Alternative Distribution Channels
It's great to see the work that is being put in to allow for Briar Desktop to be packaged as .jar, .deb, macOS and windows installers etc. Users might find it useful to offer more privacy-preserving ways to download these files, than just through the clearnet.
Two relatively easy methods are to offer .onion
and/or .i2p
mirrors of the download page, but it might be worth it to consider p2p distribution methods down the road. One p2p strategy could be through removeable drives and/or hotspots, like Briar android. Another method is i2p's strategy of update-able torrents using i2p's network. Here's a brief description of this strategy, from i2p dev "idk":
Developer/Maintainer builds update and signs it to create an su3 file. The developer uploads(The whole su3) it somewhere and passes it to a News Server Operator. Either the Developer or the News Server Operator generates a magnet link corresponding to the su3 file. The Developer and the News Operator seed the torrent.
The News Operator then generates a signed feed, which is also an su3 file. Note that the signer of the software is different from the signer of the newsfeed. Both of the pieces of download information are added to a file called releases.json which is combined with a recently updated blocklist of known bad nodes and a series of release notes to create an RSS feed, which is downloaded by the I2P client.
The client then adds the torrent to the build-in I2P torrent client I2PSnark. Over the next 36 hours, every Java I2P user will participate in this torrent, ensuring that there are plentiful sources for the peer-to-peer download. What happens next depends on which UpdatePostProcessor is in use, this is somewhat (I2P)distribution-specific. DMG and NSIS packages use a different UPP than the mainline distro, for instance.
Documentation for this method can be found here: https://geti2p.net/spec/updates