PencilNavigator
commented
1 year ago Hello! This is a great idea and we are currently discussing about it. Thanks!
Closed mazerty closed 1 year ago
PencilNavigator
commented
1 year ago Hello! This is a great idea and we are currently discussing about it. Thanks!
Vinfall
commented
1 year ago Besides checksum, it would even better if you could provide OpenPGP signature for the ISO along with a signing key. You can find the information on Arch Wiki, Kali and Tails.
Use GnuPG to sign the file w/o encryption would suffice. And the sig/ascii-armored file should only be tiny like 1KB. You can just upload signing key to a key server and put the signature on download page and the increased bandwidth consumption is acceptable.
PencilNavigator
commented
1 year ago SHA-256 will be added to the download page with the new 22H2 update. Closing it as solved.
mazerty
commented
1 year ago well this is disappointing for me, linux user now you don't offer direct download anymore, and the building tool only works on windows :(
(if you wanted to cut the costs on hosting and bandwith, bittorrent would have been a better alternative, a lot of linux distributions use that)
anyway, i hope this new system will suit the majority of your user base :)
PencilNavigator
commented
1 year ago @mazerty its not for cutting costs. we do this for legal reasons. Re-distributing a modified windows iso is against Microsoft's TOS, and can get our repo taken down. by using this new method, not only we can debug more easily, we can also push hot fix that users can just apply with a button on the AME Wizard.
mazerty
commented
1 year ago oh ok i didn't know sorry ! yeah that makes sense...
maybe you can put a notice on the website explaining the change ?
do you intend to have a linux build for the ame wizard ?
Prerequisites
Is your feature request related to a problem? Please describe.
The SHA-256 sum of the downloads are missing on the download page.
You obviously care of the privacy aspect of Atlas, but since you're hosting the downloads on a third-party service (MediaFire), you cannot guarantee that the ISO has not been tempered.
Describe the solution you would like.
Can you please show the SHA-256 sum on the download page so that users (like me) who wants to be sure of what they downloaded can double-check ?
Describe alternatives you have considered.
Unfortunately, there's no fix around that since it has to be you who provide the SHA-256 sum :)
Additional context.
Downloading a full OS online and running it on a machine is a sensitive matter. For Linux distributions for example, users are expected to double-check the integrity of the download by computing the SHA-256 sum of the downloaded file and compare it to the one that is visible on the website.