You might be surprised, even annoyed, that none of the contents of this site or Collapse OS' is served through HTTPS. Supporting plain old HTTP alongside HTTPS is one thing, but no SSL at all? That's weird.
I do that because I believe that HTTPS provides a false sense of security. Time and time again, certificate authorities commonly accepted around the world have proven to be corruptible.
I believe that by blindly accepting the comfort of SSL infrastructure, you play Russian roulette with the integrity of your machine. Since you're already playing this game, you might as well put a second bullet in that revolver, right? YOLO, use plain HTTP.
But let's say you're not a roulette player. How can you trust the code I'm offering you?
First, you have to trust me and that's a big step. I've been around for some time. This code has been around for some time. If you haven't heard of backdoors in that code, that can be of comfort to you. But ultimately, the only way to be sure is to review the code yourself. Luckily, there's very little code in there, so it's rather easy to review. Once you've done an initial review, all you need to review during updates are the diffs and that's much quicker.
Second, you have to trust the transport method. You can't. But it's your lucky day! It just so happens that I began signing my stuff with PGP on 2023-12-13. This is the key I use for signing:
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
Slow clap. And how are you supposed to know that this isn't the man-in-the-middle giving you a fake key? It's true that the only trust method I'm offering you here is "trust on first use": at first, you take a leap of faith, but afterwards, you're ok (or not ok... but confidently stay in the same state of integrity).
Moreover, you actually have a few options to help you in your initial leap of faith.
First, try to hit this URL from somewhere else, the public library maybe? Or the Internet Archive? Are the contents the same?
Second, it just so happens that this isn't the first time I've used this key. This key is the one I generated when I became a Gentoo developer in 2018. I've kept it fairly safe from leaks since then. I've recently dug it out of backups and renewed it. You should be able to get it from
Then what you can do is look at Gentoo's git log (you have to dig a bit, I was a Gentoo developer only for one year) and find a commit by me and assess that it's signed using the same key. If you can do that, you can be pretty sure that this key you're seeing on this page doesn't come from a middleman. Example:
git verify-commit 29e210c6e660f2897a3d33654f465b566327db9f
The Collapse OS and Dusk OS "files" directories each contain a SHA512 file that lists the checksums of all the files in the folder. This file is accompanied by a SHA512.gpg signature file. You can verify the signature of the checksums and then verify the checksum of the files you
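The chain described above (trust on first use for the key, then the signed SHA512 list, then the files themselves) can be sketched as a shell script. This is an added example, not code from this site or from Collapse OS or Dusk OS. It assumes the key has already been imported with gpg --import, that SHA512 is in sha512sum format and SHA512.gpg is a detached signature over it; the pin file path and the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example (not the site's own tooling). PIN_FILE and all function
# names are assumptions; SHA512 is assumed to be in sha512sum format and
# SHA512.gpg a detached signature over it.
PIN_FILE="${PIN_FILE:-$HOME/.config/tofu-signer.fpr}"

# Read gpg --status-fd output on stdin and print the fingerprint of the key
# behind a valid signature: the primary-key field when present, otherwise
# the signing-key field. Fails if there is no VALIDSIG line.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print ($12 != "" ? $12 : $3); found = 1; exit
         }
         END { exit !found }'
}

# Trust on first use: pin the fingerprint the first time, then demand the
# same one on every later run.
tofu_check() {
    if [ ! -f "$PIN_FILE" ]; then
        mkdir -p "$(dirname "$PIN_FILE")"
        printf '%s\n' "$1" > "$PIN_FILE"
        echo "first use: pinned $1" >&2
        return 0
    fi
    [ "$(cat "$PIN_FILE")" = "$1" ]
}

# Check every file listed in DIR/SHA512. Files that are not listed are not
# covered by the signature and stay unverified.
check_sums() {
    (cd "$1" && sha512sum -c SHA512)
}

# Full chain for one downloaded directory: signature -> pinned key -> hashes.
verify_dir() {
    status=$(gpg --status-fd 1 --verify "$1/SHA512.gpg" "$1/SHA512" 2>/dev/null) \
        || { echo "bad or missing signature" >&2; return 1; }
    fpr=$(printf '%s\n' "$status" | signer_fpr) || return 1
    tofu_check "$fpr" || { echo "signer is not the pinned key" >&2; return 1; }
    check_sums "$1" || { echo "checksum mismatch" >&2; return 1; }
    echo "ok: $1 verified against $fpr"
}
```

Call it as verify_dir ./files after each download. Comparing the VALIDSIG fingerprint against the pin matters because gpg reports a good signature for any key in the keyring, not only the one you first trusted.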
For Dusk OS, I began signing my commits on 2023-12-13. It's possible that some commits are not signed here and there, but generally, they're going to be signed.