Yeah, but a browser isn’t something that you probably want to be getting from an untrusted source. Hell, random malware aside, the Kremlin themselves could probably just actively distribute a modified Firefox, see what people who don’t want to be blocked are getting up to and grab their credentials to websites.

I mean, there are ways to do it. You find some alternate source that you trust to get a hash of a browser release or a copy of signing keys or something and get a signature from someone you trust and validate that, but that’s narrowing down the pool of people for whom the browser is accessible a long ways.

I mean, yeah, if I were in Russia, I’d probably use an SSH tunnel to get out. They can block VPN providers that don’t apply the government blocklist, but I don’t believe that they’re prepared to kill outbound SSH. But the government just needs to block the vast majority, and the vast majority aren’t gonna be doing that.