DonationCoder.com Software > Find And Run Robot

FARR not a commonly downloaded program?

40hz:
Great, use it.. though not sure if they are a trusted CA when it comes to code signing under Windows or not, you will have to check.
-db90h (October 15, 2011, 08:06 PM)
--- End quote ---

FYI:
Start Commercial (StartCom) Ltd. is listed as a CA on Microsoft's Root Certificate member page:

http://social.technet.microsoft.com/wiki/contents/articles/2592.aspx

So they're a trusted CA.

But you may need to do additional steps or sign a supplemental agreement of some sort before a code signing EKU gets applied to your root certificate. I'm not too up on the mechanics of obtaining certificates, but I recall a client of mine ran into something similar with Microsoft once and had to do something extra before the "code signing" part got ok'd. And IIRC, it cost considerably more than a standard SSL/TLS/MIME certificate. Something like $400-500 annually?

db90h:
I would like to further elaborate that AS trust becomes a commodity on the internet, the ability for small freeware authors to 'just author' without going through h*ll is lessened, and thus DonationCoder, by offering signing of donationware for donationware authors, could represent a substantially more compelling business model than it does today. You have the inherent trust, earned certificate trust, plus community exposure, as enticements. It would be a great platform from which new donationware could be launched.

wraith808:
I would like to further elaborate that AS trust becomes a commodity on the internet, the ability for small freeware authors to 'just author' without going through h*ll is lessened, and thus DonationCoder, by offering signing of donationware for donationware authors, could represent a substantially more compelling business model than it does today. You have the inherent trust, earned certificate trust, plus community exposure, as enticements. It would be a great platform from which new donationware could be launched.
-db90h (October 16, 2011, 02:03 AM)
--- End quote ---

Wouldn't that also put an onus on DC to vet these software programs?  I don't think there is an official policy regarding that in place now, but it would seem that this would have to change.

UPDATE: I downloaded software from my site (and I'm sure that I don't get as much traffic as even FARR, let alone the other software from DC), and I didn't get that message.  It could be as simple as the fact that my programs don't have installers (just executables in zip files), but I wouldn't think that they'd not scan zips, would they?

rxantos:
== Begin Rant ==

Thus the solution is to bend over and allow Microsoft to make false accusations on software from authors that did not pay them homage.

I guess we live in a world that people have gotten used to that.

I thought there was something called libel and slander. After all, what proof do they have that the software could harm your computer?

I guess we live in a world where justice and pride are something reserved for the rich (since it is far cheaper to bend over than to get justice).

== End Rant ==

JavaJones:
I wonder if certificate signing really is the solution, do we have any definitive knowledge that it is? If so, I understand the intention, but really don't agree with the methodology. As the recent rash of compromised CAs has shown, this is hardly an effective security measure. What good is "trust" when the trusted parties don't care enough to implement proper security on their trust-granting systems?!

The idea of offering certification assistance to freeware authors who host their stuff here is interesting and worth further consideration I think.

Btw wraith, I do think they flag exes specifically with this, so your downloads probably weren't triggered precisely because they're zips. This is not an antivirus scan being run by IE, it's pattern matching, with exe as a likely component that increases risk assessment. Scanning inside ZIPs probably isn't done. That job is really up to your antivirus.

Edit: Ran some tests, interesting results. A download of one of Skwire's programs from here in ZIP format did not show the same message. A download of Terragen in MSI (installable) form from planetside.co.uk also did *not* trigger the message. To the best of my knowledge the Terragen installer is not signed, but it's also not an EXE. It may also be more popular than FARR, though that's debatable.

- Oshyan
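
Added example (not part of any post in this thread): the tests above turn on whether a download is an EXE and whether it is signed, so this Python sketch reads a PE file's Certificate Table entry to tell whether an Authenticode signature is embedded at all. The function names and the sample headers are constructed for illustration; ZIP and MSI files are not PE images and are rejected.

```python
import struct

def embedded_signature_size(data: bytes) -> int:
    """Size of the PE Certificate Table in bytes; 0 means no embedded signature.

    Raises ValueError when the data is not a PE image (a ZIP or MSI, say).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: no PE signature")
    opt_off = pe_off + 4 + 20                               # skip COFF file header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs_off = opt_off + (96 if magic == 0x10B else 112)    # PE32 / PE32+
    if struct.unpack_from("<I", data, dirs_off - 4)[0] <= 4:
        return 0                                            # no directory entry 4
    # Entry 4 is the Certificate Table; its first field is a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, dirs_off + 4 * 8)
    if cert_size == 0 or cert_off + cert_size > len(data):
        return 0                                            # absent or truncated
    return cert_size

def build_sample_pe(cert_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32 headers for the demo (not a runnable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    dirs = bytearray(16 * 8)
    hdr_len = 0x40 + 4 + 20 + 224
    if cert_blob:
        struct.pack_into("<II", dirs, 4 * 8, hdr_len, len(cert_blob))
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16) + bytes(dirs)
    return dos + b"PE\0\0" + coff + opt + cert_blob

if __name__ == "__main__":
    for name, blob in [("unsigned.exe", b""), ("signed.exe", b"\0" * 16)]:
        size = embedded_signature_size(build_sample_pe(blob))
        print(name, "embedded signature bytes:", size)
```

A non-zero size only shows that a signature blob is attached; whether it is valid and chains to a trusted CA still has to be checked by a real verifier.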
