@aeva @glyph I remember when this was a distinction held by perl. I doubt there's much of anything that can meaningfully be done there which doesn't also eliminate python's utility as a programming language.

@wuest @aeva okay let me be clearer here: I don't mean we need to make Python not turing-complete so it can't be weaponized, but it might be nice if the *community* developed a slightly more hostile attitude towards this usage. it's not like there aren't things that have *already* been done. PyPI scans for and rejects malicious packages so malware has a harder time using it as a distribution or C&C channel

@wuest @aeva also like maybe we could just make python packaging really *good* so that python apps look more like regular binaries and thus malware would have less of a "oh it's Python" signature (hence false AV flags) and more of its own distinctive signature because every app would be more tool-legible. I definitely do not want to make deployment _harder_ somehow

@glyph @wuest I just assume windows defender is just the libel generator at this point. I remember someone reaching out to me because it said one of my itch demos (totally custom rendering experiment written in C# + an experimental build of SDL3 + and plutosvg) as some random virus. Despite confidently falsely claiming that I had tried to dupe someone into downloading a virus, the person nevertheless remained calm, correctly assumed it was a false positive, notified me, and moved on.

@glyph @wuest point is, windows defender produces false positives so often people are *completely* desensitized to it. that is on them.

@glyph @wuest I think it's a valid question to ask why the windows defender team hasn't made windows defender able to recognize "this is an unmodified release build of python stuffed into an archive it fights for freedom" yet

@aeva @wuest okay yeah this was a bad example because the entire concept of "AV" is intellectually bankrupt and never really worked in the first place and doesn't even _appear_ to work now

@aeva @wuest I was committing the category error where Python has agency but AV developers don't, but in fairness to me, I only make that assumption because AV companies act like phototactic bugs seeking enterprise procurement contracts and not like thinking feeling human beings

@aeva @wuest there was a period of time where some of Twisted's copy literally said 'supported platforms: Linux, mac, FreeBSD, Windows*, NetBSD

*: without Avast installed

@glyph @wuest I imagine windows defender mostly exists to ineffectually bully people into distributing their stuff on the windows store

@glyph @wuest @aeva I think you overestimate how much different teams cooperate with each other or even want each other to succeed at all.

(I don't think you overestimate their capacity for being nefarious, only their institutional competence. Even that I can well be wrong on.)

@aeva @glyph @wuest I fully agree and have nothing to add but my reaction to windows defender smartscreen: grr

@xgranade @glyph @wuest the sorts of situations where the answer to the question "why has this been allowed to continue" is "the purpose of a system is what it does" are imo usually happy accidents for the beneficiaries

@xgranade @glyph @wuest @aeva yea when you ask the question, "why does windows defender still exist in the face of demonstrably doing none if the things it is notionally intended to do?", that doesn't end up pointing at the windows defender development team, it ends up pointing at whoever in microsoft is responsible for it's continued existence, and oh look there is no publicly available information about who that is our why they are doing anything. 1/2