the only one. i'm sure they will now say I'm overreacting.
casey 3 months ago
Yeah. It’s not great. Definitely need some clarifications on this card specifically.
Semi related, not precisely the use case I had in mind anyway, but I do wonder what you think, at least in principle. I can appreciate the practicality of the immediate and near future reality of things you are dealing with, so it's not something I expect to be a thing tomorrow, just to be clear:
jb55 _@jb55.com 3 months ago
if this is possible, I don't see what's stopping it from being filled with malware and false WoT endorsements. if it's franzap managing that personally I don't see how this is a good solution at all, since it would be very centralized. for instance if I pissed franzap off (likely already since I called it an affiliate scam), then I wouldn't be able to publish the app at all. maybe he would get a kick out of publishing a troll version signed by himself with tons of WoT endorsements since people follow him. the system is just poorly designed and depends too much on him imo
There are two things here, how zapstore is built, and what all this WoT stuff does. Now I have not looked into zapstore that much, but I think at this stage he is gatekeeping things and wants to open things up eventually; we can all think of that what we will. But your original complaint was in regard to the WoT stuff, and there I think your reasoning is weird. The point is to give you context such that you can trust that you have the correct signer. I.e. that if an app release is signed by either you or the damus profile, it is actually you or the damus profile. Obviously if I see a version of damus signed by peepeeMCpoopoo, it does not matter who follows peepeeMCpoopoo, because it makes no sense to download his version to begin with. That this system is not flawless is true by definition, regardless of what improvements are made; the only alternative that would cover those flaws is a trusted gatekeeper (the play and appstore model), which has drawbacks of its own. Anyway, don't conflate things
jb55 _@jb55.com 3 months ago
I don't see how this is any different from play or appstore model. you need approval from franzap to appear on the zapstore do you not?
That would be the first matter I described, yes. It is currently some weird hybrid of the two models. I'm sure Franzap has his reasons for doing that, currently, and I am not sure if I would agree. We can ask him, @franzap why not open things up and allow people to publish releases via Nostr/blossom directly? Regardless, other than him directly censoring you, what would be the problem of you submitting Damus, signed by the damus nostr profile?
jb55 _@jb55.com 3 months ago
I don’t want to ask for permission from anyone. I’d rather just publish an apk on my site and tell people to use obtainium or something, at least for now until I'm on the play store. I don’t see what advantages zapstore has for sovereign publishing over an apk and your own server, as it seems strictly worse because it is permissioned. What happened to permissionless tech?
That’s the eventual goal. We’re making the right steps. All I am looking for is to determine a trusted signer for an app. First, we need to step away from the permissions platform app stores, then provide a permissionless way to discover and host the apps.
this influencer would put his reputation on the line. If he/she misbehaves, that's on public display. Zapstore for example publishes apps on behalf of others, and that's perfectly fine if you trust zapstore.
Exactly, permissionless way = managing relays + blossom servers I'm working on it while keeping a safe experience for everyone in the meantime.
The system is not poorly designed, you don't know what you are talking about. Further, I would not ban you or publish a troll version of anything, why would you insinuate I'd do that? Let's see if you talk to me this way when we meet in person again.
I wish I had all this sorted out already, but I'm pouring my life into this stuff so appreciate your words Tim
pepi 3 months ago
I thought nostr builders would be nicer with other nostr builders… Especially when they are in fact building freedom tech…
Tech in general exists in a permissioned zone. I don't know what permissionless tech even means? Even Ham radios require a license, and they can triangulate an operator down if that operator doesn't have one. It's like talking about permissionless passports or something similarly weird-sounding.
I prefer to say that tech exists and is successful as a result of (voluntary) convention. Governments (especially, the EU) are making the mistake of confusing this with (mandatory) compliance. We are still in early days figuring out the conventions and not jumping headlong into permissioned compliance.
Sometimes when people say "permissionless" they mean "OK to use until you're noticed by people who can and want to stop you", right?
jb55 _@jb55.com 3 months ago
i think you missed the point. if I'm going permissioned I might as well focus on the big stores first.
I think it's pretty up in the air. While you'd never know it from Nostr there is widespread support for some of this regulatory stuff. For the keeping children off certain sites thing, it's all well and good to say it should be up to parents, but a lot of parents are working all hours and struggling with just getting by, and getting a little sleep too, they'd welcome some help from regulators to keep their kids off certain social media and porn sites that are known to be bad for child health. It could be that most people want tighter controls, and that those who don't, while well intentioned, are in the minority.
Correct, as such radio is permissionless. For your radio to function, you don't need to first ask someone else to turn it on. It basically comes down to the question of whether there is a gate you have to go through or not. So a car is permissionless, even though you need a license. But if they install a breathalyzer into it and you have to pass that test before it even starts, it is not permissionless. This is very important, because a lot of what is going on is turning things permissioned. During COVID they imposed this QR-code permissioned society, putting up 'gates' everywhere in the physical world; and a bunch of these new internet laws do the same, where you first need to identify yourself before the gates to the web open. Be very aware of people who propose permissioned systems, because they limit your liberty.
But what does that even mean? You use the ham radio without a license, but then you get triangulated, there's a knock on the door, and you're issued a fine. How is that permissionless? You can just walk into a grocery store and take stuff, there's no gate. Doesn't mean shoplifting is a permissionless activity. It's just delayed consequences for not having permission. And it's the existence of the consequences that determine whether something is permissioned or not, not the exact timing of those consequences.
Why is the difference between starting in a cage, and having to ask to be let out all the time; and being outside of a cage, and being put in only those instances of transgression; so hard for you to understand?
pepi 3 months ago
And zapstore works lol 😂
From anything related to your account. They are pull notifications. Amethyst might get rid of its own notification system and rely on Pokey, for instance. Then everything is more modular.
Would be nice to see too, if someone reported the app. But this might be more important in the future when zapstore is more widely used!