• Rel (5/5) Jul 25 2018 To be exact as a "HEUR:Trojan-Downloader.Win32.Agent.gen".
• rikki cattermole (3/10) Jul 25 2018 This is a pretty regular problem for Windows.
• Radu (8/18) Jul 25 2018 It is a very simple thing to do. But the foundation hasn't
• Seb (27/47) Jul 26 2018 It's not about paying for the certificate, if that would be all,
• Radu (10/49) Jul 26 2018 It is important to have that certificate, as you can see from
• Vladimir Panteleev (3/8) Jul 26 2018 Does anti-virus software exempt signed executables?
• Suliman (4/13) Jul 26 2018 I really think that it's problem of Kaspersky than D. They should
• rikki cattermole (3/16) Jul 26 2018 Yes, but it'll be a lot easier to convince them that we are ok, if they
• rikki cattermole (5/14) Jul 26 2018 It really depends upon the AV engine as to what extent it is beneficial.
• Mike Franklin (6/11) Jul 25 2018 It's been reported at
• FeepingCreature (9/21) Jul 25 2018 Possibly because anything that says "pay money or we'll flag your
• Uknown (6/16) Jul 25 2018 To add to this, I've had issues with kaspersky tagging any 50
• Seb (4/16) Jul 26 2018 See

Rel <relmail rambler.ru> writes:

To be exact as a "HEUR:Trojan-Downloader.Win32.Agent.gen".
Few other AV software does the same:
https://www.virustotal.com/#/file/0aa364c5cb90630a5757aacc0c3c05a2273f5fdb88e14e2b80d4c19ee5b16d10/detection

I think, we should do something about it, at very least report
for false-positive to Kaspersky or something.

rikki cattermole <rikki cattermole.co.nz> writes:

On 25/07/2018 8:27 PM, Rel wrote:
 To be exact as a "HEUR:Trojan-Downloader.Win32.Agent.gen".
 Few other AV software does the same:
 https://www.virustotal.com/#/file/0aa364c5cb90630a5757aacc0c3c05a2273f5fdb88e14e2b80d4c1
ee5b16d10/detection 
 
 
 I think, we should do something about it, at very least report
 for false-positive to Kaspersky or something.

This is a pretty regular problem for Windows.
Until we start signing the executables, it will never end.

Radu <void null.pt> writes:

On Wednesday, 25 July 2018 at 08:31:05 UTC, rikki cattermole 
wrote:
 On 25/07/2018 8:27 PM, Rel wrote:
 To be exact as a "HEUR:Trojan-Downloader.Win32.Agent.gen".
 Few other AV software does the same:
 https://www.virustotal.com/#/file/0aa364c5cb90630a5757aacc0c3c05a2273f5fdb88e14e2b80d4c19ee5b16d10/detection
 
 
 I think, we should do something about it, at very least report
 for false-positive to Kaspersky or something.

 This is a pretty regular problem for Windows.
 Until we start signing the executables, it will never end.

It is a very simple thing to do. But the foundation hasn't 
bothered buying a code signing certificate, even though it is 
cheap.

Would be nice to hear why they haven't done this yet, considering 
that just the recurring open collective donations could cover 
expenses like this.

Seb <seb wilzba.ch> writes:

On Wednesday, 25 July 2018 at 09:49:54 UTC, Radu wrote:
 On Wednesday, 25 July 2018 at 08:31:05 UTC, rikki cattermole 
 wrote:
 On 25/07/2018 8:27 PM, Rel wrote:
 To be exact as a "HEUR:Trojan-Downloader.Win32.Agent.gen".
 Few other AV software does the same:
 https://www.virustotal.com/#/file/0aa364c5cb90630a5757aacc0c3c05a2273f5fdb88e14e2b80d4c19ee5b16d10/detection
 
 
 I think, we should do something about it, at very least report
 for false-positive to Kaspersky or something.

 This is a pretty regular problem for Windows.
 Until we start signing the executables, it will never end.

 It is a very simple thing to do. But the foundation hasn't 
 bothered buying a code signing certificate, even though it is 
 cheap.

 Would be nice to hear why they haven't done this yet, 
 considering that just the recurring open collective donations 
 could cover expenses like this.

It's not about paying for the certificate, if that would be all, 
we would have done this long ago!

The problem is to integrate it in our release process and that no 
one involved has much experience with Windows. It doesn't make 
things easier that we run Windows via VirtualBox for the release 
building and the snake oil industry requires a hardware 2FA 
process when signing binaries with their certificate.

Let me quote Martin (our release tzar) from one of the many 
internal mails:




I can figure this all out, it's again a small but lower-priority 
issue cutting the line though.

