Windows security check issues from UV 0.5.1 to 0.5.2.

FishAlchemist commented 4 days ago

winget-pkgs

https://github.com/microsoft/winget-pkgs/pull/190127
https://github.com/microsoft/winget-pkgs/pull/191664
PyPI
https://github.com/astral-sh/uv/issues/9143

Scan by VirusTotal
Version 0.5.1 (Releases)
- x64 Windows
- x86 Windows
  - uv0.5.1-i686-pc-windows-msvc.zip
  - uv.0.5.1-i686-pc-windows-msvc.exe
  - uvx0.5.1-i686-pc-windows-msvc.exe
    
    I think it's because of the use of self-replace(https://github.com/astral-sh/uv/pull/8914). This kind of self-updating behavior, if not digitally signed, can easily be mistaken for a virus.

Microsoft actually provides a channel to upload files for analysis. https://www.microsoft.com/en-us/wdsi/filesubmission

zanieb commented 4 days ago

@charliermarsh Is the self-replace behavior worth dealing with this?

charliermarsh commented 4 days ago

What’s your opinion?

zanieb commented 4 days ago

I'm not sure. The whole "remove uv with uv" objective feels a little surprising to me. We can see if they fix this false positive before the next release?

charliermarsh commented 3 days ago

Yeah, it's a little surprising. I think it's even worse that it fails (probably not that controversial), but it's probably not worth what we're seeing here. Maybe we tear it out and just give a better error than before?

charliermarsh commented 3 days ago

@mitsuhiko -- Any opinion here?

astral-sh / uv

Windows security check issues from UV 0.5.1 to 0.5.2. #9144

winget-pkgs

PyPI

https://github.com/astral-sh/uv/issues/9143

Scan by VirusTotal

uvx0.5.1-i686-pc-windows-msvc.exe