scanned it with Kaspersky Endpoint Security 10 with up to date database: no threat detected
So for me this is a workaround for a current exe and for the moment, as modifying the company Kaspersky settings always involves a round trip to the admins.
I hope that stays this way a while…
Cheers,
Theo
PS: I (obviously) don’t get a bit identical result from my compilations (it’s even 4k bytes bigger). Should Go create bit identical results for the same source code? Or are there additional flags which I should supply to the Go compiler?
Many things affect the generated binary apart from the source code. Things I know of off hand:
The source location (goes into symbol names, shown in panics etc)
Compiler environment variables like CGO_ENABLED which affect how it’s linked
Our environment variables like BUILD_USER and the host and timestamp
General compiler flags
With the same source in the same place, the same environment variables, the same compiler and the same compiler options the binary should be byte for byte identical.
It strikes me that the source location is a random-ish temporary path on the build server, which gets burned into the binary in a bunch of places and may be something that the virus checkers find suspicious…
Edit 1:
To test that theory it would be cool if you could see what it says about this build:
https://build.syncthing.net/viewLog.html?buildId=10732&buildTypeId=Syncthing_BuildWindows&tab=artifacts&guest=1 (no random paths)
compared to:
https://build.syncthing.net/viewLog.html?buildId=10685&buildTypeId=Syncthing_BuildWindows&tab=artifacts&guest=1 (standard build)
Edit 2:
Looks like my build didn’t work, so never mind that for the moment.
Edit 3:
This build is mostly without temporary paths in it:
Which raises my fears that Kaspersky may update its definitions and invalidates my work around. I will recheck next week with newer signatures if my work around still works…
Go and Syncthing both support reproducible builds just fine. Debian does it for example. It’s just a matter of controlling the environment per the checklist above (and possibly other stuff I forgot).
Virustotal seems to consider them equal, two obscure matches for both standard and without-odd-paths builds. So probably no difference. But then again it doesn’t indicate a kaspersky hit either so not sure what it means. Why would it flag our release builds but not others? There is literally no difference other than the version number.
Stop wasting your time and try to be in control of your own premsises, a.k.a. stop using snake-oil ware.
Those so called anti virus products seem to give you quite the hassle worth your money and bog you down. Additionally they rise your attack surface and worse.