> I'm betting you can whitelist it or otherwise bypass it
That you can easily bypass it is irrelevant - it's a bad sign to me, as a potential user, when the installer is flagged as a virus, and a far worse one when the D team seems utterly apathetic about fixing it. I see no evidence in the thread whether it's a false positive or not (though plenty of unbacked claims and some ad hominem: "you are the one using the snake oil software"), only developers asking the users to blindly report it to their AV vendor.
I also did not see any response to Mike Franklin's comment: "It's not the compiler that is reporting the virus, it's the installer. What utility are we using to generate the installer executable?"
This throws up an entire forest of red flags to me as a developer - I'll stick to languages where the contributors care enough about the language to report a false positive themselves.
Why is it on D's developers to fix a false positive in someone else's software? They redirected the reporter to the proper venue. I don't see what else they should be doing.
2. They are the only authority that can rightfully claim that their product is virus free. In time they might gain an understanding of what triggers it which might also be beneficial when reporting it. If it is a common occurrence they should probably have a template ready and a process for doing this. They also have interest in it being done correctly and that they have the ability to follow up on any issues. In fact, they should prefer to do it themselves rather than random people doing it for them when they only indirectly can be informed of any progress.
3. Thank the reporter for bringing the issue to their attention.
4. Happy to answer questions related to the issue.
Doesn't matter who is to blame. The D community is taking the hit, they should act to try and avoid that.
If Google erroneously blacklists your site, why should you care? You haven't done anything wrong? Some things just suck and you have to take care of it yourself.
1. these same false-positives have been a recurring issue for multiple years already
2. there is no fix for a tool which is not a mass-market-consumer-product
3. As a technologist you should know that all anti-virus is bullshit which does not work. False positives and false negatives abound. The anti-virus's job is to accurately identify viruses/malware because users can't. But the anti-virus can't do it either. It's true. Really. I figured this out on my own over 15 years ago, and it never changed.
I really hate the sentiment and consensus around anti-virus. It's like a "car-crash protection talisman". It just does not work. But if you tell someone not to use it, and they get in a car crash, it's your fault. If they use it, and they get in a car crash, oh well, what can you do. But it's truly bullshit.
> They are the only authority that can rightfully claim that their product is virus free.
This is a dumb idea. What's the point of anti-virus if we just trust the vendor.
So, the solution is to antagonize a user that is taking time and effort to inform you of the problem?
> This is a dumb idea. What's the point of anti-virus if we just trust the vendor.
The AV company will, hopefully, not... The vendor is the only one that can vet that the file on the site is the file that it is intended to be. They are also the only ones that can make changes to their builds (which can help).
That's like asking why you should correct false data on your personal credit report. It's someone else's computer database, not yours! (Or maybe a better analogy would be "Why should I ask Google to stop marking my legit domain as spam and hiding emails to my users? It's their system!")
Software developers have to lobby on their own behalf so their software fits into larger ecosystems seamlessly. Or deal with angry users.
Angry users is not something you can opt out of. Malware reports are just another fact of life for many open source projects. I think the PuTTY link (was posted elsewhere) is an awesome summary of the impossible fight you're asking developers to take on.
Also, that's an insane comparison between AV reports and personal credit reports.
akavel said it best, you have to pick your battles. Who are we to tell the D programmers that this small issue affecting a tiny percentage of their users is a higher priority than any feature/bug/etc they have in their backlog?
All of this stinks of entitlement to me. "I want you to fix my problem caused by my software that only affects a small group of people".
I totally emphatically understand, that for DMD authors, reporting their binary to a truckload of indifferent AV vendors is the worst kind of Kafkaesque, soul-draining, burnout-inducing, and quixotic chore imaginable. While at the same time they're certainly trying to manage a lot of hard chores already, where at least they have a bit more agency over the eventual result. There's only so much they can do with limited resources. They must pick their battles, and it's fully and only their choice to make, no one can force them otherwise.
Then, they're actually still patient enough to be polite and trying to suggest to the user what he/she can do to help the project (or actually himself/herself), in order to resolve the issue he/she has. And in response, the user is only trying to deflect any responsibility and work/effort, and aggressively trying to push it back on them, using some weird, illogical, and generally absurd arguments (that they also are politely trying to explain as being invalid). Instead of actually trying to do what they suggested, and what could actually help resolve the issue.
That's what it would look like from the authors/maintainers' side of the fence.