I normally compile OpenSSL with "no-asm", but this time I thought I'd try installing NASM and seeing what difference, if any, it actually made. I downloaded NASM from the official site (which I believe to be http://www.nasm.us) and, as I always do with anything I source from outside my firewall, ran it through virustotal (https://www.virustotal.com/gui/home/upload). It reports 11 different scanners out of 72 finding malware in the file (nasm-2.15.01-installer-x86.exe). Now, one or two reports from Virustotal is normal - there are so many scanners out there that there are bound to be occasional false-positives... But 11 is more than I have ever seen on something that supposedly wasn't infected. Interestingly, VirusTotal did not have cached results for this file, meaning that nobody else has tested it in the last month or so. Google didn't reveal any insight, and the NASM project doesn't have any contact options that don't involve registration or mailing lists or I'd report this to them. There is no mention of anything like this in their forum. 11 reports is too many for me to feel safe using this product, so for now I'll keep using no-asm, and hope that it's not going to get more deprecated than it apparently is at present (based on the comments in INSTALL). If anyone on the list has a NASM account or knows any of the maintainers, could they pass this on? They really should be aware of it. Cheers! -- David --
