Reply to topic

Avast blocks Neon images

raddison
Registered Member
Posts
513
Karma
0

Re: Avast blocks Neon images

Tue Jan 24, 2017 10:08 am
scummos wrote:
raddison wrote:Agreed. However, some Windows users (and wannabe Neon users) can't use that method without a third party app. And that app is more of a headache than anything else.

I think a SHA256 would be beneficial if hosted on a Ubuntu secure server and would practically cure my headache.

I think the problem is that the KDE mirror network can't use SSL, because SSL doesn't work well with distributed mirror networks, and thus providing SHA sums is not very useful ... GPG signatures, on the other hand, rely on a different path for verification of the key trust, and thus are useful even if both image and signature come from an unreliable source.

I guess people should consider distributing checksums with their release announcements, be it by email or blog.



The gpg method is just fine if one is on Linux. If one is (still) on Windows, it's a headache.

A SHA256 posted by the builder on this very forum should do the job just fine. Just an example though.

A double blind method is recommended when "visting" a checksum.

False positives are likely to occur quite frequently. It's just that it never happened to me before (at least not in conjunction with Neon).

https://youtu.be/6WuTNMleuQI

Best wishes community,
Richard Addison


Proud to be powered by Plasma
User avatar scummos
Global Moderator
Posts
1138
Karma
7
OS

Re: Avast blocks Neon images

Tue Jan 24, 2017 9:22 pm
raddison wrote:False positives are likely to occur quite frequently.

False positives occur frequently because, frankly, heuristic antivirus software is complete nonsense. ;)


I'm working on the KDevelop IDE.
User avatar compatico
Registered Member
Posts
87
Karma
0
OS

Re: Avast blocks Neon images

Wed Jan 25, 2017 5:06 am
scummos wrote:False positives occur frequently because, frankly, heuristic antivirus software is complete nonsense. ;)

Good answer! :)

When I used Windows, I always disabled antivirus heuristics...it would trigger false positives and not catch all sorts of new junk out there. Since switching to linux, no more worries. ;D ;D ;D
nalvarez
Registered Member
Posts
6
Karma
0
OS

Re: Avast blocks Neon images

Wed Jan 25, 2017 6:22 am
scummos wrote:I think the problem is that the KDE mirror network can't use SSL, because SSL doesn't work well with distributed mirror networks, and thus providing SHA sums is not very useful ... GPG signatures, on the other hand, rely on a different path for verification of the key trust, and thus are useful even if both image and signature come from an unreliable source.

We're actually considering SSL. The important factor here is: will modern browsers complain if files.kde.org with SSL redirects to a mirror without SSL?
raddison
Registered Member
Posts
513
Karma
0

Re: Avast blocks Neon images

Wed Jan 25, 2017 10:06 am
scummos wrote:
raddison wrote:False positives are likely to occur quite frequently.

False positives occur frequently because, frankly, heuristic antivirus software is complete nonsense. ;)



Hi,

I agree on the fact that heuristics is nonsense. Moreover, I think the very concept of "antivirus" is obsolete (any platform). Some people are working on implementing other concepts. Not there yet though.

It seems Avast have solved their issue but chances are it'll come back. At any rate, can someone confirme they don't detect anything malicious in the images?

Best wishes community,
Richard Addison

Last edited by raddison on Fri Jan 27, 2017 5:12 pm, edited 1 time in total.


Proud to be powered by Plasma
raddison
Registered Member
Posts
513
Karma
0

Re: Avast blocks Neon images

Thu Jan 26, 2017 7:09 pm
Hi guys,

Me again :) New images have been released today. I expect Avast won't find false positives again. Shall see. Either way, I consider the matter closed.

Thank you all for your support.


Best wishes community,
Richard Addison


Proud to be powered by Plasma
raddison
Registered Member
Posts
513
Karma
0

Re: Avast blocks Neon images

Tue May 23, 2017 4:19 pm
GPG signatures, on the other hand, rely on a different path for verification of the key trust, and thus are useful even if both image and signature come from an unreliable source.


@Scummos Body, most would say that I'm not dumb but I still don't understand how to perform a GPG check.

I have the .iso and the .sig in the same folder. I know where's the Ubuntu keyserver but other than that I'm clueless. I've checksummed the images (and the re-imaged install disk too :)) and everything is fine BUT I want GPG as well.

Could you give me some guidance, please? Much appreciated in advance.


Proud to be powered by Plasma
User avatar scummos
Global Moderator
Posts
1138
Karma
7
OS

Re: Avast blocks Neon images

Wed May 24, 2017 7:08 am
Try this:

gpg --recv-keys <the long fingerprint ID the image is signed with>
gpg --verify foo.sig (or foo.asc)


I'm working on the KDevelop IDE.
raddison
Registered Member
Posts
513
Karma
0

Re: Avast blocks Neon images

Wed May 24, 2017 8:08 pm
@scummos Thank you.


Proud to be powered by Plasma

 
Reply to topic

Bookmarks



Who is online

Registered users: Baidu [Spider], Bing [Bot], Google [Bot], lueck, Mamarok, Sogou [Bot]