Open Bug 1628078 Opened 6 years ago Updated 3 years ago

Should download pre-built fzf binaries and check their hashes (perhaps through a fetch task and taskcluster)

Categories

(Developer Infrastructure :: Try, defect, P3)

Tracking

(Not tracked)

People

(Reporter: Gijs, Unassigned)

Details

This means I can't push with mach try fuzzy unless I tell Windows that I don't want to quarantine the thing, which seems like something that's just a zipfile checked into a random github repo, on which we (AFAICT) do no further integrity checks. I'm not super comfortable doing that...

Summary: Windows Defender quarantines fzf for being malware (Trojan:Win32/Wacatac.D!ml) → Windows Defender quarantines fzf.exe for being malware (Trojan:Win32/Wacatac.D!ml)

The current automated bootstrap clones the fzf repo and runs the ./install script. But yeah, we don't do any additional integrity checks. We should probably just download the pre-built binaries and check the hash (maybe even wrap them in a fetch task first and download them from TC).

In the meantime, the automatic bootstrap only runs if fzf was not found on the $PATH. So you are free to install it in whatever way you are most comfortable from here:
https://github.com/junegunn/fzf#installation

If you do this, you can clobber ~/.mozbuild/fzf to remove the old installation.

I'm not really sure what (if anything) we can do about Windows Defender though.

Priority: -- → P3
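
One way to do the hash check proposed in the comment above, as an added example that is not part of the bug discussion or of the mach bootstrap code: the archive's SHA-256 and size are pinned alongside the bootstrap code and checked before anything is extracted. The function names and the `fzf.exe` member name are assumptions, and the pin is supplied by the caller, recorded when the release was reviewed.

```python
import hashlib
import zipfile
from pathlib import Path


class IntegrityError(Exception):
    """Raised when a downloaded archive does not match its pinned metadata."""


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so the archive is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_archive(path, expected_sha256, expected_size):
    """Compare size and digest with the pinned values; raise on any mismatch."""
    actual_size = Path(path).stat().st_size
    if actual_size != expected_size:
        raise IntegrityError(f"size mismatch: got {actual_size}, pinned {expected_size}")
    actual = sha256_file(path)
    if actual != expected_sha256.lower():
        raise IntegrityError(f"sha256 mismatch: got {actual}")


def install_verified(path, expected_sha256, expected_size, dest, wanted="fzf.exe"):
    """Verify first, then extract only the expected member into dest.

    Nothing is created under dest unless verification passes. The output name
    is our own constant, so member names inside the zip cannot redirect the
    write outside dest.
    """
    verify_archive(path, expected_sha256, expected_size)
    with zipfile.ZipFile(path) as zf:
        if wanted not in zf.namelist():
            raise IntegrityError(f"archive has no member named {wanted!r}")
        dest = Path(dest)
        dest.mkdir(parents=True, exist_ok=True)
        target = dest / wanted
        with zf.open(wanted) as src, open(target, "wb") as out:
            out.write(src.read())
    return target
```

The pin only helps if it lives somewhere the download source cannot change, which is why it is an argument here rather than a checksum file fetched next to the archive.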

(In reply to Andrew Halberstadt [:ahal] from comment #2)

> I'm not really sure what (if anything) we can do about Windows Defender though.

I submitted as a false report (through https://www.microsoft.com/en-us/wdsi/filesubmission ) given the github issues indicate this has happened before... submission ID 635f068b-fc52-4622-bc0e-7c122e27f355 .

(In reply to Andrew Halberstadt [:ahal] from comment #2)

> We should probably just download the pre-built binaries and check the hash (maybe even wrap them in a fetch task first and download them from TC).

I'll morph this bug for this.

> I'm not really sure what (if anything) we can do about Windows Defender though.

They got back to me within a few hours (I was asleep...) and, having updated through Windows Update, the problem has gone away today \o/ .

Summary: Windows Defender quarantines fzf.exe for being malware (Trojan:Win32/Wacatac.D!ml) → Should download pre-built fzf binaries and check their hashes (perhaps through a fetch task and taskcluster)

Because this bug's Severity has not been changed from the default since it was filed, and its Priority is P3 (Backlog), indicating it has been triaged, the bug's Severity is being updated to S3 (normal).

Severity: normal → S3
Product: Firefox Build System → Developer Infrastructure