You apologise way too often for your own good. Even for your own bad.
I know, and it makes people assume less sincerity when it's something really important (even though that's definitely not the case.)
A possible bug in the user interface: The checkbox for the NTSC filter's merge-fields setting doesn't seem to work (i.e. the fields are never merged regardless of the checkbox setting).
Oh well. At least it defaults to the much more useful non-merged mode. We'll have to get it in v042.
* AVs need to improve their static unpackers. UPX is dead easy to unpack.
The tool itself is under the GPL. Include the executable and shell it with upx -d before scanning. Perhaps do this only when you get a 'potential positive' on a virus.
They make the tool that scans for viruses, so it is their responsibility to be as thorough as possible.
I don't refuse to fix Mecarobot Golf or Megalomania for relying on obscure HDMA timing conditions, saying the game should be more like other games. I fix my emulator (while simultaneously bitching about how poorly programmed the game is.)
To an extent, then the costs incurred by going further begin to outweigh the benefits.
Option 1) distribute raw EXE. 6.3MB per download.
Option 2) distribute 7-zip file. 2.35MB per download, ~90% of users need to get a new utility to extract it.
Option 3) distribute ZIP file. 3.1MB per download, everyone post-Win9x can extract it, but they have to take an extra step after downloading.
Option 4) UPX. 2.3MB per download, end-users don't need any additional software anywhere. Just run the program directly.
$perGB in bandwidth and hard drive space drops year after year
95% of hosts lie their asses off about "unlimited" bandwidth and such. They just cancel your account for TOS / AUP violations if you actually end up using it. Remind you of US cable / DSL companies much? They want to sell the "unlimited" plans to old ladies hosting cat picture websites.
20GB of bandwidth a month from a real host costs roughly $150 a year. That equates to:
3,100 downloads / raw EXE
6,450 downloads / ZIP
8,700 downloads / UPX EXE
Each new release causes a massive spike in downloads.
If you want to pay me $100-200 a year for my hosting bill, then I can provide a ZIP version. $300 and I'll post it as a raw EXE. Otherwise, I'd rather conserve the bandwidth.
It should be pretty obvious that statement is like saying "the very concept of locks is fundamentally flawed, because there is no material so strong that it cannot be broken with sufficient force". Let's move on.
I took it as more 'anti-virus software is the wrong approach.'
This notion that apps should have 100% access to your entire hard disk, and able to install ring-0 drivers when run, is ridiculous. OpenBSD doesn't even take security seriously enough.
No application should have access even to a user's home directory unless the user explicitly grants it. Apps should default to being self-contained file systems à la OS X .dmg files. The user should be able to grant read and/or write access to recursive paths at their preference via the OS. It can do this with ring-0 popup warnings whenever the app tries to do something restricted for the first time, and ONLY one time.
Now what can malware do if you run it? It can't read or write any personal documents in your home folder. It can't communicate online. It can't install key logging drivers or query the real-time state of your keyboard when it does not have focus.
Why would its self-extracting nature absolve it? Do developers not expend time learning about it and using it? Do users and those trying to help them not expend time troubleshooting false positives begotten by it?
Developers: upx --best file.exe
99% of users: run like a normal EXE
1% of power users with broken AVs: upx -d file.exe once; run like a normal EXE
I thought I was clear that I'm keeping the current model, so I'm not sure what the problem is with arguing its merits. You guys are free to debate anything you want ad infinitum, that's not limited to UPX.