- Publish the releases on IPFS. (The link is also the hash & it's decentralized)
i don't think it can be a viable option because IPFS requires peers to continue seeding content. for example right now that we are on version 3.x peers have to continue seeding version 1.9 because someone might need it (eg. recovering a wallet file that doesn't work in new versions). and that is not something that people would do. best case scenario is decent seeds for new versions and older ones dying.
- Digitally sign the releases (whether published on the legacy website or on IPFS)
the releases are already signed using PGP.
- Let me see the software version # when I launch the app, without having to enter my wallet password! I need this to see if there's an update before entering my pw into a potentially vulnerable version.
- Let me check for updates before entering my password to my wallet.
this won't solve much. if you want security then you shouldn't be using the wallet online (on a computer that is connected to the internet). look into Electrum's cold storage options.
not to mention that the initial entering of your password only decrypts the public information such as your addresses and transaction history not your private keys.
- Establish a presence on the new, decentralized web platforms. Operate under the assumption that your domain name will eventually be compromised either by thieves or the government (yet, I repeat myself!
)
it won't matter as long as users continue doing these two things:
1. verify the deterministic builds hashes
2. verify the PGP signature of each release.
or simply build from source code.
