[aviaryan]

Hi HN,

The founder of YourNote here. YourNote is a user-first note-taking app. By user-first, we mean that user's personal data (which are the notes) are guaranteed to be secure and private if you use YourNote. This is achieved by using Blockstack and Gaia for user authentication and user data storage. So, at any point in time, user and only the user has access to their notes. Even if their Gaia storage gets hijacked, their data is encrypted using the keys only the user holds so it's basically impossible to access a user's data for a third party. This establishes two things.

1. Data Security

2. Data Privacy

So with YourNote and Blockstack, we can be sure that we are good on those fronts. Another thing that makes YourNote interesting is that it uses open standard (markdown with frontmatter) for storing notes. So even if YourNote gets taken down, the user can still access their data using any text editor as the data is stored on their own storage. Also, if the user starts hating YourNote for some reason, they can export their data and either use a text editor for accessing them, or fork YourNote and make their own app. So basically, another thing that YourNote guarantees is -

3. Data Accessibility

I believe these three things are very important for a note-taking app which stores data that is more "personal" and "valuable" to the user than photos, media, and other data.

HN, I would love to know what you think about the idea and the product. I know that it's a long way to go before this can become something that people will readily jump ship on, but I hope it's a valid start.

[TekMol]

    at any point in time, user and only
    the user has access to their notes

I don't think that is true.

When I use your app, you can do anything you want to my data. You might promise me that the Javascript you delivered to my browser is treating my data in a certain way. Storing it in encrypted form or whatnot. But that is just a promise. Reality is: you can ship me code that does whatever you like.

[aviaryan]

That is true, and the only way to fix that is when users see the code and run it themselves (I plan to open source very soon). Apart from that, I don't think I can provide any other guarantees. No open source project can. If they are discovered doing something bad, they go rekt. That's how it usually is. So what's the point here? Should I not have a line like this in my copy?

Another thing that can be done is that I distribute my application in such a way that its code is directly linked to the open source GitHub repo. It can be done by having some script as the distributable that clones and runs the source code (it's a very bad way though). It would be interesting to know if any other open source project in the privacy space is already doing something extreme like that.

[dyarosla]

Word of advice: your usage of immature expressions very much lowers the professionalism of your product and how much I’d look to trust it. In the comments here, phrases such as ‘user starts hating YourNote for some reason’ and ‘they go rekt’ are two such examples.

[clarry]

Characterising the language you don't agree with as "immature" doesn't reflect well on you.

[dyarosla]

Please provide a more appropriate word to describe those phrases. They’re definitely unprofessional- but unprofessional doesn’t quite fit here. Also- nothing about disagreeing with here. There’s language that is appropriate in some contexts and that isn’t quite appropriate elsewhere. In essence, your comment is seemingly argumentative for the sake of it.

[canadianwriter]

"rekt" is immature and has nothing to do with agreement.

[aviaryan]

True. I will be careful. Thanks for pointing it out.

[jacobtwotwo]

It reads, to me, as more of an ESL adaptation.

[markovbot]

>Should I not have a line like this in my copy?

Of course not! Don't lie about who has access to your users data and what is possible to do with it. That's not fucking cool. It doesn't matter if there's no way to do it. You don't go making false claims.

[beatgammit]

Or more simply, just allow users to self host. Users can trust one version of the app, and then only update when they need a new feature, at which point they can choose to trust that version.

However, that already exists. I can use NextCloud in this manner and the have a note app.

[joekrill]

I've said this before, but that's just kicking the can down the street. At some point, unless you are inspecting every line of source code, every dependency, every dependency's dependency, and so on down the line until you get to the silicon, you HAVE TO put your trust somewhere.

[canadaduane]

The approach we're taking at Mainframe is to create a new "baby OS" that provides a sandbox for dApps to live in. This way, the OS acts as intermediary on permissions to access any resource that would contradict the user's will. For example, accessing a URL, signing data with a private key, or making a payment would all involve an OS-level permission. (For now, mainframeOS is part desktop app and part decentralized infrastructure. The user experience of the desktop app is similar to a browser, but cannot access DNS without explicit permission, and relies on decentralized infrastructure only, which provides privacy and security guarantees that today's browsers can't. Someday it will grow up into a real OS layer.)

[aviaryan]

True. In fact, if you can self-host things, you have already solved most of the data-related concerns.

But with YourNote, my other aim is to allow users to also move out of the app in case they don't feel like using it. That's why we have features like "Export Notes" that exports the data in clean, hierarchical `.md` files. This way they always have easy access to their data.

[TekMol]

It is true that this issue exists with every software.

I wanted to point it out anyhow because it often is overlooked.

Not sure about the line in your copy. Maybe it is possible to state more clearly what the actual privacy and security mechanisms.

[aviaryan]

You are right. It should be explained in detail somewhere as lots of people had questions regarding it on HN.

[jteppinette]

> user's personal data (which are the notes) are guaranteed to be secure and private if you use YourNote

This might be a stretch, since it is not true. You cannot make this guarantee. No one can make that guarantee today.

[aviaryan]

In a binary sense, you are right but I think everyone still uses them to sell their product. Maybe I can add a disclaimer listing the conditions in which this guarantee doesn't hold true.

[joekrill]

I mean, this is effectively called "life" (as it stands today). You have to trust people. You have to trust someone, at some point. That's why we have things like privacy policies and service agreements. There can ALWAYS be a malicious actor somewhere in the chain. Even if you were to hand write a clone of this app in assembly and compile it yourself: can you trust the compiler? Can you trust your CPU? Can you trust your monitor?

[Sujan]

What is Blockstack?

What is Gaia?

[aviaryan]

Blockstack is like a framework that allows people to create and access decentralized apps on top of it. It enables that by letting users created a decentralized ID that is stored on the blockchain (bitcoin) and giving users access to the apps based on that ID (like authentication).

Gaia is a storage system built by the Blockstack team. It is different from IPFS and others in the sense that it allows the user to choose where they store their data. This storage location is called Gaia hub. This approach gives users absolute control over their data which is unlike other distributed storage systems.

You can learn more about them here.

https://blockstack.org/what-is-blockstack/ https://github.com/blockstack/gaia

[JeffMerlet]

What happens if one day Blockstack and Gaia go definitely away?

[aviaryan]

Even if Blockstack goes away, you can still access your data (in encrypted form) as Gaia is nothing but a storage system that is a wrapper over existing storage providers (aws, google cloud, and more). Now, the question is how you will decrypt it. Blockstack stores auth information on the Bitcoin blockchain so I guess you will be able to access your Blockstack credentials as long as Bitcoin blockchain is accessible and you have access to your secrets. Also, Blockstack and Gaia are open-source so it's unlikely they disappear with no trace.

[canadaduane]

Neat! I agree, and although it may not be clear what all of this means to everyone, this is the beginning of how "blockchain" (I use the word loosely) is going to prove its value. At Mainframe, we're working on something similar, called "Noted", and we offer some of the same guarantees but take it one step further: we rely on no centralized infrastructure at all, not even DNS. Congrats on getting this released!

[aviaryan]

Thanks. I wonder how are you doing that? Is there any way I can learn more?

[canadaduane]

Sure! Check out https://github.com/MainframeHQ/js-mainframe. This is a browser-like desktop app that has ambitions to embed portions of itself at the OS layer some day (we call it "mainframeOS" right now, with that ambition in mind).

We'll be making our first public release at the beginning of February. It will combine decentralized file storage, messaging, identity, and contacts in an easy-to-use API for dapps that operate from within its framework.

I'd be very interested to hear your feedback. I'm @canadaduane on twitter and @duane@refactorcamp.org on mastodon.