SourceForge vs using a second store
Moderator: Forum Moderators
- Pentarctagon
- Project Manager
- Posts: 5587
- Joined: March 22nd, 2009, 10:50 pm
- Location: Earth (occasionally)
SourceForge vs using a second store
To document something I brought up on Discord where it's easier to find:
What are people's thoughts on using GOG or itch.io instead of SourceForge for the Windows and macOS releases if the SmartScreen/anti-virus problem gets worse (aka not something that's being considered to be done now or in the near future)? The options are essentially:
I've been thinking about this a bit recently since it's obviously not a good thing for the largest part of the player base to be getting warnings about possible malware from the current standalone windows installer.
---
Some additional notes:
What are people's thoughts on using GOG or itch.io instead of SourceForge for the Windows and macOS releases if the SmartScreen/anti-virus problem gets worse (aka not something that's being considered to be done now or in the near future)? The options are essentially:
- do nothing: just keep telling people who ask that it's a known problem and they should ignore the warning.
- pay digicert effectively $223/year for an EV (extended verification) certificate, and the Board go through everything that needs to be done to validate Wesnoth Inc for one of those certs, and then use it to sign the Windows release.
- put the Windows and macOS releases up on GOG and link there instead of to the standalone SourceForge installers in the release announcements.
- put the Windows and macOS releases up on itch.io and link there instead of to the standalone SourceForge installers in the release announcements.
I've been thinking about this a bit recently since it's obviously not a good thing for the largest part of the player base to be getting warnings about possible malware from the current standalone windows installer.
---
Some additional notes:
- Changing from a .exe (current installer) installer to a .msi one makes no difference since SmartScreen will block the .msi as well: https://stackoverflow.com/questions/631 ... msi-to-run
- It might be possible to avoid the issues with SmartScreen by pre-submitting the standalone installer to Microsoft for scanning at https://www.microsoft.com/en-us/wdsi/filesubmission, which would seem to avoid the issue with SmartScreen at least (according to https://stackoverflow.com/questions/488 ... 6#66462106). This wouldn't help with the various antivirus providers however.
99 little bugs in the code, 99 little bugs
take one down, patch it around
-2,147,483,648 little bugs in the code
take one down, patch it around
-2,147,483,648 little bugs in the code
Re: SourceForge vs using a second store
My (non-dev) inclinement is towards 4., because:
1. really is not a good option.
I don't like about 2. that we'd basically be forced to pay money because of something that's not our fault.
And I tend to 4. instead of 3., because I've never heard of GoG before, while I sometimes download games from itch.io.
1. really is not a good option.
I don't like about 2. that we'd basically be forced to pay money because of something that's not our fault.
And I tend to 4. instead of 3., because I've never heard of GoG before, while I sometimes download games from itch.io.
- Elvish_Hunter
- Posts: 1580
- Joined: September 4th, 2009, 2:39 pm
- Location: Lintanir Forest...
Re: SourceForge vs using a second store
Unless I missed something, I'd go for option 4, because GoG requires you to open an account to download games (even free ones), whereas itch.io allows downloading even without an account (free games can accept donations, which I suppose would be useful, but there's always a link that says "No thanks, just take me to the downloads").
Also, I wouldn't remove the SourceForge links: I'd just link to both itch.io and SF, putting a fair warning before the SF links (which should be placed after the itch.io links).
Also, I wouldn't remove the SourceForge links: I'd just link to both itch.io and SF, putting a fair warning before the SF links (which should be placed after the itch.io links).
This should be considered at least for stable versions; it's true that it won't help with antiviruses, but not every antivirus flags Wesnoth as an unwanted program (Avira, for example, never warned me about it).Pentarctagon wrote: ↑April 3rd, 2021, 6:43 am It might be possible to avoid the issues with SmartScreen by pre-submitting the standalone installer to Microsoft for scanning at https://www.microsoft.com/en-us/wdsi/filesubmission, which would seem to avoid the issue with SmartScreen at least (according to https://stackoverflow.com/questions/488 ... 6#66462106). This wouldn't help with the various antivirus providers however.