After my vacation I'm currently finalizing the highly-available 
code.dlang.org migration.
Next will be migrating ci.dlang.io to Buildkite, then beginning 
the research for use-after-free/alias tracking.

---
Would be great if someone with actual interest in this would take 
care of it completely.

Win binary builds to sign .exe and .dll:
https://github.com/dlang/installer/blob/master/create_dmd_release/create_dmd_release.d#L267-L268
Win installer build:
https://github.com/dlang/installer/blob/e780ad79a1b2721f3c1a3c841bd46a4bd39b37dc/create_dmd_release/build_all.d#L313-L322
Setup script for Win box in case we need to install tools:
https://gist.github.com/MartinNowak/8270666
---

<<<

Radu <void null.pt> writes:

On Thursday, 26 July 2018 at 07:25:24 UTC, Seb wrote:
 On Wednesday, 25 July 2018 at 09:49:54 UTC, Radu wrote:
 On Wednesday, 25 July 2018 at 08:31:05 UTC, rikki cattermole 
 wrote:
 [...]

 It is a very simple thing to do. But the foundation hasn't 
 bothered buying a code signing certificate, even though it is 
 cheap.

 Would be nice to hear why they haven't done this yet, 
 considering that just the recurring open collective donations 
 could cover expenses like this.

 It's not about paying for the certificate, if that would be 
 all, we would have done this long ago!

 The problem is to integrate it in our release process and that 
 no one involved has much experience with Windows. It doesn't 
 make things easier that we run Windows via VirtualBox for the 
 release building and the snake oil industry requires a hardware 
 2FA process when signing binaries with their certificate.

 Let me quote Martin (our release tzar) from one of the many 
 internal mails:

[...]



 I can figure this all out, it's again a small but 
 lower-priority issue cutting the line though.

 After my vacation I'm currently finalizing the highly-available 
 code.dlang.org migration.
 Next will be migrating ci.dlang.io to Buildkite, then beginning 
 the research for use-after-free/alias tracking.

 ---
 Would be great if someone with actual interest in this would 
 take care of it completely.

 Win binary builds to sign .exe and .dll:
 https://github.com/dlang/installer/blob/master/create_dmd_release/create_dmd_release.d#L267-L268
 Win installer build:
 https://github.com/dlang/installer/blob/e780ad79a1b2721f3c1a3c841bd46a4bd39b37dc/create_dmd_release/build_all.d#L313-L322
 Setup script for Win box in case we need to install tools:
 https://gist.github.com/MartinNowak/8270666
 ---

 <<<

It is important to have that certificate, as you can see from 
this 
https://forum.dlang.org/post/siugqkvkngnzdgqulaxo forum.dlang.org 
signing the installer is not a big deal. `osslsigncode` runs on 
Linux so I think it should be fairly straight forward to add it 
as a step in the build script.
The example command from the link I gave is used in production 
somewhere and it works.

So, buy a certificate :)

Vladimir Panteleev <thecybershadow.lists gmail.com> writes:

On Wednesday, 25 July 2018 at 08:31:05 UTC, rikki cattermole 
wrote:
 On 25/07/2018 8:27 PM, Rel wrote:
 I think, we should do something about it, at very least report
 for false-positive to Kaspersky or something.

 This is a pretty regular problem for Windows.
 Until we start signing the executables, it will never end.

Does anti-virus software exempt signed executables?

Suliman <evermind live.ru> writes:

On Thursday, 26 July 2018 at 08:27:33 UTC, Vladimir Panteleev 
wrote:
 On Wednesday, 25 July 2018 at 08:31:05 UTC, rikki cattermole 
 wrote:
 On 25/07/2018 8:27 PM, Rel wrote:
 I think, we should do something about it, at very least report
 for false-positive to Kaspersky or something.

 This is a pretty regular problem for Windows.
 Until we start signing the executables, it will never end.

 Does anti-virus software exempt signed executables?

I really think that it's problem of Kaspersky than D. They should 
fix they crap, not we.

rikki cattermole <rikki cattermole.co.nz> writes:

On 26/07/2018 8:39 PM, Suliman wrote:
 On Thursday, 26 July 2018 at 08:27:33 UTC, Vladimir Panteleev wrote:
 On Wednesday, 25 July 2018 at 08:31:05 UTC, rikki cattermole wrote:
 On 25/07/2018 8:27 PM, Rel wrote:
 I think, we should do something about it, at very least report
 for false-positive to Kaspersky or something.

 This is a pretty regular problem for Windows.
 Until we start signing the executables, it will never end.

 Does anti-virus software exempt signed executables?

 
 I really think that it's problem of Kaspersky than D. They should fix 
 they crap, not we.

