I came across this thread: Most wanted APP for the SAFE Network (wished-for apps) but I haven’t been able to find a comprehensive list of apps that people are actually working on. Individual projects are mentioned. It would be kinda cool if there was a list, since, by comparing it with the list linked to above, one might avoid duplicating the efforts of others.
Of course, such a thing might not be possible due to competitive secrecy.
[EDIT] There may well be a divergence between what people say they want, and what they end up using the most. For example, they might say they want apps to set the world free but what they spend most time on might be arcade games or World of Warcraft.
I hate to be a curmudgeon and negative thinker here but:
Apart from apps that are being worked on (the topic of the thread), a list of apps that are actually finished and available carries a hazard that needs to be addressed:
It would make sense to have a kind of “seal of safety” on apps that are being offered. That is, someone tests them to ensure that the binaries that are provided by the developer are not poisoned.
If there is a huge list of apps available, the implication is that they are approved by the list maintainer. But that’s a problem if anyone could put up some app that could contain a malicious payload, such as something “phoning home” secretly.
hmm - in theory the http://safeappstore.io/ might also be a good address for getting a list of the apps being developed / are finished / submit your app - but i don’t know how busy @whiteoutmashups is with programming the app-store itself … maybe he is not 100% up to date with the current status
There has been previous discussion on this forum of deterministic builds as a desired feature of SAFE core software.
Deterministic builds (or what the Debian developers call “reproducible builds”) is source code that produces the exact same binary files each time it is compiled. The binaries in common software can vary from one compilation to another due to such extraneous conditions as timestamps. I only know about it from my reading, but as I understand it, deterministic source code is accompanied with a description of the compiler and other conditions that a user would need to use in order to produce exactly the binary that is offered for download by the developer/publisher. In that way, the end user (who compiles his own files) can be confident that the downloadable binaries are indeed compiled from the source that is published. And since the source code of popular (and particularly: security-sensitive) software tends to get examined by various, independent people, then even users who never read source code can have a high(er) degree of confidence that it hasn’t been back-doored.
For that reason, projects such as Tor and Bitcoin have made their code deterministic/reproducible.
Safe network would need the same protection.
And, taking a cue from Debian ( ReproducibleBuilds - Debian Wiki ), which has tens of thousands of packages and a few more years catching up to do before they are 100% complete, it would make it easier in the long run to make sure that SAFE apps are deterministic/reproducible at the beginning when there are only a few of them.
Where are you getting this implication from? Anyone can submit an app to the site. And ultimately the site is meant to be decentralized. So where is this assumption that it’s somehow an approved list coming from?
This is what reputation systems are for. If you find a “bad app” you vote it down and if you find a “good app” you vote it up.
I think he’s suggesting that a type of “approved SAFE badge” Or something be created so there’s some kind of system that apps can use to show people they have met at least some sort of basic security testing.
Reading this I’m surprised you didn’t get around to this sooner. Your site’s the perfect visualization for the apps that were wanted. The one with the logos?
My point is approved by who? Approval implies an authority of somekind which is the antithesis of decentralization. Approved by Maidsafe? Approved by the community? Approved by @whiteoutmashups? Approved by whom? Whose approval are we seeking here? I’m very sorry but no this is a bad idea because the moment we get someone to do our research for us we slip back into the paradigm of centralization. Better to have good reviews and rating systems that people can choose from and make their own decisions with. I’d rather have excellent comments, reviews and stats than some badge of approval.
Security testing is fine but there should be multiple and competing testing agencies out there to test applications for their safety and security. That way if consumers lose faith in one for whatever reason they can opt for apps tested by another. Which in turn means that app developers must consider which, or multiple testing agencies they will get their application tested by.
The app’s functionality or appearance it won’t be the devs fault. The devs’ responsibilities are limited to their app and the curation of the community surrounding the app - the users of the app, not the subscribers to the repo.
So if it’s left up to the subscribers to the repo, who gets a say? Well, that’s the real question…isn’t it.
In FOSS, the coders code and the users use. That’s the closest ecosystem - currently active - to my approximation of a healthy ecosystem. They have only ever come up with either centralized, or individually-curated app-distribution methods. Remember, the Network is tasked with putting the data ownership back in the hands of the users.
Also, the Network is a pioneer in self-authentication. Is there some ways that these apps can self-authenticate without having to go through curations?
In [Tor’s] case, any individual can use our anonymity network to privately download our source code, verify it against public signed, audited, and mirrored git repositories, and reproduce our builds exactly, without being subject to such targeted attacks.
This also will eventually allow us to create a number of auxiliary authentication mechanisms for our packages, beyond just trusting a single offline build machine and a single cryptographic key’s integrity. Interesting examples include providing multiple independent cryptographic signatures for packages, listing the package hashes in the Tor consensus, and encoding the package hashes in the Bitcoin blockchain.
– mikeperry - Deterministic Builds - torproject.org
So we’ve come from curation to publicly signing source code. Aka apps can be classified as deterministic in any type of list that’s shown to the users. So now we’re down to PKI - public key infrastructure. Do you know the best way to get public key infrastructure working inside of the Network? Bonus points if you include the automation step.
I don’t see why his thread has degenerated into such complication, with nonsensical wrangling about “authorities” versus “decentralization.”
Deterministic builds: seems a straightforward idea to me. Handout public keys inside or outside the network, whatever. People are already doing these things.
I really liked the idea, but had some reservations (a while back) of who is to say the hash is the correct hash? What I mean is TOR was heading this road by making developers anonymous and a majority decided the correct hash. Then I wondered what if a large organisation/hacker with a backdoor code all said XX is the correct hash. So the problem moved away from the dev team (which is good) to a wider audience (which turns out maybe bad )
So there needs to be a way to answer this or get around the issue of such an attack. I do like the idea though, even with the unanswered problem I “think” there is.
OK, such a knowledge problem might not be computationally solvable in principle.
It doesn’t have to be.
One muddles through: Is there any doubt that Tor’s and Bitcoin’s relatively secure software distribution has made the job of global adversaries harder?
There are degrees of security, and maybe perfection isn’t possible.
The best objective metric might be how many unpopular people can use them with impunity. (Note 1.)
Restating my earlier point: A bazaar of “SAFE” apps put up willy-nilly is a disaster waiting to happen, since it makes the job of crooks and states (but I repeat myself) much easier.
Note 1: Some of those unpopular people, I would readily consign to a furnace, but I assert that one can learn valuable lessons from their being at large, since it might be, for mathematical reasons, the only objective measure we can ever have:
and more info on the same operation:
Only 72 charges were filed against the approximately 600 members of Dreamboard due to the extensive encryption involved.
Twenty of those charged, however, are only known by their Internet handles, and as such were each individually charged as John Does and remain at large.
)