by edent 850 days ago
What I don't get about the Snap store is why there's no verified link back to a website?

If you have the technical ability to create an app, you probably have the ability to upload something to /.well-known/ or to add a DNS TXT record.

That way the Snap store could say "This app came from this website."

OK, it doesn't help if someone goes to the trouble of registering a homograph address, but it would at least give normal users a chance to check out who the author is.

That seems to be how Flathub works. It shows a verified domain, or prominently says that it is a community released app.

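Something like the check edent sketches, written out as an added example (this is not code from the post, the Snap store or Flathub). It accepts either proof, a DNS TXT record or a file under /.well-known/, and, because verification cannot rule out a lookalike registration, it also returns the punycode form of the domain and flags labels that mix scripts. The record format `store-verify=<publisher-id>`, the path `/.well-known/store-publisher`, its one-ID-per-line layout and the sample records are all assumptions constructed here; a real store would fetch them over DNS and HTTPS.

```python
"""Verified publisher domain for a store listing.

Added example, not code from the post, the Snap store or Flathub. The TXT
record format ("store-verify=<publisher-id>"), the well-known path and its
line-per-ID file format, and the sample records below are assumptions
constructed for this example; a real store would fetch them over DNS/HTTPS.
"""
import unicodedata

WELL_KNOWN_PATH = "/.well-known/store-publisher"  # assumed path
TXT_PREFIX = "store-verify="                       # assumed TXT record format


def to_ascii_domain(domain: str) -> tuple[str, bool]:
    """Return the domain in its IDNA (punycode) form plus a flag saying whether
    any label was non-ASCII. Showing the xn-- form next to a verified badge is
    the cheapest defence against a homograph registration, which the
    verification itself cannot rule out."""
    normalised = domain.strip().rstrip(".").lower()
    ascii_form = normalised.encode("idna").decode("ascii")
    is_idn = any(label.startswith("xn--") for label in ascii_form.split("."))
    return ascii_form, is_idn


def mixed_script_labels(domain: str) -> list[str]:
    """Heuristic: labels whose letters come from more than one script, judged
    by the first word of each letter's Unicode name (LATIN, CYRILLIC, ...).
    'еxample' with a Cyrillic е is flagged; 'münchen' is not."""
    flagged = []
    for label in domain.strip().rstrip(".").split("."):
        scripts = {unicodedata.name(ch, "?").split(" ")[0]
                   for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged


def publisher_ids_from_txt(records: list[str]) -> set[str]:
    """Extract publisher IDs from TXT records. Each record is the joined RDATA
    as a resolver returns it; surrounding quotes are tolerated."""
    ids = set()
    for rec in records:
        rec = rec.strip().strip('"')
        if rec.startswith(TXT_PREFIX):
            ids.add(rec[len(TXT_PREFIX):].strip())
    return ids


def publisher_ids_from_well_known(body: str) -> set[str]:
    """Parse the assumed well-known file: one publisher ID per line, blank
    lines and '#' comments ignored."""
    ids = set()
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def verify_publisher(domain: str, publisher_id: str,
                     txt_records: list[str], well_known_body: str) -> dict:
    """Either proof is enough for the badge; the IDN/mixed-script signals are
    returned so the UI can show the domain honestly rather than hide it."""
    ascii_domain, is_idn = to_ascii_domain(domain)
    dns_ok = publisher_id in publisher_ids_from_txt(txt_records)
    wk_ok = publisher_id in publisher_ids_from_well_known(well_known_body or "")
    return {
        "domain": ascii_domain,
        "idn": is_idn,
        "mixed_script": mixed_script_labels(domain),
        "dns_ok": dns_ok,
        "well_known_ok": wk_ok,
        "verified": dns_ok or wk_ok,
    }


# Constructed sample data (not real DNS answers or a real file).
SAMPLE_TXT = ['"v=spf1 -all"', '"store-verify=pub-7f3a"']
SAMPLE_WELL_KNOWN = "# publishers allowed to claim this domain\npub-7f3a\n"

if __name__ == "__main__":
    print(verify_publisher("example.com", "pub-7f3a", SAMPLE_TXT, ""))
    # Cyrillic е in the first label: verification can pass, display must not hide it.
    print(verify_publisher("\u0435xample.com", "pub-7f3a", [], SAMPLE_WELL_KNOWN))
```

The badge proves only that whoever controls the listed domain also claimed the publisher ID; it says nothing about whether that domain is the one the user should expect, which is why the punycode form and the mixed-script flag are returned alongside the result rather than swallowed.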

I suppose the problem is that Canonical wants to make the Snap store the default place for users to get GUI programs, so they've been willing to take the risk of letting random community members maintain Snaps of popular software so the store looks more active.

Back in the day, we had long internal conversations about doing verification 'properly' with government-issued IDs, third-party verification agencies and the like. But that never amounted to anything, sadly.

They might consider it further if the store got to a decent scale (like its contemporaries iOS, Play and Microsoft). But with "only" 6K applications published, and the money cannon being pointed in other directions, I can't see it happening any time soon.

This assumes the user would actually pay attention to that. (spoiler: they won't)

> OK, it doesn't help if someone goes to the trouble of registering a homograph address

It doesn't even have to be a homograph; it can just be something that has "exodus" in it (coming back to users not paying attention, this would work, and is also the reason phishing and other fake sites work). If "exodus-wallet.com" was verified then many people would still fall for it.

The entire thing would've been avoided if users paid attention and went to the official website instead of blindly trusting the Snap Store (and followed VERY common advice, such as don't enter your secret phrase or password anywhere).

How would someone know what the right URL to expect would be in this case? It's just moving the trust problem elsewhere.

DNS isn't quite as adversary resistant as the crypto space likes to have things.

I'm not sure what Bitcoiners' preference would be exactly, but I'm sure they've got something involving signed wallet hashes published on the chain.

The hard part, as with anywhere else, is getting users to check it.

It would never work because of adoption and whatnot, but using a crypto system like ENS and requiring users to go through a special browser might make that a bit more in-universe. Or maybe a toggle in the browser to turn on ENS and disable DNS.

The point being - you should know when you want to access certain services so you switch on this mode, not allowing normal DNS name jacking or the like.

Sorta like privacy mode but for dapps/"web3"

Just random musings

I imagine a launcher which hashes the binary before you run it and compares the hash to some kind of registry. Then it can tell you that 5 people you explicitly trust have encountered this hash, and 768 people that they trust have, and 5789 people that they trust...

If you're the first person to encounter the hash, or if the number of hops is very high before you encounter something besides 0 (eventually heading into sybil-territory) then you have cause for extra scrutiny.

Bonus points if the people who developed the app are participating, but still useful if they're not.
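The launcher lookup described in that comment, as an added example (not code from the comment or from any real launcher). It hashes the binary, walks the directed trust graph breadth-first from the user, and reports per hop how many people at that distance have encountered the hash; the verdict looks at the nearest attested hop rather than the total, since a Sybil operator can mint thousands of far-away identities but cannot make your direct contacts vouch for it. The trust graph, the sightings registry and the sample "binaries" are constructed for the example; a real launcher would pull sightings from a shared registry.

```python
"""Web-of-trust lookup for a binary's hash.

Added example; not code from the comment or from any launcher. The trust
graph, the registry of who has run which hash, and the sample bytes are
constructed here. A real launcher would query a shared registry.
"""
import hashlib


def digest_of(data: bytes) -> str:
    """Hash the binary before running it; the hex digest is the registry key."""
    return hashlib.sha256(data).hexdigest()


def hop_counts(me: str, trust: dict, seen_by: set, max_hops: int) -> list[int]:
    """Breadth-first walk over the directed trust graph from `me`.

    Returns, for hop distance 1..max_hops, how many of the people at exactly
    that distance are in `seen_by` (the set of people who have run the hash).
    The visited set makes cycles harmless and counts each person once, at
    their nearest distance; `me` is never counted."""
    visited = {me}
    frontier = [me]
    counts = []
    for _ in range(max_hops):
        next_frontier = []
        for person in frontier:
            for peer in trust.get(person, ()):
                if peer not in visited:
                    visited.add(peer)
                    next_frontier.append(peer)
        counts.append(sum(1 for p in next_frontier if p in seen_by))
        frontier = next_frontier
    return counts


def assess(counts: list[int], close_hops: int = 2) -> str:
    """Verdict from the per-hop counts. Nearest attested hop, not the total,
    decides: 5000 sightings at hop 3 and none closer is the Sybil shape."""
    if not any(counts):
        return "unknown: nobody in your trust graph has encountered this hash"
    nearest = next(i for i, c in enumerate(counts, start=1) if c)
    if nearest > close_hops:
        return f"weak: nearest attestation is {nearest} hops away"
    return f"ok: {counts[nearest - 1]} people at {nearest} hop(s) have run it"


def check_binary(me: str, trust: dict, registry: dict, data: bytes,
                 max_hops: int = 3) -> tuple[list[int], str]:
    """Hash, look up, walk, judge. Returns (per-hop counts, verdict)."""
    seen_by = registry.get(digest_of(data), set())
    counts = hop_counts(me, trust, seen_by, max_hops)
    return counts, assess(counts)


# Constructed trust graph: who each person explicitly trusts (directed edges).
# frank and gina point back into the graph to show cycles are handled.
TRUST = {
    "me": {"alice", "bob"},
    "alice": {"carol", "dave"},
    "bob": {"erin"},
    "carol": {"frank"},
    "dave": set(),
    "erin": {"gina"},
    "frank": {"alice"},
    "gina": {"me"},
}

# Constructed sample "binaries" (not real files).
GOOD = b"\x7fELF constructed sample, widely run"
UNKNOWN = b"\x7fELF constructed sample, never seen"
FAR = b"\x7fELF constructed sample, seen only far away"

# Constructed registry: hash -> people who have run it.
REGISTRY = {
    digest_of(GOOD): {"alice", "carol", "erin", "frank"},
    digest_of(FAR): {"gina"},
}

if __name__ == "__main__":
    for name, data in (("good", GOOD), ("unknown", UNKNOWN), ("far", FAR)):
        counts, verdict = check_binary("me", TRUST, REGISTRY, data)
        print(f"{name:8s} per-hop {counts}  ->  {verdict}")
```

A sighting only records that someone ran the hash, not that it turned out to be safe, so the verdict is a prompt for scrutiny rather than a safety claim; developers publishing their own release hashes into the same registry would turn the first hop into an actual attestation.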

Off topic, but I wish /.well-known/ was used more often.

Right now, the only real usage for APIs is in OAuth2.

There are dozens of tiny use cases where we could use a standard URI for ease of use in corporate environments…

.well-known/documentation - redirects to the docs

.well-known/health - health check

.well-known/specification - API contracts

Etc…

I'm a fan of the existing `/.well-known/change-password` standard!

> Right now, the only real usage for APIs is in OAuth2.

... as well as the ACME HTTP-01 challenge as used by Let's Encrypt etc.

This is true, and there are some other usages, but it's still not widely used and in my opinion it should be.