HinTak / Font-Validator

Font Validator is a tool for testing fonts prior to release. This testing ensures that fonts meet Microsoft's high quality standards and perform exceptionally well on Microsoft's platform.

user report downloads contain virus #28

Open HinTak opened 7 years ago

HinTak commented 7 years ago

Re-visit/investigate at some point in the future:

http://www.typophile.com/node/126470 from user Chris Hopkins

Pomax commented 7 years ago

I can still highly recommend using the github release concept, rather than sourceforge, which still has zero problems slipping "not your files" into their installers =)

HinTak commented 7 years ago

@Pomax Well, FontVal 2.1's binaries are on github, and will be from here onwards, simultaneously - if there is a FontVal 2.2, that is. Sourceforge is 17(?) years of familiarity despite its flaws, compared to me being on github for less than 2 years. Perhaps github is just too young to develop flaws and annoyances ;).

Pomax commented 7 years ago

Not as young as you might think - github's been around for almost 10 years now =)

The main reason I'd recommend leaving sourceforge (even for older releases) is really more because this is a known issue with sourceforge: it has been in the news multiple times in the last few years exactly for this, slipping their own programs, as well as malware and virus payloads, into their installers.

HinTak commented 7 years ago

Yes, I have read up about the sourceforge issue. I haven't used it actively much lately and have not experienced any issue first-hand, so good feelings from old times die hard... or do not die...

When I posted to typedrawers for 2.1, I put the github url first before the sourceforge one. The github download area is certainly easier for non-tech people. I'll slowly adjust... give me time, old dogs and new tricks, you know ;)

Pomax commented 7 years ago

yeah, it's a weird sourceforge quirk due to the large number of servers they use - not every server is "compromised" even when someone downloads an archive that clearly has a trojan or the like in it. It's a bit as if Linux distribution locations didn't sync: every sourceforge server has its own copy of the files, but unlike linux distro locations, none of them do upstream sync/verification, or even with each other, to make sure the payloads are identical and match the official hashes... so unless you're basically sitting next to your reporting user, the chances of getting the same file are almost zero =(
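The mirror problem described above has a straightforward defender-side check: hash each downloaded copy and compare it with the hash the maintainer publishes alongside the release, so a diverged mirror copy is caught before it is run. This is an added example, not code from the Font-Validator repository or from anyone in this thread; the mirror names and archive bytes are constructed stand-ins.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample: the release archive as the maintainer published it,
# and the same file as served by three hypothetical mirrors. "mirror-c"
# serves a copy whose bytes differ from the official release.
OFFICIAL_RELEASE = b"FontVal-2.1-release-archive-bytes"
MIRROR_COPIES = {
    "mirror-a": b"FontVal-2.1-release-archive-bytes",
    "mirror-b": b"FontVal-2.1-release-archive-bytes",
    "mirror-c": b"FontVal-2.1-release-archive-bytes\x00EXTRA-BYTES",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory file."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 hex digest of a file on disk, read in chunks (large archives)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_published(data: bytes, published_sha256: str) -> bool:
    """True only if the downloaded bytes hash to the maintainer's published value."""
    # Constant-time comparison avoids leaking how many leading hex chars matched.
    return hmac.compare_digest(sha256_hex(data), published_sha256.strip().lower())


def audit_mirrors(copies: Dict[str, bytes], published_sha256: str) -> Dict[str, List[str]]:
    """Sort mirrors into those whose copy matches the published hash and those that diverge."""
    result: Dict[str, List[str]] = {"matching": [], "diverged": []}
    for name, data in sorted(copies.items()):
        bucket = "matching" if verify_against_published(data, published_sha256) else "diverged"
        result[bucket].append(name)
    return result


if __name__ == "__main__":
    published = sha256_hex(OFFICIAL_RELEASE)  # what the maintainer would post next to the release
    print(audit_mirrors(MIRROR_COPIES, published))
```

A user reporting a bad download can send the digest of their copy; if it is not in the published list, the mirror that served it is the one to look at.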