Here's my 2c. It's unlikely that many users, here or elsewhere, would be comfortable downloading and executing this Hacksh binary from your Dropbox, regardless of its benefits.
Thanks, that's good to know. I never thought of that as a stumbling block. I trust me!
Do you think showing an md5 hash would help, or is it just Dropbox itself?
Would (for example) dl.huck.sh be better? (I own huck.sh (and huckridge.com and several others) and have a site there, but don't have anything at dl.huck.sh.)
I actually kind of thought that Dropbox would be better than my own webserver, on the assumption that people would trust them more than me. I dunno.
Personally, my primary concern is security and, by extension, trust. My shell environment functions as the gatekeeper to my castle, and installing this binary would be akin to blindly handing over the keys, especially since the source code is not accessible. I'm unsure if it's feasible given Hacksh's requirements, but using Flatpak could largely address your distribution issue as well as my security issue.
Yeah, I've worried about this a lot. Perhaps there's someone I could hire to give hucksh a clean bill of health. I wonder how much Bruce Schneier would charge? :) (That's a joke; I'm confident that, even if he'd do it, I couldn't afford him. But something like that is what I'm thinking of.)
Googling "security audit my code" finds several companies that offer such a service. My concern would be (aside from the admittedly non-trivial benefit of just having better code), would it make a difference to anybody that was on the fence about it? I suspect that the matrix of "potential customers" vs "what auditing service they'd trust" is large.