Yes, but it'll be a lot easier to convince them that we are ok, if they 
can check for a cert.

rikki cattermole <rikki cattermole.co.nz> writes:

On 26/07/2018 8:27 PM, Vladimir Panteleev wrote:
 On Wednesday, 25 July 2018 at 08:31:05 UTC, rikki cattermole wrote:
 On 25/07/2018 8:27 PM, Rel wrote:
 I think, we should do something about it, at very least report
 for false-positive to Kaspersky or something.

 This is a pretty regular problem for Windows.
 Until we start signing the executables, it will never end.

 
 Does anti-virus software exempt signed executables?

It really depends upon the AV engine as to what extent it is beneficial.

But they can do white listing[0] and a few other things which would be 
very good on our end.

[0] https://forum.avast.com/index.php?topic=202088.0

Mike Franklin <slavo5150 yahoo.com> writes:

On Wednesday, 25 July 2018 at 08:27:25 UTC, Rel wrote:
 To be exact as a "HEUR:Trojan-Downloader.Win32.Agent.gen".
 Few other AV software does the same:
 https://www.virustotal.com/#/file/0aa364c5cb90630a5757aacc0c3c05a2273f5fdb88e14e2b80d4c19ee5b16d10/detection

 I think, we should do something about it, at very least report
 for false-positive to Kaspersky or something.

It's been reported at  
https://issues.dlang.org/show_bug.cgi?id=18786

For some reason it's not being taken seriously.  It's 
embarrassing to say the least.

Mike

FeepingCreature <feepingcreature gmail.com> writes:

On Wednesday, 25 July 2018 at 09:13:27 UTC, Mike Franklin wrote:
 On Wednesday, 25 July 2018 at 08:27:25 UTC, Rel wrote:
 To be exact as a "HEUR:Trojan-Downloader.Win32.Agent.gen".
 Few other AV software does the same:
 https://www.virustotal.com/#/file/0aa364c5cb90630a5757aacc0c3c05a2273f5fdb88e14e2b80d4c19ee5b16d10/detection

 I think, we should do something about it, at very least report
 for false-positive to Kaspersky or something.

 It's been reported at  
 https://issues.dlang.org/show_bug.cgi?id=18786

 For some reason it's not being taken seriously.  It's 
 embarrassing to say the least.

 Mike

Possibly because anything that says "pay money or we'll flag your 
binary and scare our users about it!" sounds like a scam. Also, 
nowadays virus scanners arguably cause more problems than they 
prevent - viruses have already exploited vulns in virus scanners, 
which usually run as root. And if somebody breaks into Github or 
dlang.org and replaces the binary with a backdoored one, they 
won't use a backdoor that'll be detected by common scanners 
because why would they?

Uknown <sireeshkodali1 gmail.com> writes:

On Wednesday, 25 July 2018 at 14:30:57 UTC, FeepingCreature wrote:
 On Wednesday, 25 July 2018 at 09:13:27 UTC, Mike Franklin wrote:
 On Wednesday, 25 July 2018 at 08:27:25 UTC, Rel wrote:

 Possibly because anything that says "pay money or we'll flag 
 your binary and scare our users about it!" sounds like a scam. 
 Also, nowadays virus scanners arguably cause more problems than 
 they prevent - viruses have already exploited vulns in virus 
 scanners, which usually run as root. And if somebody breaks 
 into Github or dlang.org and replaces the binary with a 
 backdoored one, they won't use a backdoor that'll be detected 
 by common scanners because why would they?

To add to this, I've had issues with kaspersky tagging any 50 
line program I wrote as a virus, as long as it had a do{} while() 
loop in main. Very annoying. At some point people need to realize 
that anti-viruses are not simply never going to improve computer 
security.

Seb <seb wilzba.ch> writes:

On Wednesday, 25 July 2018 at 09:13:27 UTC, Mike Franklin wrote:
 On Wednesday, 25 July 2018 at 08:27:25 UTC, Rel wrote:
 To be exact as a "HEUR:Trojan-Downloader.Win32.Agent.gen".
 Few other AV software does the same:
 https://www.virustotal.com/#/file/0aa364c5cb90630a5757aacc0c3c05a2273f5fdb88e14e2b80d4c19ee5b16d10/detection

 I think, we should do something about it, at very least report
 for false-positive to Kaspersky or something.

 It's been reported at  
 https://issues.dlang.org/show_bug.cgi?id=18786

 For some reason it's not being taken seriously.  It's 
 embarrassing to say the least.

 Mike

See 
https://forum.dlang.org/post/reccnvpdbboenpomexxz forum.dlang.org 
- I also forwarded a few internal mails to you.