[PD] some repo house cleaning
Jonathan Wilkes
jancsika at yahoo.com
Tue Jun 9 03:49:03 CEST 2015
On 06/07/2015 11:33 AM, Martin Peach wrote:
> On Sat, Jun 6, 2015 at 9:52 PM, Jonathan Wilkes via Pd-list
> <pd-list at lists.iem.at> wrote:
>
> Hi list,
> tldr; Sourceforge has bundled malware with older Windows binaries
> for Gimp and apparently moved an old Sourceforge repo for nmap to
> a mirror where the nmap author does not have access. (Sourceforge
> claims it never bundles adware with security software, but that
> isn't at all reassuring.)
>
> Please search the web for "sourceforge and gimp" and "sourceforge
> and nmap" and read a few of the relevant news items for further
> details.
>
> Three suggestions:
> 1) We should migrate away from Sourceforge.
> 2) We should make sure the current Pd Sourceforge repo doesn't
> become inactive.
> 3) Once safely migrated, we should change to the Sourceforge code
> and release a Pd-extended binary on Sourceforge whose only
> function is to display a warning message to the user in the main
> Pd window. The warning should alert the user that Sourceforge is
> no longer the repo for any flavor of Pd, and that they should
> uninstall it and scan for malware.
> 4) We should maintain active accounts on Sourceforge to make sure
> the current binaries never become a target for delivering malware.
>
>
> This may be true for the compiled binaries but I think the svn
> repository should be safe, no?
> I don't think anyone could add malware to the repository without svn
> being aware of it.
That sounds reasonable. But it also sounds reasonable that a repo
catering to FLOSS would refrain from wrapping old binaries in a
malware installer. So...
-Jonathan
>
> Martin