PureBasic 6.03 digital signature


Re: PureBasic 6.03 digital signature

Post by Marc56us »

Kuron is right:
[...]PB is targeted to programmers and coders, not the general home user with little experience.[...]
For coders who still have doubts, it would be enough, as is often done, to put a checksum on each package on the download site.

:wink:

Re: PureBasic 6.03 digital signature

Post by Oso »

BarryG wrote: Thu Nov 16, 2023 8:28 am
Kuron wrote: Wed Nov 15, 2023 10:38 pm Kudos to Fred for refusing to participate in the shakedowns anymore!
I've always held that view, that certs were nothing more than a blackmail industry. I don't sign my apps and people still download and pay for them.
Out of interest, BarryG, how do you tend to answer people's queries on false positives, assuming of course that it happens in your case? There's obviously a right way of explaining this to non-technical users who perhaps haven't encountered it before. They'll not have seen it for example, when installing a mainstream application.

Re: PureBasic 6.03 digital signature

Post by BarryG »

Oso: I never get asked about it. I assume those people just didn't buy? My website does link to VirusTotal though, which shows 0 false-positives (after I contact 2 vendors to remove their false flags).

Re: PureBasic 6.03 digital signature

Post by Kuron »

BarryG wrote: Thu Nov 16, 2023 10:14 pm Oso: I never get asked about it. I assume those people just didn't buy? My website does link to VirusTotal though, which shows 0 false-positives (after I contact 2 vendors to remove their false flags).
Said by Ole' Kuron several years ago on another forum:

The mafioso protection racket designed by AV authors with their false positives has become absurd.

These AV authors have literally made it almost impossible for an indie developer to exist. Something I have raved about for years, but it is getting increasingly worse over the years. Even if indie developers tell their customers the truth, that the program is fine and the AV company is wrong, the customers are still going to believe the multi-million dollar AV company and not run your software and bad mouth it for viruses.

As indie developers, we are expected to do the work of the lazy and incompetent AV authors and report false positives and hope and pray they safe list our program, which may or may not happen and may or may not require money changing hands. Self-proclaimed AV experts have been running roughshod over indie authors for many years. The only ones who are not routinely dealing with false positives are the major software companies who do exchange some $$ with the AV authors.

I am amazed there have not been multiple class action suits against every AV author out there due to their continued false allegations that a program is or may be harmful when it is not.

Very hard to think about even trying to compete in today's software market...
Best wishes to the PB community. Thank you for the memories. ♥️

Re: PureBasic 6.03 digital signature

Post by Oso »

BarryG wrote: Thu Nov 16, 2023 10:14 pm Oso: I never get asked about it. I assume those people just didn't buy? My website does link to VirusTotal though, which shows 0 false-positives (after I contact 2 vendors to remove their false flags).
Okay, I understand, Barry. They can download a trial version then, before they pay you for a permanent licence.

The false positive problem may depend in part, on the relationship with the customer. At the moment we're developing something for a customer, although in this particular instance, not with PureBasic. The customer knows the software is from ourselves and we might need to explain the situation about AV to their IT department and advise them to make our programme sub-folder an exception.

Presenting software on a website, for download, is different. Here the relationship with the customer may be a new one and consequently the trust is still being built.

Re: PureBasic 6.03 digital signature

Post by BarryG »

Oso wrote: Fri Nov 17, 2023 9:50 am They can download a trial version then, before they pay you for a permanent licence
That's exactly how I'm doing it.
Kuron wrote: Fri Nov 17, 2023 4:48 am These AV authors have literally made it almost impossible for an indie developer to exist
True! I've often seriously considered making a website that is a directory of legit safe software to counter the AV claims. It's a nagging thought that goes through my head from time to time, but then I wonder if sites like MajorGeeks are just doing that anyway (which they do; they test what they list). So not sure if it'd be worth my time and effort; plus the legal liability if I got something wrong.

Re: PureBasic 6.03 digital signature

Post by Oso »

Kuron wrote: Fri Nov 17, 2023 4:48 am
BarryG wrote: Thu Nov 16, 2023 10:14 pm Oso: I never get asked about it. I assume those people just didn't buy? My website does link to VirusTotal though, which shows 0 false-positives (after I contact 2 vendors to remove their false flags).
I am amazed there have not been multiple class action suits against every AV author out there due to their continued false allegations that a program is or may be harmful when it is not.
It would be interesting to see that, because it might be necessary to prove that the AV vendors were deliberate in trying to discredit software vendors' products that are non-mainstream, even when they could easily do otherwise. They might argue that they already have provisions in place to allow independent software authors to submit their product for verification, which I think some members on this forum have mentioned has been successful.

