We should probably use upx to package executable in torrenting space (Discussion) - eviltoast

UPX is open source and works on linux , windows and mac (ie. cross platform) I would like to know why the torrenting space isn’t using it already / having a mature discussion about it.

  • schizo@forum.uncomfortable.business
    link
    fedilink
    English
    arrow-up
    18
    arrow-down
    1
    ·
    edit-2
    2 months ago

    Politely, but no.

    It’s a compression tool that is also used to mask malware, and you’re proposing to expand it’s use in a use case that’s ALREADY coated in enough malware to give you herpes just by walking past your average tracker.

    It’s a bad idea from a security perspective, and it’s not going to outperform a LZMA-based compression tool using a large dictionary (7zip, etc.) which also isn’t fucking with binaries in a way that makes detecting and preventing malicious software more complicated for the average user, who typically knows absolutely zero about what’s going on.

    • Linuxer@discuss.onlineOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      2 months ago

      I had actually agreed with you , here was my initial comment , though I just wanted to look into upx github page more

      okay now I understand what you mean.
      Basically the same threat model follows if you want to unpack a upx
      and it also states
      - We will *NOT* add any sort of protection and/or encryption.
          This only gives people a false feeling of security because
          all "protectors" can be broken by definition.
      
      What would you recommend instead ? .
      But also if you are extracting that file , you are basically running it , but the main issue is that antivirus can't read it
      
      

      new response:

      
      But on  https://upx.github.io/ , its given as
      
      >secure: as UPX is documented Open Source since many years any relevant Security/Antivirus software is able to peek inside UPX compressed apps to verify them
      
      I am really sorry mate but please read about upx once because I don't know why but you just seem so defensive to this change without actually giving any good reason. Though you do seem knowledgable so I am obviously looking to have more discussion , but just a bit more detailed.
      Thanks , have a good day / good night