A new npm / package registry signed with nostr keys
Inspired by nostr:nprofile1qy88wumn8ghj7mn0wvhxcmmv9uq3uamnwvaz7tmwdaehgu3dwp6kytnhv4kxcmmjv3jhytnwv46z7qpqaljazgxlpnpfp7n5sunlk3dvfp72456x6nezjw4sd850q879rxqsn5jz4f post on nostr:nprofile1qythwumn8ghj7ct5d3shxtnwdaehgu3wd3skuep0qyt8wumn8ghj7etyv4hzumn0wd68ytnvv9hxgtcqyzf8jfmtl7urem3nj3h9vnpkqz3jsspxn2pqd5qamaqvvset4g9ukgq8syn https://stacker.news/items/1223751
nostr:nprofile1qyt8wumn8ghj7cn9wehjumn0wd68yvfwvdhk6tcpremhxue69uhkummnw3ez6ur4vgh8wetvd3hhyer9wghxuet59uqzpkscaxrqqs8nhaynsahuz6c6jy4wtfhkl2x4zkwrmc4cyvaqmxz3023p0l nostr:nprofile1qyghwumn8ghj7mn0wd68ytnvv9hxgtcqypex583xrnryw3n5aq59uw23kwa38xlf5aeart85nhyx3kuxrgwpzjh056v nostr:nprofile1qy2hwumn8ghj7etyv4hzumn0wd68ytnvv9hxgqg7waehxw309anx2etywvhxummnw3ezucnpdejz7ur0wp6kcctjqqstwz8h8yh43pqxyykr3qh8kw7qmxcg6chet7shp5yezflvufmsuhs8c55a2 nostr:nprofile1qyv8wumn8ghj7urjv4kkjatd9ec8y6tdv9kzumn9wsq3yamnwvaz7tmsw4e8qmr9wpskwtn9wvqzpcs03gur430p2dnpq8qkprhy7vl63vkhjfgvav444z465su55mnujc3akf nostr:nprofile1qyx8wumn8ghj7cnjvghxjmcpz4mhxue69uhk2er9dchxummnw3ezumrpdejqqgzkxrzxv2rztc7kjat8y099xlequwj6qdfxvq2mq705qmfpmalyfchfx6e7 nostr:nprofile1qy2hwumn8ghj7etyv4hzumn0wd68ytnvv9hxgqgewaehxw309a5xyu3wvdhhyctrd3jjuum0vd5kzmp0qqsq2gwmj5csjm0lwqxu7sgtq8d502m9nr08uhhjck3t6ls3vqc4has0y9wx8 nostr:nprofile1qy2hwumn8ghj7etyv4hzumn0wd68ytnvv9hxgqgdwaehxw309ahx7uewd3hkcqpqxv8mzscll8vvy5rsdw7dcqtd2j268a6yupr6gzqh86f2ulhy9kkqnmgc6z nostr:nprofile1qytzqamnwvaz7tmjv4kxz7fwv3sk6atn9e5k7tcpr3mhxue69uhkummnw3ez6vfwde3x7tnpdenkzmnf9e3k7tcqypr90hlgjed73xq2jvrjhna4ukdx2yjyqmdslqvjzhh83wj8jd9numxx6g9 nostr:nprofile1qqsvrlrhw86l5sv06wkyjgs6rrcekskvk7nx8k50qn9m7mqgeqxjpvg8u2e5q
Then you add in the split payments with lightning/cashu, which nostr:nprofile1qytzqamnwvaz7tmjv4kxz7fwv3sk6atn9e5k7tcpr3mhxue69uhkummnw3ez6vfwde3x7tnpdenkzmnf9e3k7tcqypr90hlgjed73xq2jvrjhna4ukdx2yjyqmdslqvjzhh83wj8jd9numxx6g9 already has working (I think?)!
Replies (23)
nostr:nprofile1qyxhwumn8ghj7mn0wvhxcmmvqyg8wumn8ghj7mn0wd68ytnhd9hx2qpqu65jmzmvyppx779m4pgsenw88h63y2q55wavr42n4h46ceaf9vns0eac7g nostr:nprofile1qy2hwumn8ghj7etyv4hzumn0wd68ytnvv9hxgqgdwaehxw309ahx7uewd3hkcqpqqkfnmpuz692azr8c5phn0930x2v92xyqvwgr6ve8znaa3qd6c3hq8xwdq9 nostr:nprofile1qyxhwumn8ghj7e3h0ghxjme0qyd8wumn8ghj7urewfsk66ty9enxjct5dfskvtnrdakj7qpql2vyh47mk2p0qlsku7hg0vn29faehy9hy34ygaclpn66ukqp3afqta478g nostr:nprofile1q9z8wue69uhhjmrswp6xjdmy0p4kxut4vejng6ejwu68qcejwcenwamkvdu8xan9xa4x7mr6de5hzutrv3ukjan3wpckcefnd35kgtn0de5k7m30qythwumn8ghj7ct5d3shxtnwdaehgu3wd3skuep0qqsxu35yyt0mwjjh8pcz4zprhxegz69t4wr9t74vk6zne58wzh0wayc7u62gr nostr:nprofile1qyt8wumn8ghj7etyv4hzumn0wd68ytnvv9hxgtcpzemhxue69uhks6tnwshxummnw3ezumrpdejz7qpq2rv5lskctqxxs2c8rf2zlzc7xx3qpvzs3w4etgemauy9thegr43sugh36r nostr:nprofile1qyt8wumn8ghj76n4deuxjmn8waskueewdaexwtcpzfmhxue69uhk66tnwd4k27fwv9e8gtcqyrp4l7xrgpzf7rtg4udwcjzyhdz2ns9cc8w57n2wl0r9uysrng6g557x0wy
split payments also exist in lnbits iirc
👀
Check https://gitworkshop.dev/npub1ha6lk9d8gtpv42mazl9nahu7wupjmjf9y3y8tvj9gy9dc20etmts995yfr/nospm (not active I think, and it fails to load the assets of the repo) /cc nostr:npub1ha6lk9d8gtpv42mazl9nahu7wupjmjf9y3y8tvj9gy9dc20etmts995yfr
We can build something similar to the fair protocol
https://github.com/fairpm/fair-protocol/blob/main/docs/start-here.md
Cool idea. I'd also suggest not just signed by nostr keys (for verification), but distributed over nostr too (to reduce dependence on a central entity that could be taken down). I look forward to being able to complete the full software lifecycle over nostr: share code, build deps, distribute - then separately tools for communities to build via (chat apps, kanban boards, etc).
CC nostr:nprofile1qqsprwdgjszdhucrfelp3p46nhzvd5mk7gu6zxp8r0fwc4n63zv9pnspzemhxue69uhhwmm59ejx2un8d9nkjtnrdakj747zye6
👀
Signing with nostr keys vs gpg or whatever else wouldn't make much difference in case of compromise tho, unless you could really ensure that all package signing keys are using a hardware signer and that the key never left the signer (think hsm/hardware wallet), so that just a compromise of a dev's machine wouldn't be enough; you would also need physical access.
Or using a multisig approach with multiple parties needing to sign (and some of them not being known) could prevent some of it.
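As an added example of the k-of-n signing idea raised in the two comments above (this is not code from the thread or from any project mentioned in it): a registry verifier that accepts a release only when the pinned tarball hash matches and at least a threshold of distinct maintainer keys have signed the manifest, so a single compromised dev key cannot publish on its own. Nostr signs with BIP340 Schnorr over secp256k1, which Go's standard library does not provide, so ed25519 stands in for the signature scheme here; the Manifest, Attestation and Policy shapes, the package name and the tarball bytes are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is a constructed stand-in for a registry record. The tarball hash
// binds the maintainers' signatures to the exact bytes a consumer installs.
type Manifest struct {
	Name       string `json:"name"`
	Version    string `json:"version"`
	TarballSHA string `json:"tarball_sha256"`
}

// Attestation is a manifest plus signatures keyed by hex public key. Keying by
// pubkey means one key cannot be counted twice toward the threshold.
type Attestation struct {
	Manifest   Manifest
	Signatures map[string][]byte
}

// Policy is the (hypothetical) registry rule for one package: which maintainer
// keys may sign it and how many distinct ones must co-sign a release.
type Policy struct {
	Maintainers map[string]ed25519.PublicKey
	Threshold   int
}

// canonical serialises the manifest deterministically (struct field order is fixed).
func canonical(m Manifest) []byte {
	b, _ := json.Marshal(m)
	return b
}

func sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, canonical(m))
}

// Verify returns nil only if the fetched tarball hashes to the pinned digest
// and at least Threshold distinct, policy-listed maintainer keys signed it.
// Signatures from keys not in the policy are ignored rather than counted.
func Verify(p Policy, a Attestation, tarball []byte) error {
	sum := sha256.Sum256(tarball)
	if hex.EncodeToString(sum[:]) != a.Manifest.TarballSHA {
		return fmt.Errorf("tarball hash mismatch")
	}
	msg := canonical(a.Manifest)
	valid := 0
	for pubHex, sig := range a.Signatures {
		pub, ok := p.Maintainers[pubHex]
		if ok && ed25519.Verify(pub, msg, sig) {
			valid++
		}
	}
	if valid < p.Threshold {
		return fmt.Errorf("only %d of %d required maintainer signatures valid", valid, p.Threshold)
	}
	return nil
}

// Demo builds a 2-of-3 policy and checks three releases: one signed by a single
// key (as a compromised dev machine could produce), one properly co-signed, and
// one co-signed but served with a swapped tarball.
func Demo() (singleAccepted, thresholdAccepted, tamperedAccepted bool) {
	policy := Policy{Maintainers: map[string]ed25519.PublicKey{}, Threshold: 2}
	var privs []ed25519.PrivateKey
	for i := 0; i < 3; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		policy.Maintainers[hex.EncodeToString(pub)] = pub
		privs = append(privs, priv)
	}
	tarball := []byte("constructed tarball bytes for demo-lib 1.2.3")
	sum := sha256.Sum256(tarball)
	m := Manifest{Name: "demo-lib", Version: "1.2.3", TarballSHA: hex.EncodeToString(sum[:])}

	sigs := func(keys ...ed25519.PrivateKey) map[string][]byte {
		out := map[string][]byte{}
		for _, k := range keys {
			pub := k.Public().(ed25519.PublicKey)
			out[hex.EncodeToString(pub)] = sign(k, m)
		}
		return out
	}
	singleAccepted = Verify(policy, Attestation{m, sigs(privs[0])}, tarball) == nil
	thresholdAccepted = Verify(policy, Attestation{m, sigs(privs[0], privs[1])}, tarball) == nil
	tamperedAccepted = Verify(policy, Attestation{m, sigs(privs[0], privs[1])}, []byte("swapped tarball")) == nil
	return
}

func main() {
	one, two, tampered := Demo()
	fmt.Printf("single key accepted: %v, 2-of-3 accepted: %v, tampered accepted: %v\n", one, two, tampered)
}
```

The threshold lives in the registry's policy for the package rather than in the attestation, so an attacker holding one key cannot lower it by publishing a new manifest; with a hardware signer per maintainer, as the comment suggests, reaching the threshold would require compromising several physically separate devices.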
it's a cool idea, but way too early. if someone built this they would have like 3 users.
zapstore is better approach right now imo because it's more marketable.
nostr:nprofile1qqsdua0tr4axvfuq02xl7ranxl8u7xy706d032mz98mg3anywyxrq9qppemhxue69uhkummn9ekx7mp0qythwumn8ghj7ct5d3shxtnwdaehgu3wd3skuep0qy2hwumn8ghj7un9d3shjtnyv9kh2uewd9hj7zshfgy
True - that's a different problem, and multisig is a good starting point to solve that. But you can use nostr web of trust for reputation! I see it as nostr pgp with actual adoption.
Iono about that. Nostr users are disproportionately devs.
HOW MANY DEVS we got??? Tag here if you'd use a nostr npm alternative!!
Not gonna lie, this sounds dope
nostr:npub18lzls4f6h46n43revlzvg6x06z8geww7uudhncfdttdtypduqnfsagugm3 is right. nostr:npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6 is the CMO of marketing to devs.
I was already building this a year ago, but I was high when I did it, so it was not usable, so I never released it and kept it shoved in my todo list.
I will definitely use it. I want nostr + blossom alternatives to NPM, Docker container registry, apt repository and everything that requires me to pull some code or binary from a trusted source.
I was also thinking just yesterday about how library devs don't get the needed support and how zap splits can solve that
but identity is already attached to github accounts. if I'm using a library related to nostr, i already know the author just as much as I would if there is a signed event. the added benefit i could see is if people started auditing libraries they don't author and attest to this. but this is a really tough 2-sided market with. i can imagine software dependency insurance markets on lightning and nostr in the future ... but i think that's going to take a while.
would still be fun to build but nobody's going to use it for a while!
Better idea: make the nostr npm registry agent first
Agents can publish, audit, use, and pay for packages (probably using ecash)
This has legs - lmk if you build it!
nostr:nprofile1qyt8wumn8ghj7cn9wehjumn0wd68yvfwvdhk6tcpremhxue69uhkummnw3ez6ur4vgh8wetvd3hhyer9wghxuet59uqzpkscaxrqqs8nhaynsahuz6c6jy4wtfhkl2x4zkwrmc4cyvaqmxz3023p0l nostr:nprofile1qyxhwumn8ghj7mn0wvhxcmmvqy28wumn8ghj7un9d3shjtnyv9kh2uewd9hsqg9lc6hcy3xu9pv7lh7saqdx5705acu4h3u2eveq9dhjs7su5w38kvgy3cya nostr:nprofile1qyghwumn8ghj7mn0wd68ytnvv9hxgtcqypex583xrnryw3n5aq59uw23kwa38xlf5aeart85nhyx3kuxrgwpzjh056v nostr:nprofile1qyxhwumn8ghj7e3h0ghxjme0qyd8wumn8ghj7urewfsk66ty9enxjct5dfskvtnrdakj7qpql2vyh47mk2p0qlsku7hg0vn29faehy9hy34ygaclpn66ukqp3afqta478g nostr:nprofile1q9z8wue69uhhjmrswp6xjdmy0p4kxut4vejng6ejwu68qcejwcenwamkvdu8xan9xa4x7mr6de5hzutrv3ukjan3wpckcefnd35kgtn0de5k7m30qythwumn8ghj7ct5d3shxtnwdaehgu3wd3skuep0qqsxu35yyt0mwjjh8pcz4zprhxegz69t4wr9t74vk6zne58wzh0wayc7u62gr nostr:nprofile1qyvhwumn8ghj7urjv4kkjatd9ec8y6tdv9kzumn9wshszymhwden5te0wp6hyurvv4cxzeewv4ej7qpq6c0nh3dnadzqpm76uctf5hqhe2lny344zsmpm6feee9p5rdxaa9qe52zdt nostr:nprofile1qyxhwumn8ghj7mn0wvhxcmmvqyehwumn8ghj7mnhvvh8qunfd4skctnwv46z7ctewe4xcetfd3khsvrpdsmk5vnsw96rydr3v4jrz73hvyu8xqpqsg6plzptd64u62a878hep2kev88swjh3tw00gjsfl8f237lmu63q8dzj6n nostr:nprofile1qyfhwue69uhhyetvv9uju6nzx56jucm0d5qs6amnwvaz7tmwdaejumr0dsqzqvhpsfmr23gwhv795lgjc8uw0v44z3pe4sg2vlh08k0an3wx3cj96l2ln2 nostr:nprofile1qyt8wumn8ghj7etyv4hzumn0wd68ytnvv9hxgtcpzemhxue69uhks6tnwshxummnw3ezumrpdejz7qpq2rv5lskctqxxs2c8rf2zlzc7xx3qpvzs3w4etgemauy9thegr43sugh36r nostr:nprofile1qyt8wumn8ghj76n4deuxjmn8waskueewdaexwtcpzfmhxue69uhk66tnwd4k27fwv9e8gtcqyrp4l7xrgpzf7rtg4udwcjzyhdz2ns9cc8w57n2wl0r9uysrng6g557x0wy nostr:nprofile1qy88wumn8ghj7mn0wvhxcmmv9uq3uamnwvaz7tmwdaehgu3dwp6kytnhv4kxcmmjv3jhytnwv46z7qpqxdtducdnjerex88gkg2qk2atsdlqsyxqaag4h05jmcpyspqt30wsqcfvpv nostr:nprofile1qyv8wumn8ghj76twvfhhstnjv4kxz7tn9ekxzmny9uq35amnwvaz7tms09exzmtfvshxv6tpw34xze3wvdhk6tcqyqalp33lewf5vdq847t6te0wvnags0gs0mu72kz8938tn24wlfze6luf5tq 
nostr:nprofile1qy2hwumn8ghj7etyv4hzumn0wd68ytnvv9hxgqg7waehxw309anx2etywvhxummnw3ezucnpdejz7ur0wp6kcctjqqstwz8h8yh43pqxyykr3qh8kw7qmxcg6chet7shp5yezflvufmsuhs8c55a2 nostr:nprofile1qyv8wumn8ghj7urjv4kkjatd9ec8y6tdv9kzumn9wsq3yamnwvaz7tmsw4e8qmr9wpskwtn9wvqzpcs03gur430p2dnpq8qkprhy7vl63vkhjfgvav444z465su55mnujc3akf nostr:nprofile1qyx8wumn8ghj7cnjvghxjmcpz4mhxue69uhk2er9dchxummnw3ezumrpdejqqgzkxrzxv2rztc7kjat8y099xlequwj6qdfxvq2mq705qmfpmalyfchfx6e7 nostr:nprofile1qy2hwumn8ghj7etyv4hzumn0wd68ytnvv9hxgqgdwaehxw309ahx7uewd3hkcqpqxv8mzscll8vvy5rsdw7dcqtd2j268a6yupr6gzqh86f2ulhy9kkqnmgc6z nostr:nprofile1qy2hwumn8ghj7etyv4hzumn0wd68ytnvv9hxgqgewaehxw309a5xyu3wvdhhyctrd3jjuum0vd5kzmp0qqsq2gwmj5csjm0lwqxu7sgtq8d502m9nr08uhhjck3t6ls3vqc4has0y9wx8 nostr:nprofile1qytzqamnwvaz7tmjv4kxz7fwv3sk6atn9e5k7tcpr3mhxue69uhkummnw3ez6vfwde3x7tnpdenkzmnf9e3k7tcqypr90hlgjed73xq2jvrjhna4ukdx2yjyqmdslqvjzhh83wj8jd9numxx6g9 nostr:nprofile1qqsvrlrhw86l5sv06wkyjgs6rrcekskvk7nx8k50qn9m7mqgeqxjpvg8u2e5q nostr:nprofile1qyt8wumn8ghj7etyv4hzumn0wd68ytnvv9hxgtcpp4mhxue69uhkummn9ekx7mqqyp0antm0cenus8utymsj0dy9r3sn9d7zf98rxysan37rnsn3eqthsx2ul8r nostr:nprofile1qy2hwumn8ghj7etyv4hzumn0wd68ytnvv9hxgqgdwaehxw309ahx7uewd3hkcqpqqkfnmpuz692azr8c5phn0930x2v92xyqvwgr6ve8znaa3qd6c3hq8xwdq9 nostr:nprofile1qyxhwumn8ghj7mn0wvhxcmmvqyg8wumn8ghj7mn0wd68ytnvv9hxgqpqunmftuzmkpdjxyj4en8r63cm34uuvjn9hnxqz3nz6fls7l5jzzfq6xn4mu nostr:nprofile1qy2hwumn8ghj7ct4w35zumn0wd68yvfwvdhk6qg5waehxw309a4x2mrv09nxjumg9ekxzmnyqqs0dqlgwq6l0t20gnstnr8mm9fhu9j9t2fv6wxwl3xtx8dh24l4aus8y8n86 nostr:nprofile1qy88wumn8ghj7mn0wvhxcmmv9uq3uamnwvaz7tmwdaehgu3dwp6kytnhv4kxcmmjv3jhytnwv46z7qpqaljazgxlpnpfp7n5sunlk3dvfp72456x6nezjw4sd850q879rxqsn5jz4f
nostr:nevent1qvzqqqqqqypzq079lp2n40t48tz8je7yc35vl5yw3juaaecm08sj6kk6kgzmcpxnqyfhwumn8ghj7ur4wfcxcetsv9njuetn9uq32amnwvaz7tmjv4kxz7fwv3sk6atn9e5k7tcpzamhxue69uhhyetvv9ujumn0wd68ytnzv9hxgtcqyrf3f4llg0cyzdlghnq5zzzl94l9nj8wsclax4v7ee6k0ftc54yp7ces7dv
I know, but the reputation part doesn't solve the hacked part, hence my comment :)
As nostr:nprofile1qqsprwdgjszdhucrfelp3p46nhzvd5mk7gu6zxp8r0fwc4n63zv9pnspz3mhxue69uhhwmm59ehx7um5wghxuet59ucq863l mentioned, zapstore is a much better implementation of this because it's higher up in the food chain. Here you have layers, so maybe the author of the lib you are using has a high rep score with the author of the lib that his lib was using, but not with you. The problem is that a tiny lib is not a finalized product, so you can have multiple layers of reputation/trust in between; it's not very informative at that point.
Did someone jack the devs' keys? Or was it someone playing a long game (where reputation may help more)?
Do it for agents! That's where we have J curve potential. New app store is cool and I'm a huge fan of nostr:nprofile1qyghwumn8ghj7mn0wd68ytnvv9hxgtcqypex583xrnryw3n5aq59uw23kwa38xlf5aeart85nhyx3kuxrgwpzjh056v & nostr:nprofile1qy2hwumn8ghj7un9d3shjtnyv9kh2uewd9hj7qghwaehxw309aex2mrp0yhxummnw3ezucnpdejz7qpq0r8xl2njyepcw2zwv3a6dyufj4e4ajx86hz6v4ehu4gnpupxxp7s85uvay, but building for agents has way more mainstream potential imo.
I like the insurance market concept!
nostr reputation much better bc 1) it's interoperable - you can build (or lose) reputation across many apps and 2) it can work for agents (which is where the real potential is imo)
The initial step of this recent wave of npm hacks started with Qix being hacked, then another dev, so it was not a long-term infiltration like the xz utils attack last year https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
The agent marketplace is indeed interesting.
I don't see how it would fix the npm problem though, I second what aljaz and Justin said.