From d0149720b46d56acf238250b4ddeb959cf92ec6d Mon Sep 17 00:00:00 2001 From: Athanasius Date: Sun, 8 Aug 2021 16:45:17 +0100 Subject: [PATCH] Troubleshooting: AV: We now build/release wholly on GitHub --- Troubleshooting.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/Troubleshooting.md b/Troubleshooting.md index 548ed9d..f11a312 100644 --- a/Troubleshooting.md +++ b/Troubleshooting.md @@ -230,9 +230,18 @@ can sometimes report that either one of our installers (e.g. EDMarketConnector_win_5.0.0.msi) or an executable therein is malicious in some manner. This has invariably always been a false positive. -The .msi files we distribute are built either on a trusted developer's -machine, or on GitHub itself (but then downloaded to a developer's machine -in order to upload as part of the GitHub release process) using +Since release 5.1.3, the .msi files we distribute are built on GitHub itself, +and a draft of the release created directly there. This means that the +installer a user downloads has never been on a developer's machine since it +was built, so there is no opportunity for an infected developer's machine +to insert malware into it or the executable files it contains. + +If you trust our source then the only way for malware to make it into our +installers or executables would be a supply chain attack affecting GitHub's +version of files, or the WinSparkle (update checker DLL we use) +distribution that we ask GitHub to download for us. + +We convert our python source code into executables using [py2exe](https://github.com/py2exe/py2exe/). See discussion in [EDMC 5.0.0. Flagged at Malware by AVG Anti Virus #1058](https://github.com/EDCD/EDMarketConnector/issues/1058)