Watermelon
sorry I was in rush when searching for the release date via my phone. the rest remains true though. keep in mind that the target group and goal for mAid is a complete different one than for AXP.OS. I never said the mAid live ISO is a high security daily driver while I still implement features like Secure Boot etc. yes, sha256 and sha512 are only shown on sourceforge which is the main download page though. but yes, hash sums on the homepage and for the release is something I have to fix though.
I haven't updated mAid since a year as it is really just a "small" personal project and again for a complete different target. speaking of that, the reason for the long release pause is that I publish releases after being completely tested only (which is a lot of effort) and for this I need enough free time doing so. since that time I had put much more time into AXP.OS which increased even more after the EOL of DivestOS. For AXP.OS it is way more important being current, tested and stable as I it is in use by some ppl as their daily driver. and I take that very serious.
supposedly didn't inject
no supposing here, it is 100% clear that the malicious code has no effect in mAid. well as long as you can read code and trust git at all. a new mAid release is in the works btw besides the nightlies which can be used in the meantime regardless.
Antivirus scanning is not an authoritative source to determine whether something is safe so I don't particularly care about these scan results
I didn't say it's an authoritative source for determining whether something is safe, but not including it would be unwise. I am pretty sure you would link that source if they would show "90% infected". It is ofc just one tool in a set of tools and also methods when analyzing stuff like that, so if you want to do that seriously you should care about malware scan results, imho.
[...] support for “re-locking” the bootloader as if that would achieve verified boot.
I have no idea what makes you think that. re-locking the bootloader and verified boot are different things and if there is something not clear on the website let me know. as before with your first post it seems you didn't took the time reading first and instead just throw out what you feel (which is OK if you would explicitly mark it like that).
You can read about the bootloader re-lock and also what it is meant for here: https://axpos.org/docs/guides/installation/bootloaderlock/
the other topic regarding verified boot: many devices for AXP.OS do support verified boot and which ones are clearly mentioned at their info and download page. (e.g. h815 does not while Fairphone4 does). This is regardless if that is the Pro or Slim flavor.
again, my statement you replied on first was explicitly about AXP.OS Slim but anyways.
the Pro flavor throws this balance out of the window by having zero security and privacy
"zero security and privacy". I think (again) it seems you are not happy with my person in particular and then out of this feeling claiming statements like that. AXP.OS Pro and Slim both using DivestOS deblobbing tools (and extending these) to remove a lot of calling-home calls ((I am not aware about another project doing that in this scale since Divest's EOL), it patches all devices with monthly (that changes as we all know) ASB patches, uses GrapheneOS' hardened malloc for most devices, includes a Vanadium based WebView and also applies CVE patches on all kernels (I am also not aware about another project doing that last one in this scale, GrapheneOS aside ofc).
The goal of AXP.OS Slim is identical as it was with DivestOS: taking back (some) control of your device. AXP.OS is meant mainly for devices which are not getting support anymore, i.e. end-of-life devices and even devices not supported by LineageOS or GrapheneOS anymore. AXP.OS is not a second GrapheneOS or CalyxOS, but it brings back life to devices which were otherwise kept in the drawer forever. it is clearly stated that for best security you should use a modern (Pixel) phone and switch to GrapheneOS
And you still use MD5 in 2025 (not talking about SourceForge).
sorry wrong again. AXP.OS has no single MD5 hashsum, for simplicity the unstable ones:
where do you see md5sums? I mean yes the special recovery files for ODIN which is the Samsung flashable format but it does not support other hash algos for these devices. these are convenient files but users can download the regular recovery image + the sha256 file for it and create their own one if they want.
besides that all sha512 sum files are GPG signed (e.g. https://leech.binbash.rocks:8008/axp-unstable/AXP.OS-22.2-20250815-dos-sunfish.zip.sha512sum) which will be added for the sha256 ones soon, too.
besides that build notifications get sent to the notification channel (containing its sha256sum).
Besides that every build can be verified by the OTA signature and its build ids.
as you likely have seen on the linked page, AXP.OS also increases key size + hash (8192 / sha512) for AVB, APK signing and dm-verity (incl. adjustments in recovery and OTA Updater to support higher hash algo).
But you don't come across to me as someone who cares about security
that is OK. you do not trust me because you feel like that and I am not here to change this because my personal feeling here is that it does not matter what I say you will dig around until you find something where you can say again sentences again like: "I would personally never trust any software you publish to be secure" and "you seem to have an extreme lack of care for security" or "having zero security and privacy" ... which is just .. wow.. and I'm really trying not to take it personally. :)
anyways I am always open to suggestions and am aware that neither I nor my projects are perfect!
I cherish my privacy and am passionate about security, but ultimately, I am only human and do my best to be of help to others.