[chirp_users] Panda reported a virus in Oct 9 and Oct 13 daily builds.

Dan Smith
Thu Oct 15 09:57:12 PDT 2015


> Every few months we get a message like this to the mailing list. It's
> usually one of the smaller antivirus packages reporting a virus. So
> far they have all been false positives. My guess is there are actual
> viruses out there using Python libraries, and not realizing they're
> looking at popular open source software, the antivirus company flags
> it.

Yep, and just to further explain how these builds are created for those
that are interested (and/or are wondering how we attempt to protect our
users who trust our builds):

Every night, when a change is pending, the build server literally builds
an entirely new Windows 7 virtual machine with known-good copies of all
of our base dependencies. It then creates the new chirp build on that
machine and uploads it to the chirp website. When it's done, it
*destroys* the temporary machine it created. The next day, the whole
thing starts from scratch.

The process takes about 10 minutes total and occurs on an almost
completely sealed private network. There's really no opportunity for
anything to get on the build machine and disrupt the process, and it
certainly wouldn't change day-to-day, build-to-build.

--Dan


