I've had to remove all binary software downloads from my website because they are being falsely flagged. I wrote about the issue in more detail here:

@byuu Thank you for sharing.

The wording in the feedback from Google is interesting, "Secure your site from any future attacks. Identify and fix vulnerabilities that caused your site to be compromised" - as if it is an absolute fact that your site was compromised when it's actually just Google mislabeling it. It would be interesting to know just how common it is for them to deem any "unknown" .exe file to be malware with zero checks to see if it actually is.

@byuu "we found a file on your server that was not commonly downloaded"

I guess I should just download it more times, then? What the fuck does that even mean as a warning? Is Google upset that you're not distributing pirated software from some popular company or something?

Asking to confirm, @absturztaube, are we blocked by, or is @byuu blocking me?
Either way, I'm starting to despise his deceptiveness.

@IRC @absturztaube I didn't block you. Signing my binary with GPG doesn't do anything to solve the specific problem I'm having. I thought it would be rude to say that so I just didn't say anything. I appreciate the suggestion all the same though.

@IRC @absturztaube Anyway, Japan is really great, thank you. New Year's is especially fun with the end-of-year izakaya hopping, Comiket, and shrine visits. I'll throw up some more pictures in the coming days.

@byuu ah, np, but it does:
I have been forced to do so in, so even the antivirus mafia can't say my builds aren't mine.
It's no trouble, I just laughed because:
And have fun! Comiket 96 was indeed a blast this year ;)

@absturztaube thanks.

@IRC @absturztaube The thing is, I can't use signtool with a GPG key, it won't be recognized as a valid signature. I'd have to pay $70 a year to Digicert or Comodo and doxx myself, or pay $400 a year to get a certificate in my business name.

@byuu or, you can self-sign your own CA like Google does.
The point I'm getting across is, nobody can prove your website and files are even yours. You're already using AlphaSSL and Positive SSL on your domains, it costs nothing with Let's Encrypt, if you even want to trust them.
Take false flags as an opportunity to increase your credibility as a software provider, and maybe add some security. I've long signed off the clearnet, and I can't wait for ICANN & DNS to crash with all the bad acting.
See as a contemporary on how you should serve documents in this post-quantum era.

“If code signing is a requirement to distribute free software, then we need a Let’s Encrypt-style alternative for code signing — yesterday.” — @byuu

@byuu so all of your software is now non-binary? What are their pronouns xD

.......isn't the standard way to distribute FOSS binaries to make some kind of 3rd party apt repo?

that way you can automatically distribute updates, & i think for legitimacy you really only need to use gpg signing

(personally i'd probably just use a gitea repo's releases tab because it's a single place to upload the source & stable versions without fiddling with website code)

@valenoern This is just for Windows binaries, so no repository unfortunately.
