https://issues.dlang.org/show_bug.cgi?id=18786

--- Comment #8 from David M <vintaged...@gmail.com> ---
Greenify, I hear you in that I know D is open source software run by
volunteers, and that means no-one needs to look after reports like this if they
don't want to.

If it was one AV vendor, I'd happily report it.  It's up to 21% of vendors on
Virustotal now, though, and that means a couple of things:

* I, as a new D user, do not have the knowledge and background to state to a
vendor that it is truly virus free.  If the runtime causes problems, I can't
explain what and why.  You can't ask that I report it, because you're asking me to
make statements to the vendor that I don't have the knowledge to back up. 
("Can you take this package on board the airplane for me? No bombs, promise." 
Later, at security, "No, no bombs. Oh, no, it's not my package.  No, I don't
know what's in it.  It's locked, I don't have the key.  But no bombs.  I'm
sure.")

The only people who can speak to an AV with authority and assist them in
finding why it is a false positive are those with a good understanding of the
RTL and the patterns in it that are causing the AV to be concerned.

* A large number of AVs is a danger sign, and if this was my own software I'd
be investigating, even if I believed there was no cause for concern.  I have
done that in the past for even a single AV report.

* This impacts your users.  Currently, no-one on Windows 10 can install D
because the installer is captured by Windows Defender.  The importance of that
depends on the value you put on allowing Windows users to use D.  I'll be
frank: I'm new to D, and I downloaded to try it out and learn it.  It's not
reasonable to expect any new user to ignore thirteen different antivirus
vendors screaming "don't run it!" and to bypass security on their local system
to install.
