thunderbird / thunderbird-website

Build code for the websites on thunderbird.net and start.thunderbird.net
https://www.thunderbird.net

Encourage users to only download from official sources, and optionally verify downloads #490

Open kaie opened 1 year ago

kaie commented 1 year ago

Somewhere in the download section, it would be good to explain to users how they can verify their downloads, in a discoverable way.

We should discuss what we should explain, which verification strategies we want to explain.

The intention is:

(1) create some general awareness that verifying downloads is a good idea (the fact that such a verification offering can be found on the download page could be seen as a way to make users aware, and allow them to learn more, if they want to)

(2) Allow users a simple verification that could be done without downloading additional software. For example, if users find the SHA256 checksum on the download page, there could be a quick information how to use tools already available on the OS to verify (e.g. sha256sum on Linux and MacOS, and on Windows something like certutil -hashfile SHA256)

(3) Potentially have a link that explains the more advanced checking. Which is, use GnuPG, and offer a link to the signature file.
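The quick check described in point (2), as an added example that is not part of this issue or of the thunderbird-website project. It picks whichever SHA256 tool the OS ships (note that stock macOS has `shasum -a 256` rather than `sha256sum`; `openssl dgst` is a further fallback) and compares the result against the digest a user would copy from the download page. The file name and digest are constructed for the demo; the expected value is the known SHA256 of the text "hello\n", standing in for a published checksum.

```shell
#!/bin/sh
# Added example (not Thunderbird project code): verify a downloaded file
# against a published SHA256 digest using tools already on the OS.

# Print the SHA256 hex digest of a file with whatever tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then        # stock macOS
    shasum -a 256 "$1" | awk '{print $1}'
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  else
    echo "no SHA256 tool found" >&2
    return 2
  fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the digest matches, 1 on mismatch, 2 if no tool is available.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case input
  actual=$(sha256_of "$file") || return 2
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches $expected"
    return 0
  fi
  echo "MISMATCH: $file"
  echo "  expected $expected"
  echo "  actual   $actual"
  return 1
}

# Demo on a constructed download: a temp file containing "hello\n".
# The digest below is the known SHA256 of that content (assumed here to be
# the value copied from the download page).
demo() {
  tmp=$(mktemp)
  printf 'hello\n' > "$tmp"
  if verify_sha256 "$tmp" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then
    rc=0
  else
    rc=$?
  fi
  rm -f "$tmp"
  return $rc
}
```

A checksum fetched over HTTPS from the official download page detects corrupted or mirror-tampered files, but it is only as trustworthy as the page it was copied from; the GnuPG route in point (3) (import the release signing key from a trusted source, then `gpg --verify <file>.asc <file>`) additionally ties the file to the publisher's key.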

kaie commented 1 year ago

cc @Sancus @hellsworth @KillYourFM

rtanglao commented 1 year ago

kaie commented 1 year ago

SUMO could be the place where the detailed explanations live.

==Download page==

MelissaAutumn commented 1 year ago

Some thoughts:

I don't believe we have a sha256 hash (or any hash) in product details which is a pre-req if we want it to appear on the site. https://github.com/mozilla-releng/product-details/tree/production

I could definitely see this being useful though. Some examples of how other sites handle this:

Ubuntu provides a pop-over card that displays instructions to verify the download:

(Screenshot: a thank-you page with a pop-over card displaying how to verify your Ubuntu Server ISO)

openSUSE uses a dropdown with a link to the sha256 signature:

(Screenshot: a download button with a small arrow to the right, displaying a list which reads: metalink, pick mirror, and checksum)

KDE Neon just has a link below the download button for the pgp signature:

(Screenshot: below a download button appear the words "PGP signature for verification")