<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 06/07/2015 11:33 AM, Martin Peach
wrote:<br>
</div>
<blockquote
cite="mid:CAN5xZ3ZLuKN1tU3fuyCeN2tA6g7s5RmPuWiwpNpn+q5s7NVRAw@mail.gmail.com"
type="cite">
<div dir="ltr">On Sat, Jun 6, 2015 at 9:52 PM, Jonathan Wilkes via
Pd-list <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:pd-list@lists.iem.at" target="_blank">pd-list@lists.iem.at</a>></span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Hi list,<br>
tldr; Sourceforge has bundled malware with older Windows
binaries for Gimp and apparently moved an old Sourceforge
repo for nmap to a mirror where the nmap author does not
have access. (Sourceforge claims it never bundles adware
with security software, but that isn't at all reassuring.)<br>
<br>
Please search the web for "sourceforge and gimp" and
"sourceforge and nmap" and read a few of the relevant news
items for further details.<br>
<br>
Three suggestions:<br>
1) We should migrate away from Sourceforge.<br>
2) We should make sure the current Pd Sourceforge repo
doesn't become inactive.<br>
3) Once safely migrated, we should change to the
Sourceforge code and release a Pd-extended binary on
Sourceforge whose only function is to display a warning
message to the user in the main Pd window. The warning
should alert the user that Sourceforge is no longer the
repo for any flavor of Pd, and that they should uninstall
it and scan for malware.<br>
4) We should maintain active accounts on Sourceforge to
make sure the current binaries never become a target for
delivering malware.<br>
<br>
</blockquote>
<br>
</div>
<div class="gmail_quote">This may be true for the compiled
binaries but I think the svn repository should be safe, no?<br>
</div>
<div class="gmail_quote">I don't think anyone could add
malware to the repository without svn being aware of it.<br>
</div>
</div>
</div>
</blockquote>
<br>
That sounds reasonable. But it also sounds reasonable that a repo
catering to FLOSS would<br>
refrain from wrapping old binaries in a malware installer. So...<br>
<br>
-Jonathan<br>
<br>
<blockquote
cite="mid:CAN5xZ3ZLuKN1tU3fuyCeN2tA6g7s5RmPuWiwpNpn+q5s7NVRAw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><br>
</div>
<div class="gmail_quote">Martin<br>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>