
This is more than entitled behavior, it’s downright harmful.

When (not if, when) binaries get trojanned, this causes blame to be directed at the original author, and it takes a lot of work to explain that they are not at fault - this has happened on many supposedly reputable download sites including SourceForge, Tucows, Download.com and many others (yes, I haven’t used Windows in 20 years or so, no idea what the hip new places are).

Say “thank you”, and spend 10 more minutes yourself to set it up (even if compilation takes 5 hours, it’s usually 10 mins to get it started). And then offer it for others, and handle the ricochets when it gets trojanned with no wrong done by you.

If just 20 people adopted such a process, there would be 98% less complaints of this kind.




How can a binary I provided possibly be trojanned by someone else?

Genuinely curious.


Trojaned installers by download.com were rampant back in the day. They would take your program and wrap it up in a nice little installer wizard and then also stuff a bunch of adware and spyware in there with it


I don't understand what's the harm of having a releases page with a binary and its md5 hash, or how that keeps anyone from just compiling an unofficial binary themselves and adding malware to it.

Anyone not technical enough to compile a binary has to give up trying to use it or risk some unofficially distributed executable.


An md5 can be created for the trojaned binary and be posted along with it.

Not to mention that the md5 checksum is a very poor choice for this purpose because of the ease of creating md5 collisions.


But not on the official page, right? And there's nothing stopping someone from doing that now is there? I don't see how the original authors providing binaries is less secure than anything else.


The official page can be hacked, and both malware and md5 of the malware can be placed there.

That's the whole point of using a cryptographic signature backed by a web of trust instead of a mere hash.


Where would the hash be advertised?


Yeah but still hackers can abuse SEO and direct visits to their pages. If you are not careful you might accidentally download a malicious binary.


Sure, but what does that have to do with distributing binaries off Github? Maybe if Bonzie Buddy and IE6 make a comeback but I don't see that happening.


> If just 20 people adopted such a process, there would be 98% less complaints of this kind.

Okay so if 20 people did the same work over and over it would reduce 98% of the complaints.

Contrast that to if the author did the work once, it would reduce 100% of the complaints!


If every author did.

Do they owe you anything?


Providing a checksum along with the binary singlehandedly solves your concerns, and you can add gpg signatures if you want.


A checksum can be falsified as easily as a binary, and so can a signature. Only if you participate in a web of trust are you theoretically better off... but most people don't, so all such measures do is give a false sense of security.
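The two comments above (a hacked page can host both the malware and its checksum; a signature only helps if the verifying key comes from somewhere other than the page) can be shown concretely. The following is an added example, not code from anyone in this thread: it models a release with a SHA-256 checksum and a detached Ed25519 signature (standing in for GPG), then a compromised page where the attacker swaps the binary, recomputes the checksum, and signs with their own key. The checksum check passes on the tampered release; the signature check fails because the verifier compares against a publisher key pinned out-of-band. The key names and the hypothetical binaries are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a download page offers: the artifact, the checksum the
// page advertises next to it, and a detached signature over the artifact.
type Release struct {
	Binary   []byte
	Checksum string // hex SHA-256, as printed on the page
	Sig      []byte // detached Ed25519 signature over Binary
}

// Publish builds a release the way a legitimate author would, using the
// author's private key. An attacker who controls the page can call the
// same routine with their own key and their own payload.
func Publish(priv ed25519.PrivateKey, binary []byte) Release {
	sum := sha256.Sum256(binary)
	return Release{
		Binary:   binary,
		Checksum: hex.EncodeToString(sum[:]),
		Sig:      ed25519.Sign(priv, binary),
	}
}

// VerifyChecksum proves only that the download matches the hash shown on
// the same page. If the page was replaced, the hash was replaced with it.
func VerifyChecksum(r Release) bool {
	sum := sha256.Sum256(r.Binary)
	return hex.EncodeToString(sum[:]) == r.Checksum
}

// VerifySignature checks the artifact against a publisher key the user
// obtained and pinned out-of-band (a previous release, a keyserver, a web
// of trust), not against whatever key the download page currently shows.
func VerifySignature(pinnedPub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pinnedPub, r.Binary, r.Sig)
}

// Outcome records the four checks the scenario produces.
type Outcome struct {
	GenuineChecksumOK bool
	GenuineSigOK      bool
	TrojanChecksumOK  bool
	TrojanSigOK       bool
}

// Scenario runs the full story: author publishes, user pins the author's
// key, attacker replaces the page contents, user verifies both ways.
func Scenario() (Outcome, error) {
	authorPub, authorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	// Constructed stand-ins for a real build and a trojanned one.
	genuine := Publish(authorPriv, []byte("hypothetical-tool-v1.0 (clean build)"))
	// The attacker controls the page, so checksum and signature are
	// regenerated to match the swapped binary.
	trojan := Publish(attackerPriv, []byte("hypothetical-tool-v1.0 (adware bundled)"))

	return Outcome{
		GenuineChecksumOK: VerifyChecksum(genuine),
		GenuineSigOK:      VerifySignature(authorPub, genuine),
		TrojanChecksumOK:  VerifyChecksum(trojan),
		TrojanSigOK:       VerifySignature(authorPub, trojan),
	}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: checksum=%v signature=%v\n", o.GenuineChecksumOK, o.GenuineSigOK)
	fmt.Printf("trojan:  checksum=%v signature=%v\n", o.TrojanChecksumOK, o.TrojanSigOK)
}
```

The whole benefit hinges on `pinnedPub` arriving through a channel the attacker does not control; if the user fetches the key from the compromised page, the signature check degrades to the same false sense of security the checksum gives.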


GitHub will take it down if it contains blatant malware so it’s not that big of a deal


Somebody would have to report that to them first though




