The flashing instructions at grapheneos.org/install now include complete, fully tested instructions for Windows 10. Windows 10 has bsdtar (libarchive tar) and curl built-in now, which is nice. I found it amusing that Windows now has a nicer tar than most Linux distributions do.
Linux distributions rely on a zip implementation with a final release in April 2009. As you'd expect, it's hosted on SourceForge without HTTPS: infozip.sourceforge.net. The releases aren't signed and the last release has a bunch of known vulnerabilities distros patch downstream.
Only issue I have with bsdtar is the attack surface. It detects the file type automatically like GNU tar but supports a lot more formats: github.com/libarchive/lib. That's very convenient and useful but I'd generally prefer to have auto-detection by filename instead of the header.
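An added example, not part of the original thread: one way to get filename-based format selection in front of a header-sniffing extractor is to let the extension pick the single expected format and refuse the archive when its magic bytes disagree. The names `SIGNATURES`, `check_header` and `FormatMismatch` and the sample byte strings are constructed for illustration.

```python
import os

# Extension -> (offset, magic bytes). Well-known container signatures;
# anything not listed here is rejected rather than sniffed.
SIGNATURES = {
    ".zip": (0, b"PK\x03\x04"),        # ZIP local file header
    ".tar": (257, b"ustar"),           # POSIX/GNU tar header magic
    ".gz":  (0, b"\x1f\x8b"),          # gzip (covers .tar.gz outer layer)
    ".tgz": (0, b"\x1f\x8b"),
    ".bz2": (0, b"BZh"),
    ".xz":  (0, b"\xfd7zXZ\x00"),
    ".zst": (0, b"\x28\xb5\x2f\xfd"),
}


class FormatMismatch(Exception):
    """Raised when the file name and the header disagree, or the
    extension is not on the allowlist."""


def check_header(filename, header):
    """Return the format implied by the file name, but only if the
    leading bytes of the file actually carry that format's signature."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in SIGNATURES:
        raise FormatMismatch(f"{filename}: extension {ext!r} not allowed")
    offset, magic = SIGNATURES[ext]
    if header[offset:offset + len(magic)] != magic:
        raise FormatMismatch(f"{filename}: header is not {ext} data")
    return ext


def check_file(path):
    """Read only the first 512 bytes (one tar block) and validate them."""
    with open(path, "rb") as f:
        return check_header(path, f.read(512))


# Constructed sample headers, not real archives.
ZIP_SAMPLE = b"PK\x03\x04" + b"\x00" * 26
TAR_SAMPLE = b"\x00" * 257 + b"ustar\x00" + b"\x00" * 249

if __name__ == "__main__":
    print(check_header("image.zip", ZIP_SAMPLE))   # accepted
    try:
        check_header("image.tar", ZIP_SAMPLE)      # zip data named .tar
    except FormatMismatch as e:
        print("rejected:", e)
```

The returned extension is meant to select exactly one parser in the caller, so a file named `.tar` never reaches code for any other format.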

