On Mon, Aug 20, 2012 at 12:37 PM, Tal Dayan <[email protected]> wrote:
> I am looking at these malware notices and they made me worry. Does it mean
> that google can shut down any project's repository, with no advance notice,
> because it was classified as malware? If so, what are the avenues to
> appeal such decisions?
>

As the Google engineer who responds the most to reports of malware (both from our own crawlers and from external reports), I should chime in here with a few points:

1. The number of new malware-project reports we get each day from all sources combined is small enough that an engineer can spot check them, so we have a good chance of distinguishing between malicious malware-only projects (the vast majority) and legitimate projects that happen to have one infected file or a false positive.

2. The projects that contain only malware-infested binaries are immediately taken down, but their contents remain for at least 90 days in case we receive an appeal. I'm talking about projects that are clearly malicious: their project descriptions are nonsense, they have no source code commits (here or anywhere else, e.g., Github), they have no issues, and they have no wiki pages.

3. The projects that appear to be legitimate aren't necessarily taken down immediately. One of us usually notifies the project owner(s) and gives them a bit of time to clean house. If the malware is particularly nefarious, we may have to take it down immediately, but we'll still notify the owner(s).

4. We see dozens or hundreds of projects in category (2) for every one in category (3).

5. If your project is taken down, send us email (here or at any of our other mailing lists), and we'll see what's going on. Your project's contents are safe for at least 90 days after a takedown.

> I use google code as the sole repository for my open source app but start
> thinking about having an independent repository such as github mirroring it.
>

We encourage you to preserve your code however you like. The great thing about distributed version control is that you have lots of mirrors, including Github and all your repositories' clones, everywhere.

-- Lucas