If the AV vendors make a charge for that service, or if the industry as a whole collects substantial fees, then it could be argued that they were not doing so in good faith and instead using what I think we might term, a carrot and stick approach, in this case using a threat of defamation to induce payment. All in all quite a complex situation. The right lawyer to use might be the UK's famous Michael Mansfield KC, who despite lawyers' occasional reputation for dishonest fees and practices, has often taken on cases on the basis of the common good.

Re: PureBasic 6.03 digital signature

Post by BarryG »

Oso wrote: Fri Nov 17, 2023 10:05 am [The AV vendors] might argue that they already have provisions in place to allow independent software authors to submit their product for verification, which I think some members on this forum have mentioned has been successful
A very good point! A lawsuit against AV vendors would be pointless if they can show we never submitted our exes for white-listing with them.

Re: PureBasic 6.03 digital signature

Post by Oso »

BarryG wrote: Fri Nov 17, 2023 9:53 am True! I've often seriously considered making a website that is a directory of legit safe software to counter the AV claims. It's a nagging thought that goes through my head from time to time, but then I wonder if sites like MajorGeeks are just doing that anyway (which they do; they test what they list). So not sure if it'd be worth my time and effort; plus the legal liability if I got something wrong.
You could do that Barry but it becomes a form of AV in its own right I suppose, as you'd be taking on a certain amount of liability in claiming that the vendors you list are not going to cause problems with people's systems.

What I think could be helpful, is for a short page on the PureBasic website, to which anyone querying false positives on software written by PB developers, could be referred. The page might explain that PureBasic consists of an informal community of developers interested in making their products and software tools available to the public and to commercial enterprises but that users need to ensure they are satisfied themselves that the vendor is trustworthy. They can be reassured that PureBasic itself is a trusted product and is widely used commercially. It can also explain that the increasing threat of malware in software downloads, has made the industry over-zealous in detecting false cases in software that is not mainstream and therefore not a household name, even to the extent that the default result, if no result is found, is to flag the software as a possible threat. It might also include a link to an AV product that is known to be supportive of independent vendors' software, which can then be used to counter the argument that if any AV product flags a positive detection, then there must be reason to believe it. To some extent, it can cast some doubt over the false-positive-prone AVs.
Last edited by Oso on Fri Nov 17, 2023 7:40 pm, edited 1 time in total.

Re: PureBasic 6.03 digital signature

Post by Kuron »

BarryG wrote: Fri Nov 17, 2023 10:14 am A very good point! A lawsuit against AV vendors would be pointless if they can show we never submitted our exes for white-listing with them.
Many do absolutely nothing when you submit your EXEs. We are lucky that the 64-bit version of PB only triggers two which actually do whitelist something.

You should NOT have to send your EXEs to them, as they should not be allowed to legally flag something unless they can prove it is malicious.

No different than you or me creating a company and flagging all software and offering developer accounts for $199 per year and up that will allow your company's software to automatically be declared safe.

Back in the day, I had a very good page on my site explaining the issue with false positives and why unscrupulous AV companies resort to it and what a detriment it is to the industry and how it hurts indie developers. I will likely put up a new version next year when I am up and running again. It helps to educate our EUs.

Re: PureBasic 6.03 digital signature

Post by Kuron »

I have seen one indie developer who makes some software I use, under the FAQs and "Is it safe to download" question, he answers:

Yes, the software passed 42 anti-virus software detection. No virus is contained.

Sadly it is flagged by numerous AV programs, but we are reduced to advertising the number that did NOT flag it, due to the mafioso tactics these companies use. *shakes head*

Re: PureBasic 6.03 digital signature

Post by BarryG »

Kuron wrote: Many do absolutely nothing when you submit your EXEs
True. Seen that before, and one (Cylance) has no false-positive website form and they never respond to my emails. Bastards.

The three that always respond to me and white-list are Microsoft, Bkav Pro, and SecureAge. Much respect to them!
Kuron wrote: they should not be allowed to legally flag something unless they can prove it is malicious
This. 100% agreed.