
Why is never a binary provided?

Me and 99% of users won't check the code for malicious behaviour so I might as well run a binary from the web.




This is more than entitled behavior, it’s downright harmful.

When (not if, when) binaries get trojanned, this causes blame to be directed at the original author, and takes a lot of work to explain that they are not at fault - this has happened in many supposedly reputable download sites including SourceForge, Tucows, Download.com and many others (yes, I haven’t used Windows in 20 years or so, no idea what the hip new places are).

Say “thank you”, and spend 10 more minutes yourself to set it up (even if compilation takes 5 hours, it’s usually 10 mins to get it started). And then offer it for others, and handle the ricochets when it gets trojanned with no wrong done by you.

If just 20 people adopted such a process, there would be 98% less complaints of this kind.


How can a binary I provided possibly be trojanned by someone else?

Genuinely curious.


Trojanned installers by Download.com were rampant back in the day. They would take your program and wrap it up in a nice little installer wizard and then also stuff a bunch of adware and spyware in there with it.


I don't understand what's the harm of having a releases page with a binary and its md5 hash, or how that keeps anyone from just compiling an unofficial binary themselves and adding malware to it.

Anyone not technical enough to compile a binary has to give up trying to use it or risk some unofficially distributed executable.


An md5 can be created for the trojanned binary and be posted along with it.

Not to mention that the md5 checksum is a very poor choice for this purpose because of the ease of creating md5 collisions.


But not on the official page, right? And there's nothing stopping someone from doing that now is there? I don't see how the original authors providing binaries is less secure than anything else.


The official page can be hacked, and both malware and md5 of the malware can be placed there.

That's the whole point of using a cryptographic signature backed by a web of trust instead of a mere hash.


Where would the hash be advertised?


Yeah but still hackers can abuse SEO and direct visits to their pages. If you are not careful you might accidentally download a malicious binary.


Sure, but what does that have to do with distributing binaries off GitHub? Maybe if BonziBuddy and IE6 make a comeback, but I don't see that happening.


> If just 20 people adopted such a process, there would be 98% less complaints of this kind.

Okay so if 20 people did the same work over and over it would reduce 98% of the complaints.

Contrast that to if the author did the work once, it would reduce 100% of the complaints!


If every author did.

Do they owe you anything?


Providing a checksum along with the binary singlehandedly solves your concerns, and you can add gpg signatures if you want.


A checksum can be falsified as easily as a binary, and so can a signature. Only if you participate in a web of trust are you theoretically better off... but most people don't, so all such measures do is give a false sense of security.


GitHub will take it down if it contains blatant malware, so it’s not that big of a deal.


Somebody would have to report that to them first, though.


Besides what beagle3 wrote: Providing binaries for various platforms is more work than you might think and the people who like to do development work are rarely the same people that like packaging and distribution. That's why developer and maintainer are separate persons more often than not.


Had not thought to make a binary for this project. I will look into this.


Because it's a Python project (like most AI code) and distributing Python code in easily usable form is an absolute nightmare.


I've not tried it with AI projects, but PyInstaller usually does a pretty solid job of packing up most Python projects, and it's pretty simple to get started with.


Will that package all the dependencies in?

I am not a Python dev, and testing AI stuff in Python made me hate the Python ecosystem (not the language) a lot. All these new AI projects are made by enthusiasts; they depend on a specific CUDA version and specific A, B, D Python lib versions. Very often shit does not work anymore and you need to google and hope another person was unlucky before you and posted some commit version of the stuff that still works.

My advice for people that test AI stuff: after you get it working, do not update; try, if possible, to install the new version side by side and see if it works. It saves you the pain of rolling back to a good version.


Better yet, make a Dockerfile.


I've packaged various AI/ML/PyTorch/TensorFlow things with PyInstaller in the past. It took some hours of initial work, but the result was good. Things might be easier now.


Encouraging users to run some random binary from GitHub is a really good way to spread all kinds of viruses. People should only run binaries from trusted sources.


Compiling and running random git projects isn't that big of a step up.


You're totally right, it's just as bad, maybe even worse because build tools sometimes ask for admin permissions. People should ideally rely on some kind of reputation system or get software from trusted vendors.


Like a package manager with maintainers, i.e. Deb, RPM, etc.


Or like Apple's App Store or the Google Play Store?

All of these, along with those package managers, have had malware posted to them.


You probably don't run curl | sudo bash either but other people have different threat models.


I do sometimes, when the source is trustworthy.


My problem is the assumption by authors that the project being installed is the only one on the machine, and the fact that projects get so tied to particular versions of libraries. Therefore installing the PyTorch specified in this version is likely to be injurious to other existing installations, unless you handle it all in a Conda wrapper.


Deliberate barrier to entry.

If you're going to use something that needs a bit of technical skill to operate correctly, you're going to need at least enough skill to get it running.

Roads would be far safer if every car had some facility by which you had to remove and refit some random engine or braking system component correctly before it would start.


Would roads be safer, or would there be more mechanics? They seem like different skills.


Roads would be safer, because people would understand more about their car than "PUSH BUTAN GO FAST".


Everyone would be too busy wrenching on their cars to drive them.


Roads would be more dangerous. I put the work into my car, I'll drive how I want.


Linked somewhere in the middle of the README file: https://backgroundremoverai.com/?lang=en



