13

I ran into this answer while doing first posts review.

The question is "How to force a Google Drive sync from windows 7 command prompt".

The provided answer is basically "I wrote an application to address this problem. Try it out. Link to download."

The application:

  • could be harmful and buggy and might not solve the problem at all;
  • or it actually could be a good program which solves the problem.

My question is - what is our policy regarding such answers? I understand that this is a link-only answer anyway, but besides this fact, how should we treat "Try the application I wrote" answers?


[Image: Answer screenshot]


  • 1
    Does it answer the question? No? Flagging as spam is mostly a safe bet. It answers the question: VTC/flag the question for closure. That particular one is a valid answer, not stellar, but valid (if the program he recommends actually does what he says and only that).
    – Braiam
    Commented Feb 10, 2015 at 2:11
  • 2
    Oh, btw, I provided an answer that does fix the problem without downloading anything.
    – Braiam
    Commented Feb 10, 2015 at 3:08
  • If it's a genuine solution maybe it's worth asking the poster to improve their answer by elaborating how the program works.
    – stib
    Commented Feb 18, 2015 at 5:06
  • 2
    Running a program posted by a user with 1 reputation is a bad idea even if it's virustotal-safe.
    – Sanya_Zol
    Commented Feb 18, 2015 at 13:52

1 Answer

15

Well, there's nothing particularly wrong with that - if there's proper attribution, and the user's not falling afoul of our community guidelines for self promotion, and such, it's ok.

In general we hope people are smart enough to do a virus scan before downloading, and the main concern I would have is reliability of the download.

Feel free to flag anything you've found that's actually malware - virustotal and a linux box is awesome for that.

  • 3
    "Linux box is awesome for that." Except when it only runs on Windows.
    – Jon
    Commented Feb 10, 2015 at 15:06
  • 5
    I wouldn't run it until I ran it past virustotal
    – Journeyman Geek Mod
    Commented Feb 10, 2015 at 15:06
  • 7
    Is there an obligation for reviewers to actually check out the linked application? For instance, if I'm reviewing first answers and come across this, should I skip the review if I'm unwilling or unable to test the link? Or is it okay for me to click "Looks Good" if I think everything else looks okay?
    – Excellll
    Commented Feb 10, 2015 at 16:58
  • No, but I wouldn't consider a link to bespoke software automatically to be malicious. I'd flag based on the totality of the answer. I've at least once improved an answer cause it was crap, but the software it recommended was pretty uniquely useful.
    – Journeyman Geek Mod
    Commented Feb 10, 2015 at 23:40
  • I think Blatant Self Promotion (BSP) is okay if the software is free of malware, states cost even if free, and actually does what it says.
    – Sun
    Commented Feb 11, 2015 at 20:43
  • 3
    The fact is that AV scanners will fail to find most malware when it's been recompiled with a different compiler. An AV scanner has about zero chance of catching a zero day virus. We're talking about a trojan here and that has an even lower chance of being detected than a zero day virus because those do perfectly normal things that will never be detected using heuristics, they are zero day if they were posted here, and they were purposely installed. Show us the source, be it MS or Apple or IBM, or GFY IMHO.
    – krowe2
    Commented Feb 11, 2015 at 21:14
  • 1
    @krowe2, "Show us the source, be it MS or Apple or IBM, or GFY." Makes sense. But who will be studying these sources? What if there are 3000 rows of code or 5000? What if the code is pure sh*t and horrible to follow? I think if we are going to let such answers stay, then there should be a warning added - download and use at your own risk.
    – VL-80
    Commented Feb 11, 2015 at 21:45
    @Nikolay If the source is there then it is at least possible to know what's going on. It is actually fairly easy to scan over much more code than 5k lines fairly quickly as well. OTOH, there really is no way to reliably tell whether compiled code is malware (unless you are mythically good at reading ASM code). Who's to say that a perfectly fine compiled app won't turn into malware one day (e.g. Blackworm, Kama Sutra Worm)? If the code is garbage, then you want the source even more; because you'll probably need to fix it.
    – krowe2
    Commented Feb 11, 2015 at 22:52
    @krowe2 For example, the compiled binary can be signed. With a trusted Symantec/VeriSign code signing certificate, for instance. We're not paranoid here =)
    – thims
    Commented Feb 16, 2015 at 16:15
    @thims I wasn't aware that you spoke for the group. Digital signing doesn't tell us anything about the content of the binary. So you're saying that you are expecting people to give away free binaries which are signed using 'for pay' certs? Is someone going to bankroll this or are we expecting the authors to not only give us free software but to also pay for us to use it? In the end, it still does very little unless you first trust both the issuer of the cert and the owner of the cert (which is why ONLY pay certs would do at all).
    – krowe2
    Commented Feb 16, 2015 at 17:02
  • @krowe2, have you ever seen any single malware signed with VeriSign!?
    – thims
    Commented Feb 17, 2015 at 9:39
  • 1
    @thims Your question entirely misses the point. I have seen applications which I would consider to be malware with a signature. They are typically those borderline applications which are known as "Ad Supported". The thing you are missing is that it costs about $750/yr to get a Verisign cert for your app. No one is going to pay that kind of money just to give something away. You need to get away from Verisign if you ever hope to make a meaningful statement concerning the best way to distribute free software as an unknown vendor. Also, "Ad Supported" means that it isn't free at all.
    – krowe2
    Commented Feb 17, 2015 at 14:59
  • 1
    krowe2, "No one is going to pay that kind of money just to give something away" =) This is exactly what we do: giving away more than 100 free utils, all VeriSign-signed. No ads.
    – thims
    Commented Feb 18, 2015 at 13:26
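
The two checks the thread keeps coming back to (the VirusTotal scan the answer suggests, and the code-signing check thims and krowe2 argue about) as one PowerShell snippet a reviewer could run before touching a downloaded binary. This is an added example, not part of the original post or any commenter's words; the file path is an assumed placeholder and the executable name is made up.

```powershell
# Added example: pre-run checks on a downloaded binary.
# $Path is an assumed placeholder; point it at the actual download.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\gdrive-sync-tool.exe"  # constructed name
)

if (-not (Test-Path -Path $Path)) {
    throw "File not found: $Path"
}

# 1. Hash the file. A SHA-256 can be looked up on VirusTotal without uploading
#    the file, which also avoids sharing a possibly private binary.
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
Write-Output "SHA-256: $hash"
Write-Output "VirusTotal lookup: https://www.virustotal.com/gui/file/$hash"

# 2. Check the Authenticode signature. Read the result for what it is:
#    'Valid' means the signer's certificate chains to a trusted root and the
#    file is unmodified since signing. It says nothing about what the code does.
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Output "Signature status: $($sig.Status)"
if ($sig.Status -eq 'Valid') {
    Write-Output "Signer:  $($sig.SignerCertificate.Subject)"
    Write-Output "Issuer:  $($sig.SignerCertificate.Issuer)"
    Write-Output "Expires: $($sig.SignerCertificate.NotAfter)"
} else {
    # Unsigned, self-signed, or tampered files all land here.
    Write-Output "Unsigned or invalid signature: $($sig.StatusMessage)"
}
```

Get-FileHash needs PowerShell 4.0 or later, so on Windows 7 it requires installing Windows Management Framework 4.0 first. The split between the two outputs is the point krowe2 makes: the hash lookup asks whether scanners already know the file, and the signature asks who vouches for it and whether it is intact; neither answers what the program does once run.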
