Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Windows security check issues from UV 0.5.1 to 0.5.2. #9144

Closed
FishAlchemist opened this issue Nov 15, 2024 · 9 comments
Closed

Windows security check issues from UV 0.5.1 to 0.5.2. #9144

FishAlchemist opened this issue Nov 15, 2024 · 9 comments
Labels
windows Specific to the Windows platform

Comments

@FishAlchemist
Copy link
Contributor

FishAlchemist commented Nov 15, 2024
edited
Loading

winget-pkgs

PyPI

Scan by VirusTotal

I think it's because of the use of self-replace(#8914). This kind of self-updating behavior, if not digitally signed, can easily be mistaken for a virus.

Microsoft actually provides a channel to upload files for analysis.
https://www.microsoft.com/en-us/wdsi/filesubmission
@zanieb
Copy link
Member

zanieb commented Nov 15, 2024

@charliermarsh Is the self-replace behavior worth dealing with this?

@charliermarsh
Copy link
Member

What’s your opinion?

@zanieb
Copy link
Member

zanieb commented Nov 15, 2024

I'm not sure. The whole "remove uv with uv" objective feels a little surprising to me. We can see if they fix this false positive before the next release?

@charliermarsh
Copy link
Member

Yeah, it's a little surprising. I think it's even worse that it fails (probably not that controversial), but it's probably not worth what we're seeing here. Maybe we tear it out and just give a better error than before?

@zanieb zanieb mentioned this issue Nov 15, 2024
Merged
@charliermarsh
Copy link
Member

@mitsuhiko -- Any opinion here?

@charliermarsh charliermarsh added the windows Specific to the Windows platform label Nov 16, 2024
This was referenced Nov 16, 2024
Closed
Closed
@FishAlchemist
Copy link
Contributor Author

FishAlchemist commented Nov 19, 2024
edited
Loading

Hi UV Team,
Given that both 0.5.1 and 0.5.2 have this issue and I've removed x86 Windows support for version 0.5.1 in my pr for winget-pkgs, do you think it's still worthwhile to merge the x64 Windows version of uv 0.5.1 into winget-pkgs?

Note

I've removed the support for the x86 architecture in version 0.5.1 of winget-pkgs. This is finally allow it to pass their pipeline checks ( x86 still doesn't pass the security checks). I'm not sure if they'll approve the merge given that the new version lacks x86 installation compared to the previous one.

Edit:
Oh, the members of winget-pkgs have agreed to merge.

@FishAlchemist
Copy link
Contributor Author

As of now, winget-pkgs offers x64 Windows for 0.5.1 and 0.5.2, while 0.5.3 is available for both x86 and x64 Windows platforms.

@zanieb
Copy link
Member

zanieb commented Dec 10, 2024

Is this still being flagged?

@FishAlchemist
Copy link
Contributor Author

@zanieb
I think we can close this issue for now. Since the x64 versions of winget 0.5.1 and 0.5.2 and the subsequent version x86 and x64 versions of later versions are all working fine

@zanieb zanieb closed this as completed Dec 10, 2024
@zanieb zanieb mentioned this issue Dec 21, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
windows Specific to the Windows platform
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@charliermarsh @zanieb @FishAlchemist