Re: [Numpy-discussion] Verify your sourceforge windows installer downloads
On 28.05.2015, 20:35, Sturla Molden wrote:
> Pauli Virtanen <p...@iki.fi> wrote:
>> Is it possible to host them on github? I think there's an option to add release notes and (apparently) to upload binaries if you go to the Releases section --- there's one for each tag.
>
> And then Sourceforge will put up tainted installers for the benefit of NumPy users. :)

Well, let them. They may already be tainted, who knows. It's phishing and malware distribution at that point, and there are some ways to deal with that (safe browsing, AV etc).

___
NumPy-Discussion mailing list
NumPy-Discussion@scipy.org
http://mail.scipy.org/mailman/listinfo/numpy-discussion
Re: [Numpy-discussion] Verify your sourceforge windows installer downloads
On 28.05.2015 19:46, Pauli Virtanen wrote:
> On 28.05.2015, 20:35, Sturla Molden wrote:
>> Pauli Virtanen <p...@iki.fi> wrote:
>>> Is it possible to host them on github? I think there's an option to add release notes and (apparently) to upload binaries if you go to the Releases section --- there's one for each tag.
>>
>> And then Sourceforge will put up tainted installers for the benefit of NumPy users. :)
>
> Well, let them. They may already be tainted, who knows. It's phishing and malware distribution at that point, and there are some ways to deal with that (safe browsing, AV etc).

There is no guarantee that github will not do this stuff in future too; also PyPI or self hosting do not necessarily help, as those resources can be compromised. The main thing that should be learned from this and the many similar incidents in the past is that binaries from the internet need to be verified for whether they have been modified from their original state; otherwise they cannot be trusted.

With my mail I wanted to bring to attention that both numpy (since 1.7.2) and scipy (since 0.14.1) allow users to do so via the signed README.txt containing checksums.
Re: [Numpy-discussion] Verify your sourceforge windows installer downloads
On 28.05.2015, 20:05, David Cournapeau wrote:
[clip]
>> In any case I've always been surprised that NumPy is distributed through SourceForge, which has been sketchy for years now. Could it simply be hosted on PyPI?
>
> They don't accept arbitrary binaries like SF does, and some of our installer formats can't be uploaded there.

Is it possible to host them on github? I think there's an option to add release notes and (apparently) to upload binaries if you go to the Releases section --- there's one for each tag.

Pauli
Re: [Numpy-discussion] Verify your sourceforge windows installer downloads
Pauli Virtanen <p...@iki.fi> wrote:
> Is it possible to host them on github? I think there's an option to add release notes and (apparently) to upload binaries if you go to the Releases section --- there's one for each tag.

And then Sourceforge will put up tainted installers for the benefit of NumPy users. :)
Re: [Numpy-discussion] Verify your sourceforge windows installer downloads
On 28.05.2015, 21:52, Julian Taylor wrote:
> There is no guarantee that github will not do this stuff in future too; also PyPI or self hosting do not necessarily help, as those resources can be compromised. The main thing that should be learned from this and the many similar incidents in the past is that binaries from the internet need to be verified for whether they have been modified from their original state; otherwise they cannot be trusted.

Indeed, but on the other hand, there's no reason for us to continue cooperating with shady partners, especially when there are easy alternatives. We can just quietly change the main binary distribution channel and be done with it.
Re: [Numpy-discussion] Verify your sourceforge windows installer downloads
On May 28, 2015 7:06 PM, David Cournapeau <courn...@gmail.com> wrote:
> On Fri, May 29, 2015 at 2:00 AM, Andrew Collette <andrew.colle...@gmail.com> wrote:
>> In any case I've always been surprised that NumPy is distributed through SourceForge, which has been sketchy for years now. Could it simply be hosted on PyPI?
>
> They don't accept arbitrary binaries like SF does, and some of our installer formats can't be uploaded there.
>
> David

Is that something that could be fixed? Has anyone asked the pypi maintainers whether they could change those rules, either in general or by granting exceptions on a case-by-case basis to projects that have proven track records and importance? It would seem to me that if the rules on pypi are forcing critical projects like numpy to host elsewhere, then the rules are flawed and are preventing pypi from serving its intended purpose.
Re: [Numpy-discussion] Verify your sourceforge windows installer downloads
Julian Taylor <jtaylor.deb...@googlemail.com> wrote:
> It has been reported that sourceforge has taken over the gimp unofficial windows downloader page and temporarily bundled the installer with unauthorized adware: https://plus.google.com/+gimp/posts/cxhB1PScFpe

WTF?
Re: [Numpy-discussion] Verify your sourceforge windows installer downloads
David Cournapeau <courn...@gmail.com> wrote:
> IMO, this really begs the question on whether we still want to use sourceforge at all. At this point I just don't trust the service at all anymore.

Here is their lame excuse: https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/

It probably means this: If NumPy installers are moved away from Sourceforge, they will set up a mirror and load the mirrored installers with all sorts of crapware. It is some sort of racket the mob couldn't do better.

Sturla
Re: [Numpy-discussion] Verify your sourceforge windows installer downloads
IMO, this really begs the question on whether we still want to use sourceforge at all. At this point I just don't trust the service at all anymore.

Could we use some resources (e.g. rackspace?) to host those files? Do we know how much traffic they get, to estimate the cost?

David

On Thu, May 28, 2015 at 9:46 PM, Julian Taylor <jtaylor.deb...@googlemail.com> wrote:
> hi,
>
> It has been reported that sourceforge has taken over the gimp unofficial windows downloader page and temporarily bundled the installer with unauthorized adware: https://plus.google.com/+gimp/posts/cxhB1PScFpe
>
> As NumPy is also distributing windows installers via sourceforge I recommend that when you download the files you verify the downloads via the checksums in the README.txt before using them. The README.txt is clearsigned with my gpg key so it should be safe from tampering. Unfortunately as I don't use windows I cannot give any advice on how to do the verification on these platforms. Maybe someone familiar with available tools can chime in.
>
> I have checked the numpy downloads and they still match what I uploaded, but as sourceforge does redirect based on OS and geolocation this may not mean much.
>
> Cheers,
> Julian Taylor
Re: [Numpy-discussion] Verify your sourceforge windows installer downloads
Migrating from SourceForge seems worth considering. I also agree this is a breach of trust with the open source community.

It is my impression that the GIMP team stopped using SF for downloads some time ago in favour of using their own website, leaving the SF account live to maintain the old release downloads: https://mail.gnome.org/archives/gimp-developer-list/2015-May/msg00098.html

According to the SourceForge blog, they assumed the GIMP for Windows account was abandoned, and it appears SF decided to make some money off it as a mirror site offering adware-bundled versions of the official releases: http://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/

We would not want the same thing to happen to NumPy, but on the other hand deleting all the old releases on SourceForge would break a vast number of installation scripts/recipes.

Peter

On Thu, May 28, 2015 at 2:35 PM, David Cournapeau <courn...@gmail.com> wrote:
> IMO, this really begs the question on whether we still want to use sourceforge at all. At this point I just don't trust the service at all anymore.
>
> Could we use some resources (e.g. rackspace?) to host those files? Do we know how much traffic they get, to estimate the cost?
>
> David
>
> On Thu, May 28, 2015 at 9:46 PM, Julian Taylor <jtaylor.deb...@googlemail.com> wrote:
>> hi,
>>
>> It has been reported that sourceforge has taken over the gimp unofficial windows downloader page and temporarily bundled the installer with unauthorized adware: https://plus.google.com/+gimp/posts/cxhB1PScFpe
>>
>> As NumPy is also distributing windows installers via sourceforge I recommend that when you download the files you verify the downloads via the checksums in the README.txt before using them. The README.txt is clearsigned with my gpg key so it should be safe from tampering. Unfortunately as I don't use windows I cannot give any advice on how to do the verification on these platforms. Maybe someone familiar with available tools can chime in.
>>
>> I have checked the numpy downloads and they still match what I uploaded, but as sourceforge does redirect based on OS and geolocation this may not mean much.
>>
>> Cheers,
>> Julian Taylor
[Numpy-discussion] Verify your sourceforge windows installer downloads
hi,

It has been reported that sourceforge has taken over the gimp unofficial windows downloader page and temporarily bundled the installer with unauthorized adware: https://plus.google.com/+gimp/posts/cxhB1PScFpe

As NumPy is also distributing windows installers via sourceforge I recommend that when you download the files you verify the downloads via the checksums in the README.txt before using them. The README.txt is clearsigned with my gpg key so it should be safe from tampering. Unfortunately as I don't use windows I cannot give any advice on how to do the verification on these platforms. Maybe someone familiar with available tools can chime in.

I have checked the numpy downloads and they still match what I uploaded, but as sourceforge does redirect based on OS and geolocation this may not mean much.

Cheers,
Julian Taylor
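Nobody in the thread spells out how to do the verification Julian asks for, so here is an added example (not code from the NumPy project or from any of the posters) of the two-stage check that his post and his later note about the signed README.txt in numpy 1.7.2+ / scipy 0.14.1+ describe: first confirm the README's gpg clearsignature, then compare the downloaded installer's digest with the one the README lists. It assumes, which the thread does not state, that the README lists checksums as `<hexdigest>  <filename>` lines (MD5 and/or SHA256); the `gpg` wrapper assumes a gpg binary on PATH (Gpg4win on Windows), and every file name, byte string and README in `demo()` is constructed for the example.

```python
"""Verify a downloaded NumPy Windows installer against the checksums in a
clearsigned README.txt.

Added example, not code from the NumPy project or from anyone in this thread.
Assumption (not stated in the thread): the README lists checksums as
"<hexdigest>  <filename>" lines, MD5 (32 hex chars) and/or SHA256 (64).
"""
import hashlib
import hmac
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# One "hexdigest  filename" line; the digest length identifies the algorithm.
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{32}|[0-9a-fA-F]{64})\s+(\S+)\s*$")
ALGO_BY_LENGTH = {32: "md5", 64: "sha256"}


def verify_clearsign(readme: Path, keyring: Optional[Path] = None) -> bool:
    """Check the README's clearsignature with gpg; True only on a GOODSIG.

    The signing key must come from somewhere other than the download mirror
    (the maintainer's published fingerprint); a key fetched from the same
    place as the README proves nothing. Run this before trusting any checksum.
    """
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring is not None:
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    cmd += ["--verify", str(readme)]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError:  # no gpg on PATH: treat as unverified
        return False
    return proc.returncode == 0 and "[GNUPG:] GOODSIG" in proc.stdout


def parse_checksums(text: str) -> Dict[str, Dict[str, str]]:
    """Map filename -> {algorithm: expected hex digest} from README text."""
    expected: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if m:
            digest, name = m.group(1).lower(), m.group(2)
            expected.setdefault(name, {})[ALGO_BY_LENGTH[len(digest)]] = digest
    return expected


def file_digest(path: Path, algo: str) -> str:
    """Hash the file in chunks so a large installer is not read into memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(installer: Path, expected: Dict[str, Dict[str, str]]) -> Tuple[bool, str]:
    """Compare a file to the strongest digest listed under its name.

    A file that is not listed is rejected, not silently accepted; SHA256 is
    preferred and MD5 used only when it is the only digest the README gives.
    """
    digests = expected.get(installer.name)
    if not digests:
        return False, f"{installer.name}: not listed in README checksums"
    algo = "sha256" if "sha256" in digests else "md5"
    actual = file_digest(installer, algo)
    if hmac.compare_digest(actual, digests[algo]):
        return True, f"{installer.name}: {algo} matches"
    return False, f"{installer.name}: {algo} MISMATCH (got {actual})"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the checksum stage on constructed files. The constructed README
    carries no real signature, so verify_clearsign() would reject it."""
    name = "numpy-X.Y.Z-win32-superpack-python2.7.exe"  # constructed file name
    good = b"MZ constructed stand-in for an installer, not a real binary\n"
    with tempfile.TemporaryDirectory() as tmp:
        d, mirror = Path(tmp), Path(tmp) / "mirror"
        mirror.mkdir()
        (d / name).write_bytes(good)
        (mirror / name).write_bytes(good + b"bundled adware\n")  # same name, altered
        (d / "other.exe").write_bytes(b"not listed in the README")
        readme = (
            "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
            "Checksums (constructed sample README)\n\nMD5\n~~~\n\n"
            f"{hashlib.md5(good).hexdigest()}  {name}\n\nSHA256\n~~~~~~\n\n"
            f"{hashlib.sha256(good).hexdigest()}  {name}\n"
            "-----BEGIN PGP SIGNATURE-----\n(no real signature)\n-----END PGP SIGNATURE-----\n"
        )
        expected = parse_checksums(readme)
        return {
            "good": verify_download(d / name, expected),
            "tampered": verify_download(mirror / name, expected),
            "unlisted": verify_download(d / "other.exe", expected),
        }


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(label, "OK" if ok else "BAD", reason)
```

The order of the two stages is the point: a checksum list is only as trustworthy as the signature over it, and the signature is only as trustworthy as the channel the key fingerprint came from, so the README and the key should not both be taken from the mirror being checked. On Windows the same two steps can also be done by hand with Gpg4win's `gpg --verify README.txt` and `certutil -hashfile <installer> SHA256`, comparing the printed digest with the README line.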
Re: [Numpy-discussion] Verify your sourceforge windows installer downloads
> Here is their lame excuse: https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/
>
> It probably means this: If NumPy installers are moved away from Sourceforge, they will set up a mirror and load the mirrored installers with all sorts of crapware. It is some sort of racket the mob couldn't do better.

I noticed that like most BSD-licensed software, NumPy's license includes this clause:

"Neither the name of the NumPy Developers nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission."

There's an argument to be made that SF isn't legally permitted to distribute poisoned installers under the name NumPy without permission. I recall a similar dust-up a while ago about Standard Markdown using the name Markdown; the original author (John Gruber) took action and got them to change the name.

In any case I've always been surprised that NumPy is distributed through SourceForge, which has been sketchy for years now. Could it simply be hosted on PyPI?

Andrew
Re: [Numpy-discussion] Verify your sourceforge windows installer downloads
On Fri, May 29, 2015 at 2:00 AM, Andrew Collette <andrew.colle...@gmail.com> wrote:
>> Here is their lame excuse: https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/
>>
>> It probably means this: If NumPy installers are moved away from Sourceforge, they will set up a mirror and load the mirrored installers with all sorts of crapware. It is some sort of racket the mob couldn't do better.
>
> I noticed that like most BSD-licensed software, NumPy's license includes this clause:
>
> "Neither the name of the NumPy Developers nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission."
>
> There's an argument to be made that SF isn't legally permitted to distribute poisoned installers under the name NumPy without permission. I recall a similar dust-up a while ago about Standard Markdown using the name Markdown; the original author (John Gruber) took action and got them to change the name.
>
> In any case I've always been surprised that NumPy is distributed through SourceForge, which has been sketchy for years now. Could it simply be hosted on PyPI?

They don't accept arbitrary binaries like SF does, and some of our installer formats can't be uploaded there.

David

> Andrew