SourceForge vs using a second store

Discussion among members of the development team.

Moderator: Forum Moderators

Pentarctagon
Project Manager
Posts: 5496
Joined: March 22nd, 2009, 10:50 pm
Location: Earth (occasionally)

SourceForge vs using a second store

Post by Pentarctagon »

To document something I brought up on Discord where it's easier to find:

What are people's thoughts on using GOG or itch.io instead of SourceForge for the Windows and macOS releases if the SmartScreen/anti-virus problem gets worse (aka not something that's being considered to be done now or in the near future)? The options are essentially:
  1. do nothing: just keep telling people who ask that it's a known problem and they should ignore the warning.
  2. pay DigiCert effectively $223/year for an EV (extended verification) certificate, and the Board go through everything that needs to be done to validate Wesnoth Inc for one of those certs, and then use it to sign the Windows release.
  3. put the Windows and macOS releases up on GOG and link there instead of to the standalone SourceForge installers in the release announcements.
  4. put the Windows and macOS releases up on itch.io and link there instead of to the standalone SourceForge installers in the release announcements.
Some background as well: https://github.com/wesnoth/wesnoth/issues/5568

I've been thinking about this a bit recently since it's obviously not a good thing for the largest part of the player base to be getting warnings about possible malware from the current standalone Windows installer.

---

Some additional notes:
99 little bugs in the code, 99 little bugs
take one down, patch it around
-2,147,483,648 little bugs in the code
Konrad2
Forum Moderator
Posts: 3330
Joined: November 24th, 2010, 6:30 pm

Re: SourceForge vs using a second store

Post by Konrad2 »

My (non-dev) inclination is towards 4., because:
1. really is not a good option.
I don't like about 2. that we'd basically be forced to pay money because of something that's not our fault.
And I tend to 4. instead of 3., because I've never heard of GoG before, while I sometimes download games from itch.io.
Elvish_Hunter
Posts: 1575
Joined: September 4th, 2009, 2:39 pm
Location: Lintanir Forest...

Re: SourceForge vs using a second store

Post by Elvish_Hunter »

Unless I missed something, I'd go for option 4, because GoG requires you to open an account to download games (even free ones), whereas itch.io allows downloading even without an account (free games can accept donations, which I suppose would be useful, but there's always a link that says "No thanks, just take me to the downloads").
Also, I wouldn't remove the SourceForge links: I'd just link to both itch.io and SF, putting a fair warning before the SF links (which should be placed after the itch.io links).
Pentarctagon wrote: April 3rd, 2021, 6:43 am It might be possible to avoid the issues with SmartScreen by pre-submitting the standalone installer to Microsoft for scanning at https://www.microsoft.com/en-us/wdsi/filesubmission, which would seem to avoid the issue with SmartScreen at least (according to https://stackoverflow.com/questions/488 ... 6#66462106). This wouldn't help with the various antivirus providers however.
This should be considered at least for stable versions; it's true that it won't help with antiviruses, but not every antivirus flags Wesnoth as an unwanted program (Avira, for example, never warned me about it).
Current maintainer of these add-ons, all on 1.16:
The Sojournings of Grog, Children of Dragons, A Rough Life, Wesnoth Lua Pack, The White Troll (co-author)
Pentarctagon
Project Manager
Posts: 5496
Joined: March 22nd, 2009, 10:50 pm
Location: Earth (occasionally)

Re: SourceForge vs using a second store

Post by Pentarctagon »

I feel like it sends a mixed signal to have to mention that there's another download method that may trigger your antivirus software or SmartScreen at all to be honest, nor does it seem like it makes much sense to essentially say "here's three ways to download Wesnoth, however this last one may require you to click through SmartScreen warnings and-or fiddle with your antivirus software's settings".

I don't think there's a reason to stop uploading the installers to SourceForge entirely (if nothing else as a historical archive of the releases), nor would this affect the source code tar upload, but I do think it would make sense to effectively indefinitely deprecate SourceForge as an installer distribution method at that point.
Iris
Site Administrator
Posts: 6796
Joined: November 14th, 2006, 5:54 pm
Location: Chile

Re: SourceForge vs using a second store

Post by Iris »

Are #3 and #4 really guaranteed to avoid issues with antimalware solutions? Both individual GOG downloads (as opposed to using GOG Galaxy) and itch.io require the player to run the installer themselves instead of through a "trusted" (read: backdoored) process.
Pentarctagon wrote: April 3rd, 2021, 6:43 am It might be possible to avoid the issues with SmartScreen by pre-submitting the standalone installer to Microsoft for scanning at https://www.microsoft.com/en-us/wdsi/filesubmission, which would seem to avoid the issue with SmartScreen at least (according to https://stackoverflow.com/questions/488 ... 6#66462106). This wouldn't help with the various antivirus providers however.
I would assume it would help build up trust with other AVs regardless, kind of like how spam filters work.
Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm.
Pentarctagon
Project Manager
Posts: 5496
Joined: March 22nd, 2009, 10:50 pm
Location: Earth (occasionally)

Re: SourceForge vs using a second store

Post by Pentarctagon »

For itch.io it has this which looks like it just uploads individual files and folders as needed rather than us giving the full executable installer for each update, so I don't think it'd involve an installation process like the SourceForge releases do currently.
doofus-01
Art Director
Posts: 4121
Joined: January 6th, 2008, 9:27 pm
Location: USA

Re: SourceForge vs using a second store

Post by doofus-01 »

Pentarctagon wrote: April 3rd, 2021, 6:41 pm I feel like it sends a mixed signal to have to mention that there's another download method that may trigger your antivirus software or SmartScreen at all to be honest, nor does it seem like it makes much sense to essentially say "here's three ways to download Wesnoth, however this last one may require you to click through SmartScreen warnings and-or fiddle with your antivirus software's settings".
The struggles of small projects and organizations dealing with SmartScreen seem to be known well enough, or at least easy enough to find reference to. Giving options isn't bad, if it's not requiring extra maintenance.

I don't have enough experience with Windows installers to have an opinion here, though neither option 1 nor 2 sounds great. But if there is an option to install Wesnoth in a way that doesn't trigger antivirus, offering another method along with a warning seems fine. Wesnoth should be casting a wide net.
BfW 1.12 supported, but active development only for BfW 1.13/1.14: Bad Moon Rising | Trinity | Archaic Era |
| Abandoned: Tales of the Setting Sun
GitHub link for these projects