Policies and Disclaimers
On my website I offer computer programs. Many, if not most of them are offered under the GPL, which includes the disclaimer:
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
In general, unless specifically stated otherwise, I intend to apply this disclaimer to all my releases, GPL or not.
Regarding Viruses and Security
I endeavor to keep my website as clean as possible; however, I am facing an increasing number of virus reports, all of which to this point I believe to be false positives. Some are a little vague (for instance, 3 of the more obscure VirusTotal tests showing red) while others are more obnoxious (just today, Windows Defender deleted a fresh copy of a program I had just built for upload, then it deleted wget, which I had used to test it).
I obviously cannot do anything about false positives; the dirty secret behind antivirus products in general is that they are universally terrible. I am particularly at risk for false positives: in addition to the terrible signature matching, I also get dinged on the behavior matching. (Network utilities use the network, who could have expected that?)
This is what I am doing:
First, the more important bit.
If computer safety is in any way important to you, please be proactive. My due diligence must not preclude your own. If you have any concerns, please feel free to let me know, or build from source, or test on a throwaway machine or separate VM, or simply just don't download or use my software. Please protect yourself in general too, not just with regard to my site. It's a mess out there.
Second, the methods I am using to mitigate the problem.
As of June 2017, I have started using a separate subdomain for my downloadables. I have *not* moved and rebuilt my entire back catalog (it is a whole lot of work for minimal gain, and I don't even have some of the development environments set up anymore). New downloads from this point on will be hosted on https://download.elifulkerson.com. The pages describing the projects won't move, just the download links.
Everything on https://download.elifulkerson.com will adhere to the following restrictions:
- I am only serving download.elifulkerson.com over https. It should be using a valid SSL certificate (not a self-signed one). At the moment I am using Let's Encrypt. This should prevent anything from being corrupted or modified while it is in transit.
- Every binary file (that is to say, every .exe) will be built in a dedicated development VM, not a computer that is used day to day. This should prevent anything from being infected as it is built.
- Every binary file is going to have md5 and sha hashes provided, which can be used to verify that the file you have is the same file as the file I was providing.
- Every file will have a GnuPG signature which can be used to verify that the file was uploaded by me. Here is a link to my public GnuPG key.
- I have a separate, offline system that will verify if there are any changes to the md5 and sha hashes, in case somebody breaks into the server and updates both the file and the hashes.
- I am keeping offline backups.
- There is a bird.
- Update: 2024-03-24 - I have uploaded some projects to GitHub at https://github.com/elifulkerson. It is just source code at the moment; I'm not going to all the trouble to sign releases etc. That account is me.
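The hash and offline-check items above describe two different checks: the one a downloader runs (does the file I have match the published md5/sha hashes?) and the one the offline system runs (do the hashes the server currently publishes still match a baseline copy that the server cannot touch?). The following Python script is an added example of both, not code from this site; the file contents, file name and the hypothetical "replace file and hashes together" scenario are constructed for illustration. It does not model the GnuPG step.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List, Tuple

HashSet = Dict[str, str]        # algorithm name -> hex digest
Manifest = Dict[str, HashSet]   # file name -> its digests


def file_digests(path: str, chunk_size: int = 1 << 20) -> HashSet:
    """Compute md5 and sha256 of a file, reading it in chunks so large
    binaries do not need to fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_download(path: str, published: HashSet) -> Tuple[bool, List[str]]:
    """Downloader-side check: does the file on disk match the hashes published
    next to it? Every published algorithm must match; an algorithm this
    script cannot compute is reported rather than silently skipped."""
    actual = file_digests(path)
    problems: List[str] = []
    for algo, expected in published.items():
        if algo not in actual:
            problems.append(f"{algo}: unsupported algorithm, cannot verify")
            continue
        # compare_digest is a constant-time comparison and never treats a
        # truncated digest as a matching prefix.
        if not hmac.compare_digest(actual[algo], expected.strip().lower()):
            problems.append(f"{algo}: expected {expected}, got {actual[algo]}")
    return (not problems, problems)


def manifest_drift(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Offline-monitor check: compare the hash listing the server currently
    publishes with a baseline copy kept on a machine the server cannot reach.
    Any file whose digests changed, appeared or disappeared is reported."""
    changed = [n for n in baseline if n in current and baseline[n] != current[n]]
    added = [n for n in current if n not in baseline]
    removed = [n for n in baseline if n not in current]
    return {"changed": sorted(changed), "added": sorted(added), "removed": sorted(removed)}


def run_demo() -> Dict[str, object]:
    """Constructed walk-through: a one-file release, a downloader verifying it,
    and the offline baseline catching a server-side change of file and hashes."""
    with tempfile.TemporaryDirectory() as tmp:
        release = os.path.join(tmp, "tool.exe")             # constructed sample file
        with open(release, "wb") as fh:
            fh.write(b"hello")
        published = file_digests(release)                   # hashes listed beside the download
        baseline: Manifest = {"tool.exe": dict(published)}  # copy held on the offline system
        clean_ok, _ = verify_download(release, published)

        # The scenario the list guards against: the file on the server and the
        # hashes beside it are both replaced, so they agree with each other.
        with open(release, "wb") as fh:
            fh.write(b"hello, altered")
        republished = file_digests(release)
        local_ok, _ = verify_download(release, republished)          # passes: both changed together
        drift = manifest_drift(baseline, {"tool.exe": republished})  # offline copy disagrees
    return {
        "published_sha256": published["sha256"],
        "clean_ok": clean_ok,
        "altered_passes_local_check": local_ok,
        "drift": drift,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the demo makes is the one the offline-system bullet makes: a hash check alone only proves the file matches whatever hash page the server is serving right now, so the baseline has to live somewhere the server cannot write to. The GnuPG signature covers the case the hashes cannot, since the signing key never needs to be on the web server; after importing the published public key, `gpg --verify file.sig file` performs that check.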