tibold / svg-explorer-extension

Extension module for Windows Explorer to render SVG thumbnails, so that you can have an overview of your SVG files

Why did the installer size increase that much? #51

Open GitMensch opened 4 years ago

GitMensch commented 4 years ago

0.1.1 = 4.05MB vs. 1.0.0 = 20.4 MB

maphew commented 4 years ago

I think it's because the VC 2017 Runtime is included now.

tibold commented 4 years ago

We can do a diff, 7zip should be able to extract files from the installers. I think @maphew got it right, plus we also upgraded from Qt4 to Qt5.

GitMensch commented 4 years ago

Yes, I've just seen that the runtime is included - I urge you to undo this, especially as the installer does a system reboot without any user interaction.

tibold commented 4 years ago

I'm not sure if we can remove the vcredist. As far as I know it is a functional dependency without which the DLL cannot be loaded. It is not supposed to do a system reboot though. I'll check on that.

GitMensch commented 4 years ago

Isn't it possible to build (at least on Appveyor) with MinGW? Doing so would remove the need for any dependency but Qt (I just hope here that they don't need the vcredist).

maphew commented 4 years ago

7zip v19.0 can't open the installer .exe.

yenlui commented 4 years ago

So basically, I've installed it just now and I've had to restore my system because it installed a Trojan. Pretty sure it's the reason for the size ...

tibold commented 4 years ago

@yenlui, What makes you think you got a Trojan?

yenlui commented 4 years ago

13 threats detected right after installation, including some named Trojan and others named bitcoin miner

and that's the only thing I've installed in the last 2 weeks

maybe the vcredist dep you've added is corrupted, else the packager, but it's clearly because of the installation of the tool

tibold commented 4 years ago

Could you verify the hashes for the installers? Also do you happen to have the reports?

yenlui commented 4 years ago

I don't have hashes right now and I've cleaned everything as quickly as possible, but the link for the download was directly redirected to: https://github-production-release-asset-2e65be.s3.amazonaws.com/97976246/c3f8fc00-2cec-11ea-8cb0-6fc148307f21?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A/20200113/us-east-1/s3/aws4_request&X-Amz-Date=20200113T213639Z&X-Amz-Expires=300&X-Amz-Signature=33a45b58502a6b1ee0faa5ef142e87a7c7601d0c74d2d1a86d7cd6d75ed18f2b&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment;+filename=svg_explorer_extension_x64.exe&response-content-type=application/octet-stream

So it sounds like something stored on Amazon S3 (which should not be the case I guess)

tibold commented 4 years ago

@yenlui, I double checked the installers and there is no evidence that they would contain any malware. The hashes are correct, I myself use it on several systems and the VirusTotal report is clean too: https://www.virustotal.com/gui/file/41ffc71789830720d465576dfdc8ec235f9464eec5c96d72f1a8d215676125a1/detection

Unfortunately there is not a lot I can do here to help you. We have seen antivirus software reporting false positives on this tool over the years. See #43 for one example. The Amazon S3 URL looks fine. I've not looked into where GitHub stores assets, but S3 would be a fine place.

Another scenario that may happen, since the installers are not signed, is for malware to be injected into the installer after download. This may be verified using the hashes and we have a task, #50, to provide PGP signatures until digital signatures are available.

What we can do is to submit the installer to the antivirus provider for analysis. What anti virus software are you using?
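
The hash check asked for in the comment above, as an added example that is not part of the thread or the project's code: it compares a downloaded installer against a published SHA-256 list and treats a missing entry as unverified. The function names, the checksum-list format (sha256sum style) and the stand-in file contents are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import tempfile

# One line of a sha256sum-style list: 64 hex chars, whitespace, optional '*', file name.
LINE_RE = re.compile(r"([0-9a-fA-F]{64})\s+\*?(.+)")

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a ~20 MB installer is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_checksums(text):
    """Turn a published checksum list into {file name: lowercase hex digest}."""
    table = {}
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        match = LINE_RE.fullmatch(line)
        if match is None:
            raise ValueError(f"malformed checksum line: {line!r}")
        table[match.group(2)] = match.group(1).lower()
    return table

def verify_installer(path, checksums):
    """Return True only when the file's digest equals the published one.
    A file with no published entry counts as unverified, not as clean."""
    expected = checksums.get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)

def demo():
    """Constructed stand-in installer, checked before and after bytes are appended."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "svg_explorer_extension_x64.exe")
        with open(path, "wb") as fh:
            fh.write(b"MZ constructed stand-in, not the real installer")
        checksums = parse_checksums(f"{sha256_file(path)} *{os.path.basename(path)}\n")
        as_published = verify_installer(path, checksums)
        with open(path, "ab") as fh:  # simulate modification after download
            fh.write(b"injected")
        after_change = verify_installer(path, checksums)
    return as_published, after_change

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the channel the checksum list came from; a list fetched from the same place as a replaced installer proves nothing, which is why the thread mentions signatures as the follow-up.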

yenlui commented 4 years ago

Thanks for the effort, I don't actually need help, everything back to normal after McAfee (which is the one I use) quarantine + W10 restoration point.

Hope I'm the only one having this kind of trouble, and also sorry for having polluted this thread as it seems it's not the cause of the .exe size increase.

I've found another way of previewing SVG (in my vscode, with an add-on) so I think I won't try and reinstall your tool, but good reactivity ;)

GitMensch commented 4 years ago

... and verify what you've downloaded, I've installed the 64 bit version coming from the GH release page and found no Trojan.

GitMensch commented 4 years ago

@tibold Where are we now here? Can we have an installer with the redist included (ideally not doing a restart without asking) and, more importantly, an installer without any redist included?

tibold commented 4 years ago

@GitMensch, I have fixed the installer not to request a reboot in 86a87587670da6d00ec9857b11831bb030faf63a

It is possible to build an installer without the vcredist, however the vcredist included must be installed on the target system for the DLLs to load properly. If you happen to have the vcredist installed already all is fine, but otherwise it wouldn't work.

Considering that the installer is ~20MB I don't think it is worth the hassle trying to explain when to download which installer. Instead our switching to cairo (#44) would hopefully reduce the size of the dependencies.

GitMensch commented 4 years ago

Switching to cairo will remove the dependency on Qt; as this is a huge package this is reasonable and useful in any case. But to remove the VC dependency we'll additionally have to switch the "default" build and the installer to MinGW. As long as this is finished: please have two installers available. As soon as this is done it would be a good time to have 1.0.1 released ;-)

tibold commented 4 years ago

I tried to set up a MinGW build, but it doesn't like the Windows API headers, see #59

GitMensch commented 4 years ago

So we do have a 1+ release which is good. The installer size is still that big. Question @tibold: can you provide two binaries - one with and one without the vcredist included?