Re: installation of /2016-01-24/pspp-090+20160124-snapshot-64bits-setup.
From: John Darrington
Subject: Re: installation of /2016-01-24/pspp-090+20160124-snapshot-64bits-setup.exe
Date: Fri, 29 Jan 2016 06:31:36 +0100
User-agent: Mutt/1.5.21 (2010-09-15)
No offence was taken.
And you are right, it is always possible that you have been the victim of
a man-in-the-middle attack - and these kinds of attacks are on the rise.
Obviously, if that is the case, then nobody who does not have access
to your machine *whilst it is disconnected from any network* can give
you any meaningful advice.
As for your motor vehicle comparison, let me simply mention that I
own a VW. Should I turn to the people I bought it from if I'm concerned
that its ECS is not working properly?
J'
On Fri, Jan 29, 2016 at 12:18:10AM +0100, ftr wrote:
I asked the question because I was puzzled. I found a virus alarm
message that I found difficult to believe. This was the first
time that this happened with PSPP. So I asked my questions.
I would like John to understand that and not think that I wanted
by intent to insult the voluntary developers of my stats program!
The question was not if you deliberately infected the installer
- what an idea - but if somewhere some man-in-the-middle might
have found an entry, for instance.
When my car breaks down as a non-mechanic who bought a car not
to study the physics of automotive propulsion but to go from here
to there I turn to the people from where I got the car. It is as
basic as that.
It must be allowed to ask a question if a user does not
understand what happens. This is not a moment of psychological
drama, of faith in people, but of solving a technical question.
My own opensource life has been marked with one (1) bad
experience. In 2013 I downloaded NbuExplorer from sourceforge, a
viewer for Nokia telephone backup files which made all the AV
bells ring (with Avast AV at that time). And the prog site shows
that I was not the only one who complained about virus and
crapware installed (and was insulted in PM by the developer
afterwards). So, open source can carry infections. BTW,
NbuExplorer is a sort of ADE651 device that works and that
infects at the same time (and gives you a nasty time when you try
to uninstall it).
To be sure, I sent the question to Panda support but did not yet
get an answer. Panda does not give precise reasons why a program
has been neutralised. The intention of my question was to get an
answer from the list to demand Panda to review its code. So your
answer is: no, there is no info on any tentative to infect the
prog or the site, if I understand you well.
The usable part of the answer was: If you checked the GPG
signature after download, then you can be sure it was not
tampered with.
I never did a GPG signature test so I shall have to learn that.
Thank you for the experience.
ftr
On 27/01/2016 15:09, John Darrington wrote:
>On Tue, Jan 26, 2016 at 11:32:14PM +0100, news wrote:
>
> Are you sure there is no virus and the 2nd Panda message is a
> false positive ?
>
>Interesting question. It raises a number of issues:
>
>1. The short answer is "no" we cannot be absolutely sure. But at the
> same time, there are lots of putative "virus checking" programs which
> "work" in exactly the same way as http://en.wikipedia.org/wiki/ADE651
>
> If somebody (or some program) thinks it has discovered malware, then the
> onus is on them to provide evidence. Does your Panda program say WHY it thinks
> there is a virus?
>
>
>2. You should note the warranty that comes with PSPP - you can see it by executing
> the command "SHOW WARRANTY." and I have reproduced it at the bottom of
> this mail.
>
>
>3. You must ask yourself: Who do you trust more? The people who distribute
> PSPP or the people who distribute your virus checker? When I say "trust"
> I mean trust NOT to have (either deliberately or inadvertently) to have
> introduced something BAD into the software.
>
>
>4. Assuming that you trust the PSPP developers, do you trust your ISP and
> all intermediate carriers not to have tampered with the software during
> download? -- If you checked the GPG signature after download, then you
> can be sure it was not tampered with. Did you check it?
>
>
>5. If you do not trust the developers, fortunately you can examine the source
> code to ensure that there is nothing malicious there, before you
> start building it.
>
>
>6. However, I think you mentioned windows, so there is a good chance that
> you did not build it yourself but downloaded Harry's prebuilt binary.
> Do you trust Harry? Do you trust his toolchain? Do you trust the
> people who built Harry's toolchain for him? All of those stages are
> opportunities to insert something malicious. On the other hand, if
> you are using windows why do you care - it is common knowledge that the
> operating system contains malware by design.
>
>
>7. My personal opinion is that I think it unlikely that any version of PSPP
> contains a virus. -- but do you trust ME?
>
>
>
>
>
>Pspp's warranty:
>
> THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
>APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
>HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
>OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
>THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
>PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
>IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
>ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
>
> IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
>WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
>THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
>GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
>USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
>DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
>PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
>EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
>SUCH DAMAGES.
>
>
>
_______________________________________________
Pspp-users mailing list
address@hidden
https://lists.gnu.org/mailman/listinfo/pspp-users
--
Avoid eavesdropping. Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3
fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.
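
The GPG signature check mentioned in the thread, sketched as an added example that is not part of the original messages and not PSPP project code: it accepts a download only when gpg reports a valid detached signature made by one pinned key. The function names, the file names in the usage comment, the fingerprint and the sample status lines are all constructed placeholders; the signer's real fingerprint has to come from a channel you trust.

```shell
#!/bin/sh
# Added example; not PSPP project code. PINNED_FPR is a constructed placeholder:
# use the release signer's fingerprint obtained over a channel you trust.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-01-24 1453593600 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# sig_matches FPR: read gpg status lines on stdin; succeed only if they report
# a valid signature by the key FPR and no bad, expired-key or revoked-key result.
sig_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, the last field the primary key.
        # Appending "" forces a string comparison of the hex fingerprints.
        $2 == "VALIDSIG" && (($3 "") == (want "") || ($NF "") == (want "")) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_download FILE SIGFILE FPR: check a detached signature with gpg.
# The signer's public key must already be in the local keyring.
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | sig_matches "$3"
}

# Usage (file names are placeholders):
#   verify_download setup.exe setup.exe.sig "$PINNED_FPR" && echo "signature OK"
```

Pinning the fingerprint matters because gpg also reports a good signature for any other key that happens to be in the keyring; a valid signature only shows the file is unchanged since that key signed it, not that the signer's build was clean.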