Xpra-org / xpra

Persistent remote applications for X11; screen sharing for X11, MacOS and MSWindows.
https://xpra.org/
GNU General Public License v2.0

Provide binary downloads as attachments to Github Releases #3640

Closed gdevenyi closed 1 year ago

gdevenyi commented 1 year ago

Instead of providing downloads from a potentially compromisable host (xpra.org), you can attach official binaries to the Github releases for download.

https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository

totaam commented 1 year ago

I very much doubt that we can attach hundreds of gigabytes to github. That's the size of the download directory. To compromise xpra.org, one would need to compromise my systems, at which point they could also publish compromised binaries to github.

gdevenyi commented 1 year ago

Sure, I don't think it makes sense for the linux stuff, but for OSX and Windows, it may convince the security scanners that the software isn't so scary.

totaam commented 1 year ago

The problem with the scanners is their new smart "AI" scanning which sees things like keylog (shorthand for keyboard logging) in the xpra source and then decides that this is malware. The APIs that we use are also the same that real malware use: capturing keyboard input, watching the screen etc. I don't think that the download URL is used by the virus scanners at that point.

totaam commented 1 year ago

The proper way to bypass the anti-virus nonsense is probably to go via the appstore for MacOS (#1366) and MS Windows (#3923).