[QGIS-Developer] Potential Security Issue with latest OSGeo4W release

Brian M Hamlin maplabs at light42.com
Thu Nov 28 18:09:23 PST 2024


>> On Thu, 28. Nov 2024 at 08:31:38 -0500, Greg Troxel via QGIS-Developer wrote:
>>> C Hamilton via QGIS-Developer <qgis-developer at lists.osgeo.org> writes:
>>>> I just installed the latest QGIS versions of the OSGeo4W installer. I
>>>> received a warning saying, "We moved libgrass_parson.8.4.dll to your
>>>> Quarantine because it was infected with Win64:Evo-gen[Trj]"
>>> In general, I think people should file a support issue with their
>>> antivirus provider, asking to fix or to really provide evidence.  There
>>> is a long history of negligent accusations from antivirus.
>>>
>>> Better yet: people could just stop to produce malicious code.
>>>
>>> But probably neither will happen ;)
>> I know you are kind of kidding, but AV vendors are charging money for
>> products that make untrue allegations without due care.  This behavior
>> is not ok and they should be called on it, putting the burden of dealing
>> with it where it belongs instead of having the Free Software community be
>> asked to do work.


Comment here on a challenging topic: commercial security software 
starts with a concept of paid services, while QGIS has different social 
contracts and no common concept of paid service.  Given an imbalance of 
"error condition by paid software requires QGIS response" .. ask "Is 
this handled by the QGIS social contracts?" and "Is this a liability 
of the paid security software?" .. a response is demanded, as security is 
increasingly emphasized.

This starts to look like many kinds of negotiations in civil society. It 
is inherently political.  A wild guess by me is that at least one third 
of QGIS users worldwide live in very different legal environments for 
software and IP than the EU, Commonwealth or US markets.

How is QGIS even able to respond if there are false positives in 
commercial (low-quality) security software?  Anyone can imagine that 
false positives on QGIS may be considered a feature by some actors out 
there.

$DEITY help you regarding the MSFT Windows OS base.. from a Linux 
perspective, there are also troubles of this kind.

A politician said recently "It is how people are doing, and how people 
think they are doing" that matters for political situations. The QGIS 
project has to show in a marketing way, stability and competence with 
security scares.. and secondly, the internal project gets prepared for 
more of this, and worse, in the next decade.

   best regards from Berkeley, California       --Brian M Hamlin / MAPLABS / OSGeoLive PSC