Comment by josephcsible

1 year ago

It's not just Python apps. It's anything by small-time developers without expensive certificates. I once used MSVC to compile a C program that was little more than a "Hello, World", and Defender called it the Win32/Wacatac Trojan.

The code signing certificates that MS requires are ridiculously expensive. It's a cartel of certificate issuers. It's downright robbery. We need something similar to Let's Encrypt for code signing.

Defender calls anything Wacatac.

Ironically I've seen tons of actual malware that doesn't even give the slightest warning.

  • Even when legit malware gets flagged as "Wacatac" some percentage of users are sure to google the name, see that for years (if not decades) MS has wrongly flagged a ton of legitimate software as being that virus and then whitelist the actual malware on their machine assuming that Microsoft must have just screwed up again. I'm not surprised that MS hasn't fixed the problem after all this time, just disappointed.

    • This is how malware propagates. Most apps you get from questionable places have instructions that say disable your antivirus. I get it... but I don't want to play a game that bad.

  • I made a single for loop in Go at work to show a coworker; that binary got flagged as malware.

> It's not just Python apps. It's anything by small-time developers without expensive certificates.

This is definitely the case and has been my experience, as well.

We live in some dark times when it comes to building and sharing anything as small developers, especially if the things you're building are free.

I stopped updating my open-source Mac apps because I can't justify the cost of jumping over artificial hurdles Apple puts in place that ensure users can't run the apps they want to use. I have other hobbies where spending money actually gives me tangible goods and benefits versus paying an arbitrary yearly tax for the privilege to build stuff that ultimately benefits Apple.

  • > stopped updating my open-source Mac apps because I can't justify the cost of jumping over artificial hurdles Apple puts in place that ensure users can't run the apps they want to use.

    Hah, that's the exact reason I stopped using OS X and went full Linux on my old MacBook Air about 8 years ago.

  • This was the case for our open source app as well. The only reason we're on Apple is one of our users likes the app so much, they handle the certificates.

    Which is deeply ironic, if you think about it.

    • It is super interesting that someone who is not you can take care of proving to Apple that you are really you so that Apple can assert to all other users that they have verified that you are really you because they made you prove it.

      This world is just awesome. :)

  • I think Homebrew is the best solution for shipping open source Mac apps if you don't want to pay the developer fee or jump through any hurdles, assuming your users are technical enough to use it.

    The alternative is not signing your binaries and explaining to users that they can run them by right clicking and selecting "Open" from the menu.

    • Unfortunately, getting users to install Homebrew is a hurdle that's hard to pass for what I'm dealing with. It's a non-starter if users have to open a terminal to install anything, even though Homebrew has a .pkg installer now. The users typically don't know what a terminal even is.

      > The alternative is not signing your binaries and explaining to users that they can run them by right clicking and selecting "Open" from the menu.

      That's what I'm doing now, and it's still an issue, unfortunately. Non-power users are not going to remember the right-click -> Open ritual when they just double-click on everything else.

      And the warnings Gatekeeper shows also caused users to think their apps, and even computers, were broken or hacked.


This is not my experience but maybe I'm doing something different. I ship an electron app. I build it into an installer with electron-builder. I'm not sure I set any configuration settings. It's set to install in the user's folders, not at the system level. My understanding is that's allowed and just works.