TheLastGimbus / GooglePhotosTakeoutHelper

Script that organizes the Google Takeout archive into one big chronological folder
https://aur.archlinux.org/packages/gpth-bin
Apache License 2.0

Feature: Security - Check for release authenticity and integrity #290

Closed jerry-khan closed 4 months ago

jerry-khan commented 4 months ago

I am somewhat uncomfortable running an executable on my computer without having a means to check that it was not corrupted during download (integrity) and that it was not tampered with by an attacker / that it corresponds to the original, correct software (authenticity). I am not sure this discomfort is relevant in the case of gpth, but it would be nice to have mechanisms to check it, like other pieces of software do, e.g. via checksums.

I am a Linux user, so I am fine if it works only for the Linux release ;).

I would pay for this feature.

Thanks in any case for your work and for keeping it free and open-source!

TheLastGimbus commented 4 months ago

> I would pay for this feature

In Poland we have a meme:

[image: the meme]

Which translates to "buddy, you bought me with this like a pack of jelly beans"

In all seriousness: about checksums - you know, I always wonder like "how does this make it more secure if the website-tamperer could also tamper with the checksum/gpg key listed on the website?" and "don't browsers/http already handle integrity?" But I guess if everyone does this then it's somewhat useful :shrug:

So - as I always tell people concerned about windoza defender (#288) - binaries are uploaded by the github actions bot, so I don't even have a way of uploading a virus if I wanted to - you can track the whole .yaml pipeline, the tool that it uses and the actions log :+1: the only one tampering could be microsoft, sneaking some tiny dipsy NSA_KEY ;)

Checksums - I coooould add them to release notes... but files are ~5mb so there's not a lot of room for download error - but if you really want to, they are available in AUR PKGBUILD files for each release: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=gpth-bin

And last: gpth is a single binary with 0 dependencies/weird build tools, so you can just pacman/whatever -S dart ; git clone ... ; dart run bin/gpth.dart

hope all of this satisfies your threat model 🔒🔒🔒 feel free to send whatever donate you feel like :)
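The maintainer points to the AUR PKGBUILD as the place where release checksums already live. The script below is an added example, not code from gpth or its AUR package: it pulls the `sha256sums=(...)` entries out of a PKGBUILD and checks a downloaded file against them, failing on a tampered or truncated copy. The PKGBUILD fragment and the "release" file it uses are constructed locally so it runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of gpth or its AUR package: check a downloaded
# release file against the sha256sums=(...) array of a PKGBUILD. The PKGBUILD
# text and the "binary" below are constructed so the script runs offline.
set -eu

# SHA-256 of a file as a lowercase hex string (coreutils or BSD/macOS tools).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print every 64-hex-digit entry of the sha256sums=( ... ) array (the
# arch-specific sha256sums_x86_64=( ... ) form too); 'SKIP' entries are dropped.
pkgbuild_sha256sums() {
    sed -n '/^sha256sums[_a-z0-9]*=(/,/)/p' "$1" | grep -oE '[0-9a-f]{64}'
}

# Exit status 0 if the file's hash is listed in the PKGBUILD, 1 otherwise.
verify_release() {
    pkgbuild=$1
    file=$2
    pkgbuild_sha256sums "$pkgbuild" | grep -qx "$(file_sha256 "$file")"
}

# Demo with constructed data: a fake release file and a PKGBUILD fragment
# listing its hash, then a tampered copy that must fail the check.
demo_dir=$(mktemp -d)
printf 'pretend this is the gpth-linux release\n' > "$demo_dir/gpth-linux"
printf "sha256sums=('%s'\n            'SKIP')\n" \
    "$(file_sha256 "$demo_dir/gpth-linux")" > "$demo_dir/PKGBUILD"
if verify_release "$demo_dir/PKGBUILD" "$demo_dir/gpth-linux"; then
    echo "genuine copy: checksum matches PKGBUILD"
fi
cp "$demo_dir/gpth-linux" "$demo_dir/gpth-linux.tampered"
printf 'extra bytes\n' >> "$demo_dir/gpth-linux.tampered"
if ! verify_release "$demo_dir/PKGBUILD" "$demo_dir/gpth-linux.tampered"; then
    echo "tampered copy: checksum NOT in PKGBUILD, do not run it"
fi
rm -rf "$demo_dir"
```

For a real download, fetch the PKGBUILD from the AUR link the maintainer gives and pass it together with the release file; the check only covers integrity against what the packager recorded, which is the same trust boundary the thread discusses.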