Re: [Inkscape-devel] Infected Windows Installer Reported

Hi Liam,
I think you meant to send this to the list; let me know if I'm being naughty by publishing your response back to the list.
On Thu, 2016-02-04 at 13:00 -0500, Liam White wrote:
The resource system allows for gpg or md5 signatures to be uploaded with your file. These are checked by the server; compare the Windows download to the source package:
https://inkscape.org/en/gallery/item/3860/
There are four levels: no signature, an md5 hash, a gpg signature against your own public key, and a gpg signature with you being in the "packagers" team.
Thanks for testing everyone.
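As an added example (not part of this thread and not the Inkscape website's own code), a small Python verifier that applies the four levels described above to a downloaded package; the sidecar handling, the gpg CLI invocation and the fingerprint in SAMPLE_STATUS are assumptions constructed for this example.

```python
import hashlib
import subprocess
from pathlib import Path
from typing import Optional

LEVELS = ("no signature", "md5 hash", "gpg signature", "gpg signature + packagers team")

# Constructed sample of `gpg --status-fd 1` output for a good detached signature;
# the fingerprint and user id are made up for this example.
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Packager <packager@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-02-04 "
    "1454608800 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)

def md5_matches(data: bytes, expected_hex: str) -> bool:
    """Level 1: compare the download with the published digest. Catches corruption or a
    careless swap only; whoever can replace the file can usually replace the .md5 too."""
    return hashlib.md5(data).hexdigest() == expected_hex.strip().lower()

def parse_gpg_status(status_text: str) -> Optional[str]:
    """Return the signer fingerprint from gpg status lines, or None unless gpg reported
    both GOODSIG and VALIDSIG (BADSIG/ERRSIG never set `good`)."""
    good, fingerprint = False, None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "GOODSIG":
            good = True
        elif parts[1] == "VALIDSIG":
            fingerprint = parts[2].upper()
    return fingerprint if good else None

def verify_with_gpg(package: Path, signature: Path) -> Optional[str]:
    """Level 2: check a detached signature with the gpg CLI. The signing key must already
    be in the local keyring; that trust in the key is what ties the file to its uploader."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", str(signature), str(package)]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_gpg_status(proc.stdout) if proc.returncode == 0 else None

def trust_level(md5_ok: Optional[bool], signer: Optional[str], packagers: set) -> int:
    """Map results onto the four levels (index into LEVELS). md5_ok is None when no digest
    was published; a published digest that fails is a hard error whatever else verified."""
    if md5_ok is False:
        raise ValueError("published md5 does not match the download")
    if signer is not None:
        return 3 if signer.upper() in {f.upper() for f in packagers} else 2
    return 1 if md5_ok else 0
```

Level 3 is the only one that also answers "is this person allowed to publish installers", which is the question an infected-installer report actually raises.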
Martin,

On Thu, Feb 04, 2016 at 02:22:03PM -0500, Martin Owens wrote:
I strongly agree with Liam.
I know having to figure out public key encryption can be a bit of a pain in the ass for the distributor, but for this exact situation it can end up saving a huge amount of time and angst for everyone involved. This is more or less a standard on the Linux side, but with all the false flags Liam mentions (not to mention the larger userbase) the potential benefit is even larger on the Windows and OS X side.
Indeed, I would +1 making signatures a firm requirement in the website download system, for all publicly downloadable packages that might have executable code in them.
Bryce

On Sat, 2016-02-06 at 17:54 -0800, Bryce Harrington wrote: