pspp-users

Re: installation of /2016-01-24/pspp-090+20160124-snapshot-64bits-setup.


From: ftr
Subject: Re: installation of /2016-01-24/pspp-090+20160124-snapshot-64bits-setup.exe
Date: Fri, 29 Jan 2016 00:18:10 +0100
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1

I asked the question because I was puzzled. I found a virus alarm message that I found difficult to believe. This was the first time that this happened with PSPP. So I asked my questions.

I would like John to understand that and not think that I wanted by intent to insult the voluntary developers of my stats program! The question was not if you deliberately infected the installer - what an idea - but if somewhere some man-in-the-middle might have found an entry, for instance.

When my car breaks down, as a non-mechanic who bought a car not to study the physics of automotive propulsion but to go from here to there, I turn to the people from where I got the car. It is as basic as that.

It must be allowed to ask a question if a user does not understand what happens. This is not a moment of psychological drama, of faith in people, but of solving a technical question.

My own opensource life has been marked with one (1) bad experience. In 2013 I downloaded NbuExplorer from sourceforge, a viewer for Nokia telephone backup files which made all the AV bells ring (with Avast AV at that time). And the prog site shows that I was not the only one who complained about virus and crapware installed (and was insulted in PM by the developer afterwards). So, open source can carry infections. BTW, NbuExplorer is a sort of ADE651 device that works and that infects at the same time (and gives you a nasty time when you try to uninstall it).

To be sure, I sent the question to Panda support but did not yet get an answer. Panda does not give precise reasons why a program has been neutralised. The intention of my question was to get an answer from the list to demand Panda to review its code. So your answer is: no, there is no info on any attempt to infect the prog or the site, if I understand you well.

The usable part of the answer was: If you checked the GPG signature after download, then you can be sure it was not tampered with.

I never did a GPG signature test so I shall have to learn that.

Thank you for the experience.

ftr


On 27/01/2016 15:09, John Darrington wrote:
On Tue, Jan 26, 2016 at 11:32:14PM +0100, news wrote:

      Are you sure there is no virus and the 2nd Panda message is a
      false positive ?

Interesting question.  It raises a number of issues:

1. The short answer is "no" we cannot be absolutely sure.  But at the
    same time, there are lots of putative "virus checking" programs which
    "work" in exactly the same way as http://en.wikipedia.org/wiki/ADE651

    If somebody (or some program) thinks it has discovered malware, then the
    onus is on them to provide evidence.  Does your Panda program say WHY it
    thinks there is a virus?


2. You should note the warranty that comes with PSPP  - you can see it by
    executing the command "SHOW WARRANTY."  and I have reproduced it at the
    bottom of this mail.


3. You must ask yourself: Who do you trust more?  The people who distribute
    PSPP or the  people who distribute your virus checker?  When I say "trust"
    I mean trust NOT to have (either deliberately or inadvertently)
    introduced something BAD into the software.


4. Assuming that you trust the PSPP developers, do you trust your ISP and
    all intermediate carriers not to have tampered with the software during
    download?  -- If you checked the GPG signature after download, then you
    can be sure it was not tampered with.  Did you check it?


5. If you do not trust the developers, fortunately you can examine the source
    code to ensure that there is nothing malicious there, before you
    start building it.


6. However, I think you mentioned windows, so there is a good chance that
    you did not build it yourself but downloaded Harry's prebuilt binary.
    Do you trust Harry?  Do you trust his toolchain?   Do you trust the
    people who built Harry's toolchain for him?   All of those stages are
    opportunities to insert something malicious.  On the other hand, if
    you are using windows why do you care - it is common knowledge that the
    operating system contains malware by design.


7. My personal opinion is that I think it unlikely that any version of PSPP
    contains a virus. -- but do you trust ME?





Pspp's warranty:

   THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

   IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
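
The GPG signature check mentioned in this thread, as an added example that is not part of the original messages or of PSPP's own tooling: it runs `gpg --verify` on a detached signature and accepts the download only if gpg reports a valid signature made by one pinned key, since gpg reports a good signature for any key in the keyring. The fingerprint is a placeholder, the status lines are constructed samples, and the function names and the signature file path are assumptions.

```python
import subprocess

# Placeholder only: replace with the signer's fingerprint obtained from a
# source you trust. It is not the real PSPP signing key.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed status output for illustration (not captured from a real run).
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Packager <packager@example.org>\n"
    "[GNUPG:] VALIDSIG " + PINNED_FPR + " 2016-01-24 1453593600 0 4 0 1 8 00 "
    + PINNED_FPR + "\n"
)
SAMPLE_TAMPERED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Packager <packager@example.org>\n"
)


def parse_status(status_text, pinned_fpr):
    """Decide from gpg's --status-fd lines whether to accept the file."""
    pinned = pinned_fpr.replace(" ", "").upper()
    signer_fprs = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword == "BADSIG":
            return False, "bad signature: file or signature was altered"
        if keyword in ("ERRSIG", "NO_PUBKEY"):
            return False, "signature could not be checked (key missing?)"
        if keyword in ("EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, "signature or signing key expired or revoked"
        if keyword == "VALIDSIG" and args:
            # First field: key that made the signature; last: its primary key.
            signer_fprs.update((args[0].upper(), args[-1].upper()))
    if not signer_fprs:
        return False, "no valid signature found"
    if pinned not in signer_fprs:
        return False, "valid signature, but not from the expected key"
    return True, "good signature from the pinned key"


def verify_download(file_path, sig_path, pinned_fpr=PINNED_FPR, gpg="gpg"):
    """Run gpg on a detached signature and judge its machine-readable status."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return parse_status(proc.stdout, pinned_fpr)
```

`verify_download` needs the signer's public key already imported into the local keyring; without it gpg emits `ERRSIG`/`NO_PUBKEY` and the file is rejected.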