Current maintainer of these add-ons, all on 1.16:
The Sojournings of Grog, Children of Dragons, A Rough Life, Wesnoth Lua Pack, The White Troll (co-author)
The Sojournings of Grog, Children of Dragons, A Rough Life, Wesnoth Lua Pack, The White Troll (co-author)
- Pentarctagon
- Project Manager
- Posts: 5587
- Joined: March 22nd, 2009, 10:50 pm
- Location: Earth (occasionally)
Re: SourceForge vs using a second store
I feel like it sends a mixed signal to have to mention that there's another download method that may trigger your antivirus software or SmartScreen at all to be honest, nor does it seem like it makes much sense to essentially say "here's three ways to download Wesnoth, however this last one may require you to click through SmartScreen warnings and-or fiddle with your antivirus software's settings".
I don't think there's a reason to stop uploading the installers to SourceForge entirely (if nothing else as a historical archive of the releases), nor would this affect the source code tar upload, but I do think it would make sense to effectively indefinitely deprecate SourceForge as an installer distribution method at that point.
I don't think there's a reason to stop uploading the installers to SourceForge entirely (if nothing else as a historical archive of the releases), nor would this affect the source code tar upload, but I do think it would make sense to effectively indefinitely deprecate SourceForge as an installer distribution method at that point.
99 little bugs in the code, 99 little bugs
take one down, patch it around
-2,147,483,648 little bugs in the code
take one down, patch it around
-2,147,483,648 little bugs in the code
Re: SourceForge vs using a second store
Are #3 and #4 really guaranteed to avoid issues with antimalware solutions? Both invididual GOG downloads (as opposed to using GOG Galaxy) and itch.io require the player to run the installer themselves instead of through a "trusted" (read: backdoored) process.
I would assume it would help build up trust with other AVs regardless, kind of like how spam filters work.Pentarctagon wrote: ↑April 3rd, 2021, 6:43 amIt might be possible to avoid the issues with SmartScreen by pre-submitting the standalone installer to Microsoft for scanning at https://www.microsoft.com/en-us/wdsi/filesubmission, which would seem to avoid the issue with SmartScreen at least (according to https://stackoverflow.com/questions/488 ... 6#66462106). This wouldn't help with the various antivirus providers however.
Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm.
- Pentarctagon
- Project Manager
- Posts: 5587
- Joined: March 22nd, 2009, 10:50 pm
- Location: Earth (occasionally)
Re: SourceForge vs using a second store
For itch.io it has this which looks like it just uploads individual files and folders as needed rather than us giving the full executable installer for each update, so I don't think it'd involve an installation process like the SourceForge releases do currently.
99 little bugs in the code, 99 little bugs
take one down, patch it around
-2,147,483,648 little bugs in the code
take one down, patch it around
-2,147,483,648 little bugs in the code
Re: SourceForge vs using a second store
The struggles of small projects and organizations dealing with SmartScreen seem to be known well enough, or at least easy enough to find reference to. Giving options isn't bad, if it's not requiring extra maintenance.Pentarctagon wrote: ↑April 3rd, 2021, 6:41 pm I feel like it sends a mixed signal to have to mention that there's another download method that may trigger your antivirus software or SmartScreen at all to be honest, nor does it seem like it makes much sense to essentially say "here's three ways to download Wesnoth, however this last one may require you to click through SmartScreen warnings and-or fiddle with your antivirus software's settings".
I don't have enough experience with Windows installers to have an opinion here, though neither options 1 or 2 sound great. But if there is an option to install Wesnoth in a way that doesn't trigger antivirus, offering another method along with a warning seems fine. Wesnoth should be casting a wide net.
BfW 1.12 supported, but active development only for BfW 1.13/1.14: Bad Moon Rising | Trinity | Archaic Era |
| Abandoned: Tales of the Setting Sun
GitHub link for these projects
| Abandoned: Tales of the Setting Sun
GitHub link for these projects