Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

This site ahead may contain harmful programs #667

Open
net-raider opened this issue Oct 27, 2024 · 20 comments
Open

This site ahead may contain harmful programs #667

net-raider opened this issue Oct 27, 2024 · 20 comments
Labels
question Further information is requested

Comments

@net-raider
Copy link

Comment:

What????

Image

@net-raider net-raider added the question Further information is requested label Oct 27, 2024
@rbavery
Copy link

rbavery commented Oct 30, 2024

I also got an error from google chrome when downloading the miniforge installer: dangerous download blocked.

Image

@jakirkham
Copy link
Member

Thanks for letting us know! 🙏

Could you please share the steps to reproduce?

FWIW just tried googling Miniforge, clicking different links, and performing downloads of Miniforge on Safari, Chrome, and Firefox without seeing the issue. Am having a hard time getting the error so need some more pointers on how

@net-raider
Copy link
Author

to me, it happens when I get to the specific link in the screenshot

@rbavery
Copy link

rbavery commented Nov 1, 2024

for me it was downloading the arm installer from this table https://github.com/conda-forge/miniforge?tab=readme-ov-file#miniforge3

I was on really slow hotel wifi that is open access, no auth. that might have had something to do with it?

@jakirkham
Copy link
Member

Interesting thanks! 🙏

Am able to reproduce in Google Chrome when going here: https://github.com/conda-forge/miniforge?tab=readme-ov-file

Image

Note that dropping the parameter does not cause the issue: https://github.com/conda-forge/miniforge

Searching for more info about why Chrome is flagging this URL leads to this Google Support answer with recommended next steps

cc @conda-forge/core

@antonkoenig
Copy link

The warning is still active and can be reproduced.

@jaimergp jaimergp pinned this issue Nov 5, 2024
@jaimergp
Copy link
Member

jaimergp commented Nov 5, 2024

Do the links at https://conda-forge.org/download/ raise any warnings?

@net-raider
Copy link
Author

Do the links at https://conda-forge.org/download/ raise any warnings?

I tried all six links and the downloads went through

@malbergo
Copy link

malbergo commented Nov 9, 2024

I'm still having this issue. How Can I verify that the download is safe (miniforge for apple silicone)?

@jaimergp
Copy link
Member

I checked guidelines and everything but we can't pin point at what exactly is triggering the warning. There are a bunch of links to shell scripts (installers), so maybe the don't like this. We could ask for a review through their Search Console (or whatever the name is), but that requires ownership of the "website". Since this a Github repo, we can't do that. The only alternative I can think of is putting the README contents in https://conda-forge.org/download (or a more specific page like /miniforge), and then link to that page from the README. If that ever triggers a warning, then we do have the power to signup for the Search Console with conda-forge.org and ask for more detailed reviews.

WDYT @conda-forge/core?

@beckermr
Copy link
Member

Go for it!

@jaimergp
Copy link
Member

I brought this up in the core meeting and yes, looks like we have no other choice.

@jaimergp
Copy link
Member

The error still shows up despite the new README without direct links, and https://transparencyreport.google.com/safe-browsing/search?url=https:%2F%2Fgithub.com%2Fconda-forge%2Fminiforge%3Ftab%3Dreadme-ov-file says it was updated today. Let's give it a couple days more for now...

@jakirkham
Copy link
Member

On our main webpage, we have a href to the flagged link

Do we want to keep that or change that?

@jezdez
Copy link
Member

jezdez commented Nov 15, 2024

I would strongly suggest reaching out GitHub support with this, given that this relates to a github.com site and conda-forge is a Microsoft supported project.

I would be shocked if the "Install unwanted or malicious software on visitors’ computers" warning is just the linking of the .sh files, given that plenty of other READMEs contain such information and links. My guess is this is an erroneous report to Google Safe Browsing initiative. The main problem though is that requesting a review (https://web.dev/articles/request-a-review) is only possible with that site ownership, which we can't achieve in this case.

EDIT: Oh in fact there is an option on https://web.dev/articles/request-a-review:

You can also request a review at google.com/safebrowsing/report_error/. In addition to serving as a reporting tool for site owners who believe their page was incorrectly flagged for phishing, this report will trigger a review of phishing pages that have been cleaned to lift warnings.

@jaimergp
Copy link
Member

google.com/safebrowsing/report_error/.

This is for phishing reports, not malicious software, I'm afraid.

On our main webpage, we have a href to the flagged link

Well spotted, let me add a PR!

@jakirkham
Copy link
Member

We seem to still be getting reports. Should we do something more here?

Wonder if we should replace this table with a link back to our own download webpage

@jaimergp
Copy link
Member

I guess we'll need to move all the relevant README content there at this point. Not sure why it complains when we are not linking to any SH files directly anymore and it shouldn't pick up the code blocks.

@jaimergp
Copy link
Member

Just realized that maybe the reason we are (STILL!) being flagged is because of the https://conda-forge.org/miniforge minisite linked in the sidebar. I changed that now, let's see what happens

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested
Development

No branches or pull requests

9 participants