Hi Liam,
I think you meant to send this to the list; let me know if I'm being naughty by publishing your response back to the list.
On Thu, 2016-02-04 at 13:00 -0500, Liam White wrote:
> Unlikely — the number of false flags that modern Windows AVs issue is so high that I would be quick to condemn many of them as malware myself.
> IMO, _anybody_ distributing releases should digitally sign them to help avoid this situation in the future. If somehow the copy of the file on the server were to become infected or replaced, we could easily verify it against the digital signature.
The resource system allows for gpg or md5 signatures to be uploaded with your file. These are checked by the server; compare the Windows download to the source package:
https://inkscape.org/en/gallery/item/3860/
There are four levels: no signature, an md5 hash, a gpg signature against your own public key, and a gpg signature and you being in the "packagers" team.
Thanks for testing everyone.
Martin,