On Sun, 2020-06-28 at 15:12 +1200, David Harris wrote:
> I normally compile OpenSSL with "no-asm", but this time I thought I'd try
> installing NASM and seeing what difference, if any, it actually made.
>
> I downloaded NASM from the official site (which I believe to be
> http://www.nasm.us) and, as I always do with anything I source from
> outside my firewall, ran it through virustotal
> (https://www.virustotal.com/gui/home/upload).
>
> It reports 11 different scanners out of 72 finding malware in the file
> (nasm-2.15.01-installer-x86.exe). Now, one or two reports from Virustotal
> is normal - there are so many scanners out there that there are bound to
> be occasional false-positives... But 11 is more than I have ever seen on
> something that supposedly wasn't infected. Interestingly, VirusTotal did
> not have cached results for this file, meaning that nobody else has tested
> it in the last month or so.
>
> Google didn't reveal any insight, and the NASM project doesn't have any
> contact options that don't involve registration or mailing lists or I'd
> report this to them. There is no mention of anything like this in their
> forum.
>
> 11 reports is too many for me to feel safe using this product, so for now
> I'll keep using no-asm, and hope that it's not going to get more
> deprecated than it apparently is at present (based on the comments in
> INSTALL).
>
> If anyone on the list has a NASM account or knows any of the maintainers,
> could they pass this on? They really should be aware of it.

I'd recommend reporting your findings to the NASM bugzilla
http://bugzilla.nasm.us/ or to their forum at https://forum.nasm.us/

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]