pspp-users

Re: installation of /2016-01-24/pspp-090+20160124-snapshot-64bits-setup.


From: John Darrington
Subject: Re: installation of /2016-01-24/pspp-090+20160124-snapshot-64bits-setup.exe
Date: Fri, 29 Jan 2016 06:31:36 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

No offence was taken.  

And you are right, it is always possible that you have been victim of
a man-in-the-middle attack - and these kinds of attacks are on the rise.
Obviously, if that is the case, then nobody who does not have access
to your machine  *whilst it is disconnected from any network* can give
you any meaningful advice.

As for your motor vehicle comparison, let me simply mention that I 
own a VW.  Should I turn to the people I bought it from if I'm concerned
that its ECS is not working properly?

J'



On Fri, Jan 29, 2016 at 12:18:10AM +0100, ftr wrote:
     I asked the question because I was puzzled. I found a virus alarm
     message that I found difficult to believe. This was the first
     time that this happened with PSPP. So I asked my questions.
     
     I would like John to understand that and not think that I wanted
     by intent to insult the voluntary developers of my stats program!
     The question was not if you deliberately infected the installer
     - what an idea - but if somewhere some man-in-the-middle might
     have found an entry, for instance.
     
     When my car breaks down as a non-mechanic who bought a car not
     to study the physics of automotive propulsion but to go from here
     to there I turn to the people from where I got the car. It is as
     basic as that.
     
     It must be allowed to ask a question if a user does not
     understand what happens. This is not a moment of psychological
     drama, of faith in people, but of solving a technical question.
     
     My own opensource life has been marked with one (1) bad
     experience. In 2013 I downloaded NbuExplorer from sourceforge, a
     viewer for Nokia telephone backup files which made all the AV
     bells ring (with Avast AV at that time). And the prog site shows
     that I was not the only one who complained about virus and
     crapware installed (and was insulted in PM by the developer
     afterwards). So, open source can carry infections. BTW,
     NbuExplorer is a sort of ADE651 device that works and that
     infects at the same time (and gives you a nasty time when you try
     to uninstall it).
     
     To be sure, I sent the question to Panda support but did not yet
     get an answer. Panda does not give precise reasons why a program
     has been neutralised. The intention of my question was to get an
     answer from the list to demand Panda to review its code. So your
     answer is: no, there is no info on any tentative to infect the
     prog or the site, if I understand you well.
     
     The usable part of the answer was: If you checked the GPG
     signature after download, then you can be sure it was not
     tampered with.
     
     I never did a GPG signature test so I shall have to learn that.
     
     Thank you for the experience.
     
     ftr
     
     
     On 27/01/2016 15:09, John Darrington wrote:
     >On Tue, Jan 26, 2016 at 11:32:14PM +0100, news wrote:
     >
     >      Are you sure there is no virus and the 2nd Panda message is a
     >      false positive ?
     >
     >Interesting question.  It raises a number of issues:
     >
     >1. The short answer is "no" we cannot be absolutely sure.  But at the
     >    same time, there are lots of putative "virus checking" programs which
     >    "work" in exactly the same way as http://en.wikipedia.org/wiki/ADE651
     >
     >    If somebody (or some program) thinks it has discovered malware, then
     >    the onus is on them to provide evidence.  Does your Panda program say
     >    WHY it thinks there is a virus?
     >
     >
     >2. You should note the warranty that comes with PSPP  - you can see it by
     >    executing the command "SHOW WARRANTY."  and I have reproduced it at
     >    the bottom of this mail.
     >
     >
     >3. You must ask yourself: Who do you trust more?  The people who
     >    distribute PSPP or the  people who distribute your virus checker?
     >    When I say "trust" I mean trust NOT to have (either deliberately or
     >    inadvertently) to have introduced something BAD into the software.
     >
     >
     >4. Assuming that you trust the PSPP developers, do you trust your ISP and
     >    all intermediate carriers not to have tampered with the software
     >    during download?  -- If you checked the GPG signature after download,
     >    then you can be sure it was not tampered with.  Did you check it?
     >
     >
     >5. If you do not trust the developers, fortunately you can examine the
     >    source code to ensure that there is nothing malicious there, before
     >    you start building it.
     >
     >
     >6. However, I think you mentioned windows, so there is a good chance that
     >    you did not build it yourself but downloaded Harry's prebuilt binary.
     >    Do you trust Harry?  Do you trust his toolchain?   Do you trust the
     >    people who built Harry's toolchain for him?   All of those stages are
     >    opportunities to insert something malicious.  On the other hand, if
     >    you are using windows why do you care - it is common knowledge that
     >    the operating system contains malware by design.
     >
     >
     >7. My personal opinion is that I think it unlikely that any version of
     >    PSPP contains a virus. -- but do you trust ME?
     >
     >
     >
     >
     >
     >Pspp's warranty:
     >
     >   THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
     >APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
     >HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
     >OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
     >THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     >PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
     >IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
     >ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
     >
     >   IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
     >WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
     >THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
     >GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
     >USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
     >DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
     >PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
     >EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
     >SUCH DAMAGES.
     >
     >
     >
     
     
     _______________________________________________
     Pspp-users mailing list
     address@hidden
     https://lists.gnu.org/mailman/listinfo/pspp-users

-- 
Avoid eavesdropping.  Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.

Attachment: signature.asc
Description: Digital signature
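
The GPG check mentioned in this thread, as an added example that is not part of the original messages or of PSPP's own tooling: it verifies a detached signature and additionally pins the signer's fingerprint, since a valid signature from an unexpected key proves nothing about tampering. The function names, the detached-signature file and the expected fingerprint (which must be obtained over a channel you trust) are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: verify a download against a detached GnuPG signature
# and require that the signature was made by one specific key.
# Usage: sh verify.sh FILE SIGFILE EXPECTED_FINGERPRINT

# Normalise a fingerprint as printed for humans: drop spaces, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read gpg's machine-readable status lines on stdin and succeed only if
# a cryptographically valid signature from the expected key is reported
# and no bad, unverifiable, expired-key or revoked-key status appears.
status_ok() {
    want=$(norm_fpr "$1")
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # $3 is the signing (sub)key, the last field the primary key.
            # Appending "" forces string comparison, never numeric.
            if (($3 "") == (want "") || ($NF "") == (want "")) ok = 1
        }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" ||
                             $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") {
            bad = 1
        }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# Run gpg on the real files; the status lines go to stdout for status_ok.
verify_download() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | status_ok "$3"
}

if [ "$#" -eq 3 ]; then
    if verify_download "$1" "$2" "$3"; then
        echo "signature valid and made by the expected key"
    else
        echo "verification FAILED: do not run this file" >&2
        exit 1
    fi
fi
```

The signer's public key must already be in the local keyring; a passing result says the file is what the key holder signed, not that the build itself is free of malware.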

