by blub 3626 days ago
Gimp and Inkscape are the only free or open source graphics tools that have something resembling a secure download process.

Krita serves their website over https and the download over http from some mirror. Can't find any trace of a hash on their site either.

5 comments

Why don't you use your distribution's packages manager to install it?
A relative was using MS Paint to draw some simple floor plan diagrams and asked whether there's any better tool available.

Gimp is actually overfeatured for what they need, but that was the only thing I found which I could install with a good enough certainty that I won't infect their computer with malware.

Gimp is actually not that good for drawing. I guess that if simplicity is needed, Paint.NET (www.getpaint.net) is a good option.

EDIT: I mean drawing geometrical stuff. Of course it's good for general drawing.

I strongly advise against Paint.NET. Besides the lack of download security they have huge "download" ads leading who knows where on the front page and a tiny download link.

They are knowingly using this dark pattern to make ad money which is too bad, because as you say the app is really good.

You could install it with Ninite?
Krita is not malware...
Inkscape?
I ended up installing that too, but to be honest it's much too complicated and not exactly a good fit for floor plans.

I just remembered that there's also Dia (diagram editor), I might give that one a try.

I'm afraid I don't see that Gimp is any more suitable. Far less, actually.
FWIW, files.kde.org does support HTTPS as well.
And if you press the details link you get all the info you could want:

    Filename: Krita-3.0-Alpha-master-e5109c2-x86_64.AppImage
    Size: 85M (88670208 bytes)
    Last modified: Mon, 11 Apr 2016 07:27:01 GMT (Unix time: 1460359621)
    SHA-256 Hash: 5d6574f750a188f67548d965ce6a8abd4d33479bc64f88130e545250e179a0e1
    SHA-1 Hash: bf969c7ce56aac754eb84a2123caa9cbf4174884
    MD5 Hash: ee0b82e82a98086dccad7f1344888a1c
The hashes only seem to be visible over http (no details link over https).
files.kde.org is also accessible over HTTPS (but use a package manager if possible).
I would say you're overly paranoid, but I do fear one day clicking on the wrong site.

That being said, we have to trust something.

When I need to install something on Windows (be it drivers or apps), I keep marvelling: the process has remained identically crude for two decades, all the way since Win95: download some executable from any old website, no verification possible (yeah, there's a MD5 hash - on that same website), and hope it won't screw up the system (or at least not too much; btw there's no clean way to uninstall). Repeat step for step for every package, manually clicking through ten steps in the executable (where the only one that actually matters is the license - when was the last time you wanted to install somewhere else than C:\Program Files?).

Don't even think about "give me this, this, this, and this; check that it is the right version from a trusted source; make it so!" (PortableApps can do that, so it's demonstrably possible, even on Windows)

Progress? We don't need no steenking progress! Package managers are for lusers who prefer clicky GUIs over Glorious Hard Work and spelunking in the dark corners of the net! (How that ever got pushed as user-friendly?)

What you're describing is either:

1. Chocolatey (https://chocolatey.org/), which most people don't know about, or

2. The Windows Store, which I hope never catches on.

You need Chocolatey in your life: https://chocolatey.org

It's great if you're forced to use Windows as your development machine.

And soon Chocolatey will be seamlessly integrated with Windows 10 Package Management tools.
How is installing on linux any different when your One True Package Manager does not provide what you need? Usually it is "here use this third-party repository which is just some guy providing executables" or "build from source".

What's worse is when your One True Package Manager creates a broken package because the packager has no clue what they are doing. Debian and SSH ring any bells? Would using an exe provided by the developers have that problem?

Ah, the "but Linux sucks too" tactic! Of course it does, so does everything. In the past 10 years, I had to build from source about 50 times, and had 2 broken packages - while installing thousands (plus dependencies, not counting that). Not perfect - but way better than hunting for each and every single one.
Well Windows 10 finally includes all the tools for package management out of the box. Now they just have to convince people to use them.
AFAIK not for Win32 apps.
Out of the box PackageManager should support anything that can be packaged as an .msi file and it lets you write plug-ins to handle just about any other type of method for packaging and distributing apps.

At the moment it's however largely a case of Microsoft quietly developing a quite powerful tool and then going out of their way to not tell anybody about it. Microsoft has also not shown any interest in developing and supporting their own general software repo (I guess they don't want to compete with their app store). So we've basically got to wait for third party developers to fill the gap. Fortunately the people behind Chocolatey are working on this and have said they'll have something ready by Summer 2016.

Wonderful!
I am not paranoid, the distribution security of most software projects is weak. It is feeble.
While you're right, Krita publishes checksums for their downloads:

https://krita.org/en/item/krita-3-0-released/

Thanks, but I don't understand why they would put them in the release announcement instead of the download page. Everyone wanting to download this software will head straight to the download link and won't have time to hunt for blog posts.

Also sha1 should be avoided nowadays, but at least it's not md5...

Well, the reason is that I went crazy from people mailing me "what are those numbers? what should I do with them? They are scary!!!" We had to make the download page as simple as possible -- and I still get mails from people who cannot figure out how to download Krita. Several, per week.
If you're the site maintainer please consider adding a link to the KDE https downloads or a link to the checksums somewhere on the download page, in the source code tab or even at the bottom.
Good enough for verifying integrity in transit ("the line didn't mangle any bits"). Without a side channel, that's all the hashes are good for (if someone can get a rogue version on a site, they can also change the hashes displayed on the same site).
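An added example, not part of the thread or of any KDE or Krita tooling: a small Python checker that parses the files.kde.org "details" text quoted earlier in the thread, compares the byte count and the SHA-256 line (ignoring SHA-1 and MD5), and records that hashes fetched over plain http only prove integrity in transit, as the comment above points out. The files.kde.org URLs are used only for their scheme; the payload and its details text are constructed here.

```python
import hashlib
import re
from urllib.parse import urlsplit

_LINE = re.compile(r"^\s*(?P<key>[^:]+):\s*(?P<val>.+?)\s*$")

def parse_details(text):
    """Turn the 'Key: value' lines of a details page into a dict."""
    fields = {}
    for line in text.splitlines():
        if m := _LINE.match(line):
            fields[m.group("key")] = m.group("val")
    return fields

def expected_size(fields):
    """'85M (88670208 bytes)' -> 88670208, or None when no byte count is given."""
    m = re.search(r"\((\d+) bytes\)", fields.get("Size", ""))
    return int(m.group(1)) if m else None

def verify_download(data, details_text, details_url):
    """Return (ok, notes). ok needs the byte count and SHA-256 to match;
    SHA-1/MD5 lines are ignored. A details page fetched over plain http only
    proves integrity in transit: whoever swapped the file could swap its hashes."""
    fields = parse_details(details_text)
    problems = []
    size = expected_size(fields)
    if size is not None and size != len(data):
        problems.append(f"size mismatch: published {size}, got {len(data)} bytes")
    published = fields.get("SHA-256 Hash", "").lower()
    if not published:
        problems.append("no SHA-256 published; refusing to rely on SHA-1 or MD5")
    elif hashlib.sha256(data).hexdigest() != published:
        problems.append("SHA-256 mismatch")
    notes = list(problems)
    if urlsplit(details_url).scheme != "https":
        notes.append("hashes fetched over http: integrity in transit only, not authenticity")
    return not problems, notes

def demo():
    # Constructed stand-in payload; its details text is built the way a server would publish it.
    payload = b"constructed sample contents, not a real AppImage\n"
    details = (
        f"Size: 0M ({len(payload)} bytes)\n"
        f"SHA-256 Hash: {hashlib.sha256(payload).hexdigest()}\n"
        f"SHA-1 Hash: {hashlib.sha1(payload).hexdigest()}\n"
    )
    good = verify_download(payload, details, "https://files.kde.org/")
    tampered = verify_download(payload + b"\x00", details, "http://files.kde.org/")
    return good, tampered
```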