Trusting code obtained from the internet

You might be surprised, even annoyed, that none of the contents of this site or Collapse OS' is served through HTTPS. Supporting plain old HTTP alongside HTTPS is one thing, but no SSL at all? That's weird.

I do that because I believe that HTTPS provides a false sense of security. Time and time again, certificate authorities commonly accepted around the world have proven to be corruptible.

I believe that by blindly accepting the comfort of SSL infrastructure, you play Russian roulette with the integrity of your machine. Since you're already playing this game, you might as well put a second bullet in that revolver, right? YOLO, use plain HTTP.

But let's say you're not a roulette player. How can you trust the code I'm offering you?

First, you have to trust me, and that's a big step. I've been around for some time. This code has been around for some time. If you haven't heard of backdoors in that code, that can be of comfort to you. But ultimately, the only way to be sure is to review the code yourself. Luckily, there's very little code in there, so it's rather easy to review. Once you've done an initial review, all you need to review during updates are the diffs, and that's much quicker.

Second, you have to trust the transport method. You can't. But it's your lucky day! It just so happens that I began signing my stuff with PGP on 2023-12-13. This is the key I use for signing:


Slow clap, and how are you supposed to know that this isn't the man-in-the-middle giving you a fake key? It's true that the only trust method I'm offering you here is "trust on first use": at first, you take a leap of faith, but afterwards, you're OK (or not OK... but you confidently stay in the same state of integrity).

Moreover, you actually have a few options to help you in your initial leap of faith.

First, try to hit this URL from somewhere else, the public library maybe? Or the Internet Archive? Are the contents the same?

Second, it just so happens that this isn't the first time I've used this key. This key is the one I generated when I became a Gentoo developer in 2018. I've kept it fairly safe from leaks since then. I've recently dug it back from backups and renewed it. You should be able to get it with --search-keys vdupras@gentoo.org.

Then what you can do is look at Gentoo's git log (you have to dig a bit; I was a Gentoo developer for only one year), find a commit by me and assess that it's signed using the same key. If you can do that, you can be pretty sure that this key you're seeing on this page doesn't come from a middleman. Example:

git verify-commit 29e210c6e660f2897a3d33654f465b566327db9f

How I sign

The Collapse OS and Dusk OS "files" directories each have a SHA512 file that lists the checksums of all the files in the folder. This file is accompanied by a SHA512.gpg signature file. You can verify the signature of the checksums and then verify the checksum of the files you download.
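As an added example (not the author's or either project's own tooling), here is how a downloader could check a "files" directory against that SHA512 listing and its SHA512.gpg signature. It assumes the listing uses sha512sum's "<digest>  <name>" line format and that you pin the key fingerprint you accepted on first use; both are assumptions, and the sample files in demo() are constructed.

```python
import hashlib, os, subprocess, tempfile
from pathlib import Path

def sha512_of_file(path):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sha512_listing(text):
    # sha512sum lines: "<128 hex>  <name>" ('*' = binary mode); any malformed or
    # directory-escaping entry rejects the whole listing, like the signature over it.
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        digest, _, name = line.partition(" ")
        name = name.lstrip(" ").lstrip("*")
        if (len(digest) != 128 or not all(c in "0123456789abcdef" for c in digest.lower())
                or not name or os.path.isabs(name) or ".." in name.split("/")):
            raise ValueError("rejecting listing line: %r" % line)
        entries[name] = digest.lower()
    return entries

def verify_files(listing_text, directory):
    # Maps each listed name to "ok", "bad" (digest differs) or "missing".
    status = {}
    for name, expected in parse_sha512_listing(listing_text).items():
        path = os.path.join(directory, name)
        status[name] = ("missing" if not os.path.isfile(path)
                        else "ok" if sha512_of_file(path) == expected else "bad")
    return status

def signature_is_from(sig_path, listing_path, expected_fpr):
    # `gpg --verify` accepts any key in your keyring, so also pin the fingerprint you
    # trusted on first use via VALIDSIG (field 3 = signing key, last = primary key).
    out = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, listing_path],
                         capture_output=True, text=True).stdout
    want = expected_fpr.replace(" ", "").upper()
    return any(f[:2] == ["[GNUPG:]", "VALIDSIG"] and want in (f[2].upper(), f[-1].upper())
               for f in map(str.split, out.splitlines()) if len(f) > 2)

def demo():
    # Constructed sample: one file tampered after listing, one listed but absent.
    d = Path(tempfile.mkdtemp())
    files = {"dusk.f": b"\\ Dusk OS hello\n", "boot.bin": bytes(range(256))}
    for name, data in files.items():
        (d / name).write_bytes(data)
    listing = "".join("%s  %s\n" % (sha512_of_file(d / n), n) for n in files)
    listing += "%s  extra.bin\n" % ("0" * 128)
    (d / "boot.bin").write_bytes(files["boot.bin"] + b"!")
    return verify_files(listing, d)
```

Run signature_is_from() on SHA512.gpg and SHA512 first; only if it returns True does the listing's content mean anything, and only then is verify_files() worth reading.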

For Dusk OS, I began signing my commits on 2023-12-13. It's possible that some commits are not signed here and there, but generally, they're going to be signed.