On 06/07/2015 11:33 AM, Martin Peach wrote:
On Sat, Jun 6, 2015 at 9:52 PM, Jonathan Wilkes via Pd-list <[email protected]> wrote:

    Hi list,
    tldr; Sourceforge has bundled malware with older Windows binaries
    for Gimp and apparently moved an old Sourceforge repo for nmap to
    a mirror where the nmap author does not have access.  (Sourceforge
    claims it never bundles adware with security software, but that
    isn't at all reassuring.)

    Please search the web for "sourceforge and gimp" and "sourceforge
    and nmap" and read a few of the relevant news items for further
    details.

    Three suggestions:
    1) We should migrate away from Sourceforge.
    2) We should make sure the current Pd Sourceforge repo doesn't
    become inactive.
    3) Once safely migrated, we should change to the Sourceforge code
    and release a Pd-extended binary on Sourceforge whose only
    function is to display a warning message to the user in the main
    Pd window. The warning should alert the user that Sourceforge is
    no longer the repo for any flavor of Pd, and that they should
    uninstall it and scan for malware.
    4) We should maintain active accounts on Sourceforge to make sure
    the current binaries never become a target for delivering malware.


This may be true for the compiled binaries but I think the svn repository should be safe, no? I don't think anyone could add malware to the repository without svn being aware of it.

That sounds reasonable. But it also sounds reasonable that a repo catering to FLOSS would
refrain from wrapping old binaries in a malware installer.  So...

-Jonathan


Martin
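Martin's point above is that the repository is a different artifact from the binaries posted on the download mirror. The check a practitioner would want for the binaries is to verify each download against a checksum manifest fetched from a channel the mirror does not control, such as the project's own site. What follows is an added example, not code from the Pd project or from SourceForge; the file names, manifest contents and the tampered and unlisted files are constructed for the demonstration.

```python
"""Verify downloaded release files against a checksum manifest obtained
from a channel the mirror does not control (e.g. the project's own site).

Added example, not code from Pd or SourceForge. File names, the manifest
contents and the sample files below are constructed for illustration.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum(1)-style lines: '<64 hex chars>  <filename>'.

    Returns {basename: hexdigest}. Blank lines and '#' comments are skipped;
    a malformed line raises rather than being dropped silently, because a
    missing entry would let a file pass unchecked.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError("manifest line %d is malformed: %r" % (lineno, raw))
        digest, name = parts
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        expected[os.path.basename(name)] = digest.lower()
    return expected


def verify_downloads(download_dir, manifest_text):
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING' | 'UNLISTED'}.

    UNLISTED is the case that matters for a mirror: a wrapper installer
    dropped next to the real binary never appears in the upstream manifest.
    """
    expected = parse_manifest(manifest_text)
    present = set(os.listdir(download_dir))
    result = {}
    for name, digest in expected.items():
        if name not in present:
            result[name] = "MISSING"
            continue
        actual = sha256_file(os.path.join(download_dir, name))
        # Digests are public, so a plain comparison is fine here.
        result[name] = "ok" if actual == digest else "MISMATCH"
    for name in present - set(expected):
        result[name] = "UNLISTED"
    return result


def demo():
    """Constructed scenario: one good file, one tampered, one missing, one extra."""
    d = tempfile.mkdtemp()
    good = b"#!/bin/sh\necho 'pd 0.46'\n"          # constructed stand-in for a release
    with open(os.path.join(d, "pd-0.46.tar.gz"), "wb") as f:
        f.write(good)                                # matches the manifest
    with open(os.path.join(d, "pd-setup.exe"), "wb") as f:
        f.write(good + b"\x00EXTRA")                 # tampered on the mirror
    with open(os.path.join(d, "pd-installer-wrapper.exe"), "wb") as f:
        f.write(b"MZ adware")                        # never listed upstream
    good_hex = hashlib.sha256(good).hexdigest()
    manifest = (
        "# constructed manifest, as published on the project's own site\n"
        "%s  pd-0.46.tar.gz\n"
        "%s  pd-setup.exe\n"
        "%s  pd-src.zip\n"                           # listed but not downloaded
    ) % (good_hex, good_hex, "0" * 64)
    return verify_downloads(d, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-28s %s" % (name, status))
```

The manifest must come from somewhere other than the mirror that served the binaries; a checksum file sitting next to a replaced download is replaced with it. A detached signature checked with `gpg --verify` against a key obtained out of band closes the remaining gap, but the unlisted-file check above is the one that catches the wrapper-installer pattern described in the thread.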

_______________________________________________
[email protected] mailing list
UNSUBSCRIBE and account-management -> 
http://lists.puredata.info/listinfo/pd-list