mook 2 days ago

Shouldn't the files be signed by Microsoft, with a timestamp signature? That should (barring somebody locating a relevant private key) still mark them as not having been modified.

Of course, how many people would know to check for the signature (especially in the case the site went malicious and therefore wouldn't tell you to do so) would be a different question…

kirb 21 hours ago

It’s hard to teach people it’s worth their time to double-check these things of course, but I try to show a chain of trust:

1. Files come from Wayback Machine, which is trusted to serve legitimate snapshots

2. There is a sha1 and size listed for most files (though these come from Wayback)

3. Checking signature is easy enough from Explorer

Perhaps a page on “how to know this is legit” is a good idea to help educate about this. The goal of the project is to have legitimate downloads with good SEO, without having to cut through ads/spam/sketchy redirects (still has a few ads but intentionally non-obtrusive), so people aren’t blindly downloading from sketchy sites.
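
The checks from steps 2 and 3 of the list above, scripted in PowerShell as an added example that is not part of the thread or the project. The function name, its parameters and the expected signer string `O=Microsoft Corporation` are assumptions; the SHA-1 and size are whatever the download page lists for the file.

```powershell
# Added example: compare a download against its listed size and SHA-1,
# then check the Authenticode signature and its timestamp countersignature.
function Test-DownloadIntegrity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha1,   # value listed for the file
        [Parameter(Mandatory)] [long]   $ExpectedSize,   # size in bytes listed for the file
        # Assumption: organization expected in the signer certificate subject.
        [string] $ExpectedSigner = 'O=Microsoft Corporation'
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sha1 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # SignerCertificate is $null for unsigned files.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # The listed hash and size come from the same source as the file, so they
    # catch truncation or a mismatched listing. The signature is the check
    # that does not depend on the download source.
    $sizeOk   = $file.Length -eq $ExpectedSize
    $sha1Ok   = $sha1 -eq $ExpectedSha1.Trim()            # -eq ignores case for strings
    $sigOk    = $sig.Status -eq 'Valid'                   # chain and file hash both verified
    $signerOk = [bool]($signer -like "*$ExpectedSigner*")

    [pscustomobject]@{
        File            = $file.Name
        SizeMatches     = $sizeOk
        Sha1Matches     = $sha1Ok
        SignatureStatus = $sig.Status                     # e.g. Valid, NotSigned, HashMismatch
        Signer          = $signer
        SignerMatches   = $signerOk
        # A timestamp countersignature keeps the signature verifiable after
        # the signing certificate itself has expired.
        Timestamped     = $null -ne $sig.TimeStamperCertificate
        Passed          = $sizeOk -and $sha1Ok -and $sigOk -and $signerOk
    }
}

# Usage (placeholder values, replace with the ones listed for the file):
# Test-DownloadIntegrity -Path .\download.exe -ExpectedSha1 '<listed-sha1>' -ExpectedSize 0
```

A `HashMismatch` status means the file was changed after signing, and `NotSigned` means there is no signature to check, so in both cases `Passed` is false even if the SHA-1 and size match the listing.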