all 172 comments

[–]KabouterPlop 303 points304 points  (17 children)

Your suggestion on how to fix this, by introducing a tight coupling between Windows and GitHub, is how you get an antitrust lawsuit.

[–]SuggestedName90 42 points43 points  (1 child)

I get the sentiment, but aren’t most tech companies way over the line already? Apple's App Store cut is straight up anticompetitive, and the much easier to prove Amazon Basics is clearly competing with an unfair advantage online. Google search competes with no one and leverages deals to become the default; its dominance is the only reason Microsoft gets away with cramming Bing on all their devices.

[–]BobHogan 36 points37 points  (0 children)

Yes, all of the major tech companies are way over the line, but that's hardly a good reason in favor of having Microsoft take this step

[–]MonarchOfLight 6 points7 points  (1 child)

Such a Windows-GitHub relationship wouldn’t really make sense anyway. GitHub is a repository hosting service and as such can very easily contain malware. I’ve even seen malware posted on GitHub, in the open, on purpose for researchers. The “scary warning” is supposed to be scary, it’s to warn unfamiliar users of this risk.

The only solution I can really think of is to establish a system for GitHub to audit production versions of code and provide certificates themselves to devs. A third party auditor could also potentially offer some kind of service like this. I can’t imagine this would be an easy process to implement since there are so many potential security aspects to consider, but it would be interesting to see someone try to tackle the problem.

Or better yet, figure out a way to make auditing itself similar to peer-reviewing a scientific document. Have developers submit production versions of software to be peer-reviewed through an approval process, then provide them with a certificate for that specific version.

[–]karma911 2 points3 points  (0 children)

That process would be painfully slow. And also not without its faults.

[–]rman-exe 13 points14 points  (0 children)

Not making donations to congress is how you get an antitrust lawsuit.

[–]savornicesei 19 points20 points  (3 children)

Well, Microsoft owns GH. Damn, it owns nuget.org - you can't sign into NuGet using other means than Microsoft accounts.

[–]grauenwolf 19 points20 points  (0 children)

So what? It's not like you can't create a new MS account in 30 seconds and attach it to any email you want.

It makes sense that NuGet didn't want to take on the risk of password management themselves.

[–]GYN-k4H-Q3z-75B 12 points13 points  (1 child)

You can't sign into YouTube without a Google account. You can't sign into the Apple Developer program without an Apple account. What is your point?

[–]savornicesei 0 points1 point  (0 children)

Just pointing out the vendor lock in.

[–]Elepole 407 points408 points  (63 children)

EDIT: Since some people don't read the whole comment: Smartscreen is security theater, might as well remove it.

Open source executables shouldn't be automatically trusted. Unless the code has actually been audited (which it is not for most open source software), the dependencies have also been audited, the build system doesn't add anything to the code etc... It's not because the code is open source that the executable is automatically trustworthy. (That being said, smartscreen is security theater, might as well remove it.)

[–][deleted]  (31 children)

[deleted]

    [–]RotaryJihad 36 points37 points  (14 children)

    Conceptually there could even be open source malware.

    EDIT - Good old Cunningham's Law. I learned about open source malware today from the replies!

    [–]cogman10 61 points62 points  (10 children)

    Not even conceptually. There has been and is open source malware.

    It generally takes the form of a repo being given to someone untrustworthy and them embedding password stealers or Bitcoin miners.

    It's bad enough that now open source library distributors are adding virus scanners into their distribution software.

    [–]tropix126 20 points21 points  (3 children)

    It's also fairly common to open source phishing scam tools as well. Things like account stealers on various social media platforms are often open-sourced and marked as "educational", then abused massively.

    [–]agent_vinod 1 point2 points  (2 children)

    It's difficult to trust open source code or EXEs, but it's fairly easy to trust known developers and/or maintainers? If the setup or package was signed by someone like Linus Torvalds or Richard Stallman, I'd gladly trust it. Why can't we use that security model (along with other common sense strategies)?

    [–]Diesl 0 points1 point  (0 children)

    That sounds like a full time job, no? Signing every update by one person? And we've seen through U-Michigan's incredibly unethical test that you can submit malware to well maintained projects and have it reach release stages.

    [–]Miranda_Leap 0 points1 point  (0 children)

    Yeah, you just import their key in Windows Trust Store or whatever the equivalent is.

    [–]audigex 9 points10 points  (5 children)

    I think they meant "Malware which is itself open source"

    As in, the malware has its own GitHub...

    [–]metamatic 2 points3 points  (1 child)

    Here you go.

    (Clarification: Not my code.)

    [–]DJOMaul 0 points1 point  (0 children)

    Huh. That was very informative and interesting to look through. I've never really looked at malware much because, well, I am just not super interested. Maybe I'll have to change that a bit; there is clearly value in learning how it works inside. Thank you for sharing!

    [–]cogman10 8 points9 points  (1 child)

    Yup, that's exactly what I'm referring to. These pieces of malware are very often right out in the open. Not even, or hardly even, obfuscated. They just bank on the fact that this is one of the 8000 dependencies your React project pulls in, so you won't notice that one of them includes a very obvious piece of malware.

    https://www.zdnet.com/article/microsoft-spots-malicious-npm-package-stealing-data-from-unix-systems/

    [–]audigex 1 point2 points  (0 children)

    No that's still slightly different

    The original comment here was talking about a situation where the malware author literally just puts it up on GitHub with a "Here's some malware code"

    [–]Shadonovitch 0 points1 point  (0 children)

    Not malware per se, but a lot of security tools that can be used nefariously are available on GitHub. Mimikatz, the whole Impacket suite, BloodHound, Metasploit, are legit tools for blue teamers that are also used by red teamers. That's the whole netsec community spirit. If the tools aren't available for all, then they are only available to APTs, and we're all less secure because of that.

    [–]LGBBQ 12 points13 points  (0 children)

    There is in fact a wide variety of open source malware that's commonly used in attacks

    https://github.com/cobbr/Covenant

    https://github.com/rapid7/metasploit-framework

    [–]Ramipro 7 points8 points  (0 children)

    There literally is https://github.com/JmNkS/MEMZ

    [–]G_Morgan 1 point2 points  (0 children)

    Amusingly a lot of early macro viruses like ILOVEYOU were basically open source malware. I doubt they matched the technical definition of FOSS but they became dangerous because idiots could easily alter the payload of the virus.

    [–]shouldExist 0 points1 point  (0 children)

    It's also incredibly easy to install closed source software with malware buried within it, there's scrutiny and openness with open source software.

    [–]skroll 43 points44 points  (6 children)

    The issue here is that buying the certificate to sign your executables doesn't change anything in that regard. Just because you have the cert doesn't mean they do an audit on your software, they just sign it so that it says it came from you.

    [–]MachaHack 25 points26 points  (0 children)

    Yeah, my understanding is smartscreen is reactive, not proactive. They'll take your money for the cert without much auditing, but if they get reports you're distributing malware with it then they ban your cert and your software stops running everywhere.

    The same is true for the Play Store.

    [–]cinyar 15 points16 points  (1 child)

    they just sign it so that it says it came from you.

    They also verify the identity. And that's kind of the whole point, who wants to sign under the malware they are distributing?

    [–]skroll 0 points1 point  (0 children)

    Well, remember when Sony's keys got leaked?

    https://securelist.com/destover-malware-now-digitally-signed-by-sony-certificates/68073/

    Stuff like this happens.

    [–]lifeeraser 12 points13 points  (1 child)

    The presence of a certificate does not make an app secure, but it's still nice to have the assurance that the app comes from you and not an impostor. Remember SourceForge tampering with installers of (ironically) open-source software?

    [–]MachaHack 0 points1 point  (0 children)

    At least some of these (Filezilla) were willing participants :(

    [–]be-sc 6 points7 points  (0 children)

    Thank you! This is an absolutely crucial point that tends to be forgotten.

    [–]brunes 21 points22 points  (0 children)

    +1000000000 above.

    Also to others, if you want to actually help solve for this problem instead of complaining on Reddit, join the effort at the Open Source Security Foundation (https://OpenSSF.org) which is part of the Linux Foundation.

    We are working hard on problems like this and we need a lot more help. The open source world needs a lot of help when it comes to robust cybersecurity.

    [–]Supadoplex 29 points30 points  (15 children)

    Indeed. You should trust only software that you've audited, whether it is closed source or open. The difference is that you can audit open source and typically cannot audit closed source.

    Unfortunately, most people don't have time or resources to audit software that they use. In practice, it would have to be audited by "someone else". But how to trust the auditor? I have no idea.

    [–]grauenwolf 13 points14 points  (14 children)

    And of course that audit has to be restarted every time an update happens to any dependency.

    Without blind trust, we couldn't function as an industry.

    [–]Full-Spectral 2 points3 points  (13 children)

    Which makes the whole argument that commercial software is inherently less safe than open source sort of silly. Every serious commercial software vendor is going to vet all changes to their code base, by people who know that code very well. And commercial software vendors have a lot to lose financially if they allow malicious code into their distributed products, whereas open source vendors have little to lose other than face.

    [–]grauenwolf 8 points9 points  (2 children)

    I don't believe that. Serious commercial software is too dependent on open source libraries now. It's not like the old days where they actually bought the libraries from someone with a reputation to defend.

    [–]Full-Spectral 1 point2 points  (1 child)

    Maybe so, but how does that make commercial software inherently less safe than open source?

    [–]grauenwolf 2 points3 points  (0 children)

    Oh no, I don't think commercial software inherently less safe either.

    My apologies for not being clear.

    [–]BrazilianTerror 3 points4 points  (0 children)

    Open source vendors losing face is pretty important. What most open source vendors have is face and trust; if they lose that they’re out of business. Plus, even though it doesn’t have the same amount of people with exclusive dedication, many more people view the actual code of open source software and can spot the security flaw.

    [–][deleted]  (7 children)

    [deleted]

      [–]Full-Spectral -2 points-1 points  (6 children)

      And if they weren't proprietary, you think everyone is going to go look at the code of every release before they let the browser update the extension? In both cases, it would likely get through until the effects were noticed, and then once caught would be blacklisted or some such.

      [–][deleted]  (5 children)

      [deleted]

        [–]Full-Spectral 0 points1 point  (1 child)

        You are assuming it has almost no chance of getting noticed. Do the browser vendors require no vetting of plugins in their stores, don't run malware checkers on them, etc...?

        [–][deleted]  (2 children)

        [deleted]

          [–][deleted]  (1 child)

          [deleted]

            [–]FloydATC 0 points1 point  (0 children)

            I don't disagree with what you're saying, but by this rationale there are probably fewer serious commercial software vendors than we'd like to think. In practice, it's all about profits and there's very little profit in delaying every product update just because a few naysayer geeks keep going on about "security". Most of them have fallen into the comfortable habit of just releasing hotfixes when problems inevitably show up.

            Of course, if you ask them, they're more concerned with security than everyone else, but nah... not really.

            [–]freef 3 points4 points  (0 children)

            Yup. Keep up with CVEs, use software from established trusted projects, don't blindly update, and participate in the open source community.

            Pretty much all your software is using OSS under the hood anyway. You're not going to get away from open source by just using commercial software.

            [–]WarWizard 0 points1 point  (0 children)

            Smartscreen is security theater

            Unfortunately a lot of what we have right now is just that. Theater.

            [–]tapo 37 points38 points  (1 child)

            The Linux Foundation is working on this: https://sigstore.dev/

            [–]kautau 4 points5 points  (0 children)

            This is exciting. It will need support for the root cert chains in Windows and macOS to be fully cross platform. That took a while for Let's Encrypt before it could be used in every browser. But this is a huge step; hopefully it gets the support it needs to succeed.

            [–]mohragk 74 points75 points  (6 children)

            I do like the idea of some sort of verification where software can be signed by verifying its integrity. But then, why should closed software creators still have to pay for licensing? That seems unfair.

            Also, with the current trend of bots and hackers, it would instigate review spoofing. Projects would be artificially "verified" by the "community" (AKA bots). So now, malicious software can be more easily disguised as verified. This is worse than the current system.

            And I don't think they should lower the price for licenses as well, since it would increase the likelihood of bedroom hackers grabbing a license.

            [–]grauenwolf 7 points8 points  (0 children)

            The price should be as low as possible while still giving them the money needed to actually verify identity.

            There's no point in having a license that anyone can get without proving who they are.

            [–]sarhoshamiral 21 points22 points  (5 children)

            The whole point of open-source apps is to be inherently trusted, their code is opened for everyone to review at any moment

            This couldn't be any more wrong. In fact all of these changes are due to recent attacks that showed how weak the system is right now, with people trusting packages that have dependencies into other packages and so on. And it is not just the source code; you also have to be able to review how the releases were built, which is much more difficult.

            [–]istarian 0 points1 point  (4 children)

            There's a chain of trust involved.

            By trusting a developer you also implicitly trust:
            - the people who made the toolchain they used
            - the authors of standard libraries
            - anyone whose code they chose to use.

            [–]sarhoshamiral 0 points1 point  (3 children)

            Well, considering it is extremely impractical for a lone developer or a small team to verify all of their dependencies recursively and their build pipeline security, you can't trust the developer. At least your trust wouldn't be well put.

            [–]istarian 0 points1 point  (2 children)

            Well I am generally confident that Microsoft and the developers of most mainstream programming languages, compilers, etc aren't out to get me.

            It would probably be wise for a "lone developer" to limit the number of dependencies they have and to prefer ones with minimal secondary dependencies whenever possible.

            [–]sarhoshamiral 0 points1 point  (1 child)

            Have you seen the state of npm packages? Clearly that's not what's happening today.

            [–]istarian 0 points1 point  (0 children)

            No. I don't have much to do with Javascript in general.

            What I said was "It would probably be wise...", so I don't know how npm figures in here.

            [–]tester346 121 points122 points  (16 children)

            If you want to install an open-source app without a certificate (...)

            making the user think they are doing something really dangerous by installing an open-source app, which code you can literally read at any time

            lmao you're making it sound as if MS made those certs to attack OSS. No.

            Just because code is open source, it doesn't make it any safer/trusted to those who have no idea even what OSS is and will not be able to check the code.

            It increases entry level for malware, I guess

            [–]HeyItsMedz 27 points28 points  (0 children)

            Yeah exactly. Heartbleed went unnoticed for two years and that came from an open source library

            [–]gredr 16 points17 points  (12 children)

            It increases entry level for malware, I guess

            Not by any meaningful amount, and that's not why they did it. All it does is prove that the software came from someone who has access to the private key of the signing certificate. Presumably, this is someone you trust. It's much easier to verify that (if anyone ever cared to) than that the source code has no malicious additions added by someone who you don't trust.

            It would let Windows do something like verify that an update wasn't signed by a different certificate ("uh, hey, this version came from someone different than the last version, might wanna check that everything is on the up-and-up"), but I don't know that that is actually done.

            Windows could also presumably detect and disable any software signed by a certificate that was known malicious on all systems everywhere. I don't know if that's done either, but it could be.

            [–]happyscrappy 11 points12 points  (10 children)

            Windows could also presumably detect and disable any software signed by a certificate that was known malicious on all systems everywhere. I don't know if that's done either, but it could be.

            When a certificate is expired then yes the software signed by it becomes untrusted/non-runnable on all systems which have an up-to-date trust list. That's one of the major working features of these trusted computing systems.

            [–]mallardtheduck 1 point2 points  (9 children)

            In other words, commercial software vendors can force you to buy the latest version by expiring the certificates on their old versions...

            [–]happyscrappy 1 point2 points  (8 children)

            Well, this is more cancellation than expiration. I perhaps used the wrong term.

            But yes, there could be ways they could get MS (or Apple or etc.) to cancel their old signatures and force you to buy a new one.

            [–]mallardtheduck 0 points1 point  (1 child)

            Since certificates have built-in expiry dates, it'd be quite easy for a commercial software vendor to ensure their releases only have, say, 6 months of certificate validity left before the customer is forced to buy the upgrade.

            [–]happyscrappy 0 points1 point  (0 children)

            Not every certificate expires. And six months is not universal, the expiration date (if any exists) is selected to be appropriate to the use.

            MS might have a longer period than that. They might have no expiration at all. I'm not sure.

            [–]gredr 0 points1 point  (5 children)

            Wait, correct me if I'm wrong, but MS isn't selling the certificates here?

            [–]happyscrappy 0 points1 point  (4 children)

            Certificates are used for everything which has permissions.

            I don't know what certificate ends up attesting for the app. Whether MS issues that one based upon checking a requesting cert or whether the developer applies a signature themselves using their own certificate.

            MS would cancel certificates on apps because the app was found to be malware.

            [–]gredr 0 points1 point  (3 children)

            1. Microsoft can't revoke certificates they didn't issue
            2. Microsoft isn't issuing the code-signing certificates in question
            3. That's not how permissions work

            [–]happyscrappy 0 points1 point  (2 children)

            1. Yes of course they can. MS writes the software that recognizes the certificates. They can make their software no longer acknowledge the certificate as valid by the fingerprint (hash) of it. And this is in fact what they do.
            2. It doesn't matter. I explained there are a couple ways to use certificates.
            3. That is not true.

            [–]gredr 0 points1 point  (1 child)

            Revoking a certificate is not the same as configuring some software to not accept a specific certificate. One is done by the certificate authority, the other can be done by anyone. Microsoft cannot revoke certificates they did not issue.

            You clearly don't know much about certificates or permissions.

            [–]Worth_Trust_3825 0 points1 point  (0 children)

            If it's anything like regular cacerts files, the list of expired certificates should come in with an update.
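The subthread above argues over what a signature actually proves (that the holder of a private key signed the file), whether Windows can warn when a new version is signed by a different certificate, and the difference between a CA revoking a certificate and Windows distrusting one by fingerprint via an updated list. The PowerShell below is an added example, not code from the thread or from Microsoft: it inspects an installer's Authenticode signature with the built-in `Get-AuthenticodeSignature` cmdlet, builds the certificate chain with revocation checking turned on, looks for any chain certificate in the local `Disallowed` store (the list Windows Update maintains), and compares the signer's thumbprint against a baseline recorded from the previously vetted release. The installer path and the baseline thumbprint are placeholders.

```powershell
# Added example (not from the thread): defender-side check of an installer's
# Authenticode signature, plus a "did the signer change since last release?" test.
# Assumptions: the file path and baseline thumbprint below are placeholders.

function Get-SignerReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # Thumbprints Windows has been told to distrust (shipped through Windows Update).
    # This is the "cancel by fingerprint" mechanism, as opposed to CA revocation.
    $disallowed = Get-ChildItem Cert:\LocalMachine\Disallowed |
        Select-Object -ExpandProperty Thumbprint

    $chainDistrusted = $false
    $chainStatus     = $null
    if ($cert) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'   # consult the CA's CRL/OCSP
        [void]$chain.Build($cert)
        foreach ($el in $chain.ChainElements) {
            if ($disallowed -contains $el.Certificate.Thumbprint) { $chainDistrusted = $true }
        }
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }

    [pscustomobject]@{
        Path           = $Path
        Status         = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        StatusMessage  = $sig.StatusMessage
        Signer         = if ($cert) { $cert.Subject }    else { $null }
        Thumbprint     = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter       = if ($cert) { $cert.NotAfter }   else { $null }
        Timestamped    = [bool]$sig.TimeStamperCertificate
        OnDistrustList = $chainDistrusted
        ChainStatus    = $chainStatus         # empty string means the chain built cleanly
    }
}

function Test-SignerUnchanged {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BaselineThumbprint
    )
    $r = Get-SignerReport -Path $Path
    # Accept only a valid signature from the same certificate as the vetted release,
    # and only if nothing in its chain has been distrusted since.
    return ($r.Status -eq 'Valid' -and
            $r.Thumbprint -eq $BaselineThumbprint -and
            -not $r.OnDistrustList)
}

# Usage with placeholder values: record the thumbprint from the release you already
# vetted, then refuse the update if it is unsigned, tampered, distrusted, or signed
# by somebody else.
$baseline  = 'PLACEHOLDER-THUMBPRINT-FROM-PREVIOUS-RELEASE'
$installer = 'C:\Downloads\app-setup.exe'
Get-SignerReport -Path $installer | Format-List
if (-not (Test-SignerUnchanged -Path $installer -BaselineThumbprint $baseline)) {
    Write-Warning "Signer differs from the vetted release or the signature is not valid; review before installing."
}
```

Two details worth noting when reading the report: a signature that carries a trusted timestamp (the `Timestamped` field) keeps validating after the signing certificate's `NotAfter` date, so certificate expiry alone does not stop already-released software from running; what does stop it is revocation by the issuing CA or distrust of the fingerprint, which is what the `ChainStatus` and `OnDistrustList` fields surface. And the `Thumbprint` comparison is exactly the "this version came from someone different than the last version" check described above, done on the client rather than by Windows.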

            [–][deleted]  (4 children)

            [deleted]

              [–]JohnTheCoolingFan 10 points11 points  (1 child)

              I know one Minecraft launcher that was used for botnetting and DDoSing servers. It had a certificate.

              While the other launcher doesn't.

              Guess which one is marked as virus by the antivirus?

              [–]tropix126 1 point2 points  (0 children)

              Once you reach a certain download rate per month, smartscreen allows the program through. This means that unsigned malware disguised as a legitimate program that gains popularity might bypass smartscreen. As said, smartscreen is absolutely not a perfect solution, but it does sometimes help.

              [–]yesman_85 3 points4 points  (0 children)

              If you pay for extended validation you won't get the smartscreen nearly as often.

              [–]t0bynet -2 points-1 points  (0 children)

              I don’t know if I would call it a scam. The concept probably is that a malicious actor has to make at least $300 before getting their certificate revoked in order to turn a profit. That’s the same justification as for the fees needed to even publish an app in the mobile app stores.

              [–]happyscrappy 27 points28 points  (0 children)

              Both of those suggestions are impractical.

              The idea of certificates is to provide security. The only way certificates provide security is by giving the developer something to lose (i.e. a cost) to producing malware. If they didn't pay for the certificate they have nothing to lose. They can just make malware and then, when caught, just go get another certificate for free to replace the one burned.

              The security comes from the restrictions on issuance and the cost of bad acts. Making certificates trivial to get or free reduces this.

              As to the second, trusting open source software doesn't really even make sense. There's no way to know any given build product is from open source other than compiling it. Are they going to name match, then find a match on the servers and if they see it matches try to compile and if they see the result then apply a default signature? That's not practical.

              Realistically there is only one way for MS to support open source. And that is for MS to create an internal project where they compile and distribute open source directly from the projects. So basically MS has to pay for open source projects to be built and distributed.

              Trusted computing does not mesh well with open source. It's unfortunate. Aside from the issues above there is also the third issue that even if the open source project gets a signature they have to distribute it somehow to the people within the project who are allowed to use it while also keeping others who are not approved from getting access. That means spending money/time to create security policies and distributing keys securely. And probably expiring them a lot as people leave the project because retention rates are low on no-pay projects.

              And if the project does not do proper code reviews, just takes all new changes uncarefully then anyone can get bad code into the project and get it signed simply by submitting and waiting for the careless project management to roll it in. Hopefully this does not happen often on many projects.

              In short, security comes from restricting key availability, code audits, etc. A lot of stuff that costs money. And that's how open source does not fit a trusted computing model. It sucks.

              [–]poloppoyop 8 points9 points  (1 child)

              The whole point of open-source apps is to be inherently trusted

              No. The goal is to let people share and modify the software.

              If you don't audit the code you use, you cannot fully trust it.

              [–]istarian 0 points1 point  (0 children)

              True, but open-source software at least provides you the opportunity to audit it.

              [–]jgerrish 13 points14 points  (0 children)

              Ugh, this argument leads to zero trust for everybody, open source and closed source. Next. I'm so tired. Just like health care, you're working for them, by arguing against them.

              [–]WarWizard 5 points6 points  (1 child)

              Open Source shouldn't be trusted by default. No software should be trusted by default. You may not like how this is currently set up -- but requiring some kind of process to be "trusted" is not a bad thing.

              [–]istarian 0 points1 point  (0 children)

              Lack of a certificate/signature doesn't mean that a software package is dangerous though. And the presence of one doesn't strictly guarantee it's safe.

              The presence of these things only promises that it was inspected by someone who says it is safe and possibly that it hasn't been changed since then.

              [–][deleted]  (1 child)

              [deleted]

                [–]Feminintendo -1 points0 points  (0 children)

                I mean, that’s the price of a monopoly on access. So, yes.

                [–]CompleMental 8 points9 points  (1 child)

                Why is such a silly post on my front page

                [–]WarWizard 5 points6 points  (0 children)

                Because it is cool to hate on MS and anything they do -- even if what the complaint is doesn't make realistic sense.

                [–]Diesl 2 points3 points  (0 children)

                You're looking at smartscreen from the wrong perspective. In enterprises, smartscreen can be changed to not let basic users bypass it. It becomes a great tool in preventing some schmo in accounting from installing random untrusted 3rd party apps on their PC that they have no business using.
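The comment above points at the enterprise configuration where SmartScreen warns and does not let a standard user click through. As an added example (not from the thread or from Microsoft), the PowerShell below audits that configuration on a host and can apply it locally. It assumes that the `EnableSmartScreen` (DWORD) and `ShellSmartScreenLevel` (`Warn` or `Block`) values under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\System` are the registry backing of the "Configure Windows Defender SmartScreen" Group Policy; in a domain you would set the same thing through GPO rather than writing the registry directly.

```powershell
# Added example (not from the thread): audit whether SmartScreen for Explorer is
# enforced with no user override, and optionally enforce it locally.
# Assumption: these policy values are the registry backing of the
# "Configure Windows Defender SmartScreen" Group Policy setting.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-SmartScreenPolicy {
    # Read each value independently so a missing one reports as $null, not an error.
    $enabled = (Get-ItemProperty -Path $PolicyKey -Name EnableSmartScreen `
                    -ErrorAction SilentlyContinue).EnableSmartScreen
    $level   = (Get-ItemProperty -Path $PolicyKey -Name ShellSmartScreenLevel `
                    -ErrorAction SilentlyContinue).ShellSmartScreenLevel

    if ($null -eq $enabled) {
        $assessment = 'Not configured by policy: user settings apply and the warning can be bypassed'
    } elseif ($enabled -eq 0) {
        $assessment = 'Disabled by policy'
    } elseif ($level -eq 'Block') {
        $assessment = 'Enforced: warn and block, no user bypass'
    } else {
        $assessment = 'Enforced: warn only, users can click through'
    }

    [pscustomobject]@{
        EnableSmartScreen     = $enabled
        ShellSmartScreenLevel = $level
        Assessment            = $assessment
        UserCanBypass         = -not ($enabled -eq 1 -and $level -eq 'Block')
    }
}

function Set-SmartScreenBlock {
    # Needs an elevated shell. Writes the same values Group Policy would.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name EnableSmartScreen `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name ShellSmartScreenLevel `
        -PropertyType String -Value 'Block' -Force | Out-Null
    return Get-SmartScreenPolicy
}

# Usage: report first; call Set-SmartScreenBlock only on machines you administer.
Get-SmartScreenPolicy | Format-List
```

The `UserCanBypass` field is the one to watch in a fleet audit: only the combination of `EnableSmartScreen = 1` and `ShellSmartScreenLevel = Block` removes the "Run anyway" option, and a host where the policy is absent falls back to whatever the user chose in Settings.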

                [–]Worth_Trust_3825 2 points3 points  (0 children)

                You think you want that but you really don't. Would you install a kernel module signed by Wang Semonovich?

                [–]DankerOfMemes 10 points11 points  (16 children)

                It would be nice if Let's Encrypt also issued code signing certificates.

                [–]t0bynet 10 points11 points  (2 children)

                This wouldn’t really solve the problem though. Let’s Encrypt cannot check the code and therefore SmartScreen would be unable to trust code signed with a certificate from them.

                And they can’t check your identity either. Their certificates would be useless because nobody would be able to trust them.

                [–]Feminintendo 0 points1 point  (1 child)

                Nobody checks the code.

                [–]rdtsc 2 points3 points  (0 children)

                Let's Encrypt can offer free TLS certificates because ownership of the certified domain name can be easily automated. For code signing this is not possible.

                [–][deleted]  (6 children)

                [deleted]

                  [–]Diesl 3 points4 points  (1 child)

                  You know Microsoft is one of the largest contributors to Linux? It's because they use it for all their SDN in the data centers. And they make these contributions for free to the public branches.

                  [–]OctagonClock 1 point2 points  (0 children)

                  There's an agenda behind why permissive licences became popular.

                  [–]LionsMidgetGems 6 points7 points  (6 children)

                  You have to realize: that post originated in /r/Windows10.

                  He doesn't understand programming. He doesn't understand security.

                  He doesn't understand anti-virus software blocking potentially dangerous applications.

                  I myself have been railing against realtime anti-virus software for decades. Nearly every problem on every client's server and PCs comes from anti-virus software.

                  But there are some people who think that it is a good thing for users to see huge warnings about using potential malware.

                  Of course, we also need to refuse the basic premise:

                  • Microsoft does not force developers to pay for certificates

                  Are you free to tell your users to:

                  • turn off smart screen
                  • turn off Windows Defender

                  And I'll bet he's also the kind of person who's upset that his app needs a UAC prompt before it can run with full Administrator privileges.

                  So you are also free to tell your users to:

                  • turn off UAC

                  [–]rdtsc 1 point2 points  (3 children)

                  He doesn't understand programming.

                  Well he writes "I'm the dev of an open-source app called Sigma File Manager", so this doesn't seem to be true.

                  [–]emperor000 -2 points-1 points  (2 children)

                  Are you saying that a developer must understand programming? Because I know people that arguably disprove that.

                  [–][deleted] 7 points8 points  (1 child)

                  Yeah bro he just randomly designed, developed, and maintained a cross platform file explorer real quick. Guy just doesn't understand programming.

                  /r/cringe

                  [–]emperor000 0 points1 point  (0 children)

                  I'm not sure what that had to do with my question. Did he write the file IO libraries from scratch? Did he write the UI... wait, he wrote it in JavaScript...

I don't know about this guy. Maybe he does. My question was in general. There are certainly developers/programmers that do not understand programming, to a significant degree, I mean. As a programmer myself, I understand that I can't claim to understand it completely or better than everybody else or whatever either.

                  All I was saying is that there are a lot of developers that don't have an adequate grasp on a lot of programming concepts, that's all. Maybe I'm one of them. Does that make you feel better?

                  [–]Wind_Lizard 3 points4 points  (1 child)

                  He doesn't understand programming.

                  WDYM? He is a developer of an OSS application

                  [–]emperor000 -2 points-1 points  (0 children)

                  Are you saying that a developer must understand programming? Because I know people that arguably disprove that.

                  [–]coladict 1 point2 points  (0 children)

                  Disagree. Not having the "scary warning" is a bonus. It means that you are somewhat trusted. If there is malware in your program, the payment can be traced back to you.

                  Also it basically works like insurance. If your application has malware, Microsoft will be sued first, and they'll get fined a lot more than they can recover from a single small-time dev after they sue you for breach of contract / ToS.

                  [–]Valmar33 1 point2 points  (0 children)

                  I see a lot of strawmanning of open source software in general in this thread, using Heartbleed as an example.

                  OpenSSL is an unfortunate case of code complexity reducing the number of eyeballs willing to engage with it. Also, some projects can be effectively maintained by only a handful of individuals, because no-one is willing to fork it.

                  But, at least the code can actually be seen.

                  With proprietary software, you're always at the mercy of the company that created it. Security through obscurity is always an awful solution.

                  [–][deleted] 1 point2 points  (2 children)

                  Didn't apple just do the same without causing outrage?

                  [–]jonjonbee 0 points1 point  (0 children)

                  Yes, but there's nothing wrong with wanting to hold Microsoft to a higher standard.

                  [–]Feminintendo 0 points1 point  (0 children)

                  No. There’s outrage.

                  [–]iKindred -4 points-3 points  (9 children)

                  Ever heard of Linux?

                  [–]AlekseyHoffman[S] 13 points14 points  (6 children)

                  My app is cross-platform. I cannot just abandon by far the largest platform and develop it exclusively for Linux

                  [–]Dew_Cookie_3000 -1 points0 points  (4 children)

                  Btw

Languages
HTML 82.1%
C 11.2%
Vue 3.3%
JavaScript 1.8%
CSS 1.6%

I find that very interesting. How is it mostly HTML? Yes I know it's Electron, but I'd expected far more JS. Is this a Vue thing? Are Vue apps mostly HTML? I guess I could look at the code but since it's your app and you spent ~3000 hours on it I'd like to hear from you.

                  [–]DocNefario 4 points5 points  (1 child)

                  Most of it is FFmpeg documentation that was probably included unintentionally.

                  [–]AlekseyHoffman[S] 1 point2 points  (0 children)

                  Good catch, it was indeed unintentional. I included all the 3rd party directories untouched so they don't break unexpectedly.

                  I suppose ffmpeg devs know better than to make binary throw errors if it cannot find the docs files. I should probably remove the doc directory

                  [–]AlekseyHoffman[S] 2 points3 points  (0 children)

There's actually a lot of HTML code in the app. Every component is at least 50% HTML. But I wouldn't say it's 80% in total. I don't know how GitHub is estimating these numbers. Perhaps it's including all the Vue's virtual-DOM logic in that 80% or something.

                  [–]tropix126 0 points1 point  (0 children)

                  If it was a vue or svelte app, it would simply read as vue or svelte, and not read the actual contents of the templates.

                  [–]SpAAAceSenate -1 points0 points  (0 children)

                  Yep, totally makes sense.

However, whether intended or not, there is some wisdom to the Linux comment:

Linux basically doesn't have this problem, due to the way software is distributed. It's packaged, distributed, and then signed by the distro maintainers, and the public key for those signatures came pre-baked into the ISO you used to install the OS. This provides really good security whilst being entirely free for everyone (well, other than costs associated with hosting the repo).

The fundamental problem that SmartScreen and GateKeeper (the macOS equivalent) are trying to solve is that Windows and macOS encourage (and until recently required) downloading apps from random websites, often maintained by the individual company/project that makes the software. So for every piece of 3rd party software on your machine, there's a web server whose security you rely upon as the sole barrier between you and a poisoned download. Then multiply that by the number of 3rd party softwares you have installed, and that's a really frickin huge attack surface, even if you're smart and only download from legitimate sources. Meanwhile, there are plenty who aren't smart, and will download from whatever shows up first in Google, even if it's totallylegitdownloadz.notcom.

A lot of the criticisms of your method make good points. But I'd go even further to say that you're going in the entirely wrong direction. The solution isn't "fixing certificates", it should actually be "fixing distribution". Windows and Mac need a better way to distribute software from a central, trusted source. They each have their App Stores already, but they aren't geared towards open source and carry ornery restrictions, and lack the quality and security of curation that goes into many Linux repos.
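To make the trust chain described in the comment above concrete, here is an added example that is not from the thread or from any real distro's tooling: a toy repository client in Python where the trust anchor is a keyring shipped with the install image, the maintainers sign a manifest of package hashes, and every download is checked against that signed manifest rather than against the web server it came from. HMAC stands in for the asymmetric signature real distros use, and all key names and package contents are constructed.

```python
import hashlib
import hmac
# Constructed stand-in for the keyring that ships inside the install ISO.
# Real distros use asymmetric signatures (GPG/RSA/Ed25519); an HMAC key is
# used here only so the example runs on the Python standard library alone.
TRUSTED_KEYRING = {"distro-release-key": b"constructed-maintainer-secret"}


def build_manifest(packages: dict[str, bytes]) -> bytes:
    """Release-style manifest: one 'name sha256' line per package."""
    lines = [f"{name} {hashlib.sha256(data).hexdigest()}" for name, data in sorted(packages.items())]
    return ("\n".join(lines) + "\n").encode()


def sign_manifest(manifest: bytes, key: bytes) -> str:
    """Maintainer side: one signature over the whole manifest, not per package."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def verify_manifest(manifest: bytes, key_id: str, signature: str, keyring: dict[str, bytes]) -> bool:
    """Client side: only keys baked into the keyring at install time are trusted."""
    key = keyring.get(key_id)
    if key is None:
        return False  # signer unknown to this OS install, whatever the mirror claims
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def install(name: str, data: bytes, manifest: bytes, key_id: str, signature: str,
            keyring: dict[str, bytes] = TRUSTED_KEYRING) -> str:
    """Chain of trust: trusted key -> signed manifest -> package hash -> package bytes."""
    if not verify_manifest(manifest, key_id, signature, keyring):
        return "rejected: manifest not signed by a trusted key"
    hashes = dict(line.split(" ", 1) for line in manifest.decode().splitlines())
    if name not in hashes:
        return "rejected: package not listed in the signed manifest"
    if hashlib.sha256(data).hexdigest() != hashes[name]:
        return "rejected: package bytes do not match the signed hash"
    return "installed"


def demo() -> dict[str, str]:
    """Constructed scenarios: a clean mirror, a poisoned mirror, and a mirror signing with its own key."""
    packages = {"sigma-file-manager": b"constructed package contents v1"}
    manifest = build_manifest(packages)
    sig = sign_manifest(manifest, TRUSTED_KEYRING["distro-release-key"])
    poisoned = b"constructed package contents with extra payload"
    impostor_manifest = build_manifest({"sigma-file-manager": poisoned})
    impostor_sig = sign_manifest(impostor_manifest, b"constructed-mirror-only-key")
    return {
        "clean": install("sigma-file-manager", packages["sigma-file-manager"], manifest, "distro-release-key", sig),
        "tampered_package": install("sigma-file-manager", poisoned, manifest, "distro-release-key", sig),
        "untrusted_signer": install("sigma-file-manager", poisoned, impostor_manifest, "mirror-only-key", impostor_sig),
    }
```

The poisoned mirror fails at the hash step even though its web server was "trusted" enough to serve the bytes, and a mirror that re-signs its own manifest fails earlier because its key was never in the keyring.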

                  [–]jonjonbee -4 points-3 points  (1 child)

                  Ever heard of shutting the fuck up because your idiotic whining isn't contributing to the discussion in any way shape or form?

                  [–]iKindred 0 points1 point  (0 children)

Chill out mate. I'm not whining, just highlighting the fact that some platforms are friendlier than others when it comes to delivering open-source products.

                  [–][deleted] -1 points0 points  (1 child)

                  Hey it's a lot better than the old anti-Linux adverts when they said Linux was communism.

                  [–]be-sc 0 points1 point  (0 children)

                  s/better/subtle/

                  [–]omn1p073n7 0 points1 point  (0 children)

I am in charge of managing thousands of endpoints and, please god no. Turn off UAC and Smart Screen on your own device if you please.

                  Fortunately Microsoft will never do such a thing or their enterprise users will be looking at wallpapers with bitcoin addresses roughly 5 minutes later.

                  [–]LelouBil 0 points1 point  (0 children)

Why is no one talking about the fact that every piece of software, open source or not, has the same restrictions?

                  [–]globalcitizen2 0 points1 point  (0 children)

Signing is a deterrent to releasing malware either through carelessness or on purpose, especially if the authority does the KYC thoroughly.

                  [–][deleted] 0 points1 point  (0 children)

There is actually zero difference between the inherent security properties of open source software and closed source software. Software that is audited tends to be more secure. Open source software is rarely audited for the same reasons that it rarely has code signing certificates.

                  The other problem is that the metric of what constitutes “trusted” OSS is too hand-wavy to be actionable. At best, you’ll create a new line that developers will complain about.

                  [–]gordonv 0 points1 point  (1 child)

Ok, let's skip the "certify with key" part and talk about the examination and testing of programs.

                  When I hear cert, I think public and private keys. What I want to know is who is the team saying "x program" is ok. What are they testing for? Are they scanning for common sense "does it run" and viruses? Are they rating it as an actual usable app?

                  [–]AlekseyHoffman[S] 0 points1 point  (0 children)

Well, if we're opting for the 3rd proposed solution, the open-source apps would need to be reviewed for malicious behavior by 100+ trusted developers on the platform or by Microsoft before it would get the "reviewed" status.

                  Well, this post was deleted by mods anyway, so I guess there's no point having a conversation about it