Closed xparq closed 10 months ago
That's a false positive. If you're worried, with a bit of effort you can verify for yourself that this make.exe is at least as trustworthy as the upstream projects. The GNU Make build is deterministic, so following the instructions in #79 you can build a make.exe from source, bootstrapped through Debian's toolchain, with all inputs cryptographically traced back to their upstream projects (GNU, etc.). You will get a binary that is bit-for-bit identical to my binary release. For the current w64devkit (1.20.0), which is built from GCC 13.2, the 32-bit make.exe SHA-256 is:
3ae005d094870bd11eb574f05c21a25a1b6832e76c44a370290051b4cdb71642
Virus scanners tend to have high false positive rates for 32-bit binaries, probably because there has been in general much more 32-bit malware and so there's more opportunity for collisions.
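The check described in the comment above, as an added example (not part of the thread and not the project's own tooling): hash the downloaded `make.exe` and a locally rebuilt one, then compare both against the published digest. The function names, exit codes and file paths are assumptions, and a `sha256sum` command is assumed to be on the PATH; the build steps from #79 are not reproduced here.

```shell
#!/bin/sh
# Published SHA-256 of the 32-bit make.exe in w64devkit 1.20.0 (quoted in the thread).
PUBLISHED=3ae005d094870bd11eb574f05c21a25a1b6832e76c44a370290051b4cdb71642

# Print the lowercase hex SHA-256 of a file; return 2 if it cannot be read.
# Reading from stdin avoids sha256sum's escaped output for odd file names.
sha256_of() {
    [ -f "$1" ] && [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    sum=$(sha256sum < "$1") || return 2
    printf '%s\n' "${sum%% *}"
}

# verify_make RELEASE_EXE REBUILT_EXE [EXPECTED_HEX]
# Exit codes (hypothetical convention for this example):
#   0  release and rebuild both match the expected digest
#   1  the downloaded release binary does not match the expected digest
#   2  a file is missing or unreadable
#   3  the local rebuild is not bit-for-bit identical to the release
verify_make() {
    expected=$(printf '%s' "${3:-$PUBLISHED}" | tr 'A-F' 'a-f')
    rel=$(sha256_of "$1") || return 2
    reb=$(sha256_of "$2") || return 2
    echo "published: $expected"
    echo "release  : $rel"
    echo "rebuilt  : $reb"
    if [ "$rel" != "$expected" ]; then
        echo "FAIL: downloaded binary is not the published one" >&2
        return 1
    fi
    if [ "$reb" != "$rel" ]; then
        echo "FAIL: local build is not bit-for-bit identical" >&2
        return 3
    fi
    echo "OK: release and local rebuild both match the published digest"
}

# Usage: sh verify.sh path/to/release/make.exe path/to/rebuilt/make.exe
if [ "$#" -ge 2 ]; then
    verify_make "$1" "$2"
    exit $?
fi
```

A result of 1 means the file on disk is not the release the digest refers to; a result of 3 means the download is genuine but the local build differed, which points at the build environment rather than at the release.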
Thanks!
_(Sidenote: the Windows Security UI doesn't allow seeing/copying it as text -- you even have to engage in some bizarre courtship for just making it show these "details" at all...)_
w64devkit 1.20.0

Unpacking the 64-bit version, or an earlier gcc12 version (both 32/64) didn't trigger it.
I'm almost completely sure it's a false positive, but I'd prefer to be just completely sure, hence this heads-up here.