I don’t know how easy it would be to migrate to your own local machine, but what you’re describing sounds like Desktop-as-a-Service. All of the major cloud providers offer this in some form.

all public bodies must disclose the source code of software developed by or for them, unless precluded by third-party rights or security concerns

So this effectively changes nothing.

Installing by piping from curl is pretty common and not a red flag in and of itself. Even Rust is installed this way. If you don’t trust the URL, you also shouldn’t trust any binary installers downloaded from that website.

• Dec 2023 ~60 so far
• Nov 2023 ~200
• Oct 2023 ~100

If you take out the employer-side taxes and cost of benefits, maybe. A fair number of their employees must be software engineers, and that much compensation isn’t unreasonable for expert software engineers.

Where does the initial cryptographic verification come from? I’m not arguing that you can’t pin certificates.

There is no way a user can know the website is real the first time it’s visited, without it presenting a verifiable certificate. It would be disastrous to trust the site after the first time you connected. Users shouldn’t need to care about security to get the benefits of it. It should just be seamless.

There are proposals out there to do away with the CAs (Decentralized PKI), but they require adoption by Web clients. Meanwhile, the Web clients (chrome) are often owned by the same companies that own the Certificate Authorities, so there’s no real incentive for them to build and adopt technology that would kill their $100+ million CA industry.

P=V x I

65W ≠ 5V x 2A