Tarballs can indeed be fine, most folx not raised by wolves will checksum em at bare minimum, and are likely already capable of simple build for their os.
That's hard to say. I've worked with some real noobs over the years. Tarballs can still feel very foreign, and checksums aren't even included for many public projects. That said, many very big projects ship setup scripts, with direct bash invoke syntax so you can assume they don't expect their audience to verify their work.
Compare any of that to the Windows user and my customers get uncomfortable with a .zip archive. They expect to run signed exes or msi installers. At a minimum you can still ship a self-contained zip file and it can just work without any extra tools or scripts.
checksums are overrated. they're usually supplied next to the same bytes that they're protecting, so anything that can modify one can modify the other.
gpg signatures, checksums published on nostr – those are okay
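The distinction drawn in the last reply, as an added example that is not part of the thread: a sidecar checksum served by the same host as the tarball verifies whatever that host serves, while a digest obtained through a separate channel does not. The file name, the release bytes and the `mirror` helper are constructed for illustration, and `pinned` stands in for a digest published somewhere the download host cannot modify.

```python
import hashlib
import hmac
from typing import Optional, Tuple

NAME = "tool-1.0.tar.gz"                      # constructed file name
RELEASE = b"constructed release bytes"        # constructed stand-in for the real tarball

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_sidecar(text: str, filename: str) -> Optional[str]:
    """Return the digest listed for filename in sha256sum-style text, or None."""
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=1)
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return parts[0].lower()
    return None

def check(artifact: bytes, expected_hex: Optional[str]) -> bool:
    """Constant-time comparison of the artifact's digest with the expected one."""
    if expected_hex is None:
        return False                          # a missing checksum is a failure, not a pass
    return hmac.compare_digest(sha256_hex(artifact), expected_hex)

def mirror(artifact: bytes) -> dict:
    """Hypothetical download host: the sidecar is generated from whatever it serves."""
    return {"artifact": artifact, "sidecar": f"{sha256_hex(artifact)}  {NAME}\n"}

def verify(download: dict, pinned_digest: str) -> Tuple[bool, bool]:
    """Return (sidecar_ok, pinned_ok) for one download."""
    sidecar_ok = check(download["artifact"], parse_sidecar(download["sidecar"], NAME))
    pinned_ok = check(download["artifact"], pinned_digest)
    return sidecar_ok, pinned_ok

# Assumption: this digest reached the user out of band, not from the mirror.
pinned = sha256_hex(RELEASE)

honest = mirror(RELEASE)
tampered = mirror(RELEASE + b" plus modified bytes")   # host changed both files together

if __name__ == "__main__":
    print("honest  :", verify(honest, pinned))
    print("tampered:", verify(tampered, pinned))
```

The sidecar check only catches transfer corruption; the pinned comparison is the one that fails when the host's copy has changed.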