AutoHotkey Community

There have been lengthy discussions on the topic of selling scripts, but that is outside the scope of this thread.

Anyway, there were two parts to my question:

1. Why would encrypting only the script part vs. encrypting the entire binary make any difference to licensing?
2. Semantics: Would it not be the license of the script which is affected, if anything, rather than the license of ahk?

Sry, I read the Thread (at least the first posts where Chris said that it's ok to sell) and I see it was a mistake.

So, that's done.

Note to myself: Don't post after 4 Beer...

the poll is missing option, "get rid of it"

_________________

You want to git rid of it, and not implement an alternative? In other words, you want to make compiled scripts impossible...

Besides, this thread is about AutoHotkey_L. If you're not going to use it, there isn't any reason for you to have your say. AutoHotkey Basic will not be changing.

Lexikos, PLEASE PLEASE do rewrite exearc! Otherwise we won't be able to do any admin tasks in future versions of windows …
http://www.autohotkey.com/forum/viewtopic.php?t=67416

Yeah i just found ANSI. but what is exearc, the compresser?

_________________

daorc, that document applies to Windows Vista. They haven't done that in Windows 7 and the next Windows is probably a fair way off, so I wouldn't worry about it just yet.

gamax92, don't post again until you've read and understand the first post on page 1.

I think you guys are missing the real issue entirely. This is just a band aid on a cut jugular. A temporary solution at best.

If you change the "signature" of compiled scripts, but that "signature" remains the same for each compile from that compiler version then the antivirus companies will just mark that "signature" as malicious eventually as well. As with any programming language it will be used maliciously eventually.

The only way I see any of this working is if we can convince the antivirus companies to do more than just a "signature" check to verify that not only is it an ahk built exe but that it is actually one that is malicious.

Or perhaps somehow the "signature" could be altered per compile so the chances of two being the same are slim to none.

I think that's not necessarily true. I suppose you're assuming that it's the signature of compiled scripts, specifically, that is causing them to raise false positives. Exearc uses some black-box techniques to encrypt and compress data inside the executable, which may be similar to some actual viruses. Note that last I checked, most of the false positives were caused by Ahk2Exe.exe.

Furthermore, a band-aid solution is better than no solution. Call me pessimistic, but I don't see anti-virus vendors ever implementing your idea. Even if some of them do, removing exearc is one effective (at least in the short term) measure I can take which no one else can. By the way, I suppose they would need to reverse-engineer exearc or a compiled script to know exactly how it stores the script.

Finally, even without anti-virus software causing problems, I have considered removing exearc for the following reasons:

• It is closed source, which means we cannot fix any bugs it may have or enhance it in any way. For instance, it doesn't support Unicode file paths.
• I have suspicions that anyone redistributing compiled scripts or AutoHotkeySC.bin is in fact violating the GPL, since the source code for the exearc module is not available. However, IANAL. I read somewhere that an explicit exception can be made, but it requires the permission of every contributing author. (Edit: I believe it was here.)
• Using more open/standard means to store the script in the executable would allow the compiler to be written as an AutoHotkey script, which would allow it to be maintained by the community, taking some of the burden off us C++ programmers.

I may not be understanding it correctly but bear with me just in case I do.

The way I see this is like the topic of gun control. Guns; like any tool; can be used for good or evil. Some people are against gun ownership for everyone simply because they can and have been used for evil. However many still find guns a very important and useful tool for doing good things.

Similarly ahk is a tool. Eventually a 'clean' version will be used for evil and AV companies will probably again label all. This is what I think is the root problem.

I think the terms for this are generalizing and stereotyping.

* I don't want to derail the topic with this analogy so please don't focus on the words I use but instead the ideas.

Hopefully you are 100% right - it may have to do with only Exearc - and then we will not see a a bad mark again. Regardless of future outcomes, I'm very thankful for your efforts. You are a credit to team.

First, there are two things that are entirely separate:
1. False positive on the AHK installer.
2. False positives on compiled scripts.

If the first problem, with the AHK installer, can be fixed by replacing Ahk2Exe, then cool. But I'm not too worried about it because it doesn't affect me nearly as much as the second problem. It does affect people new to AHK, so I would say it's still important.

But the second problem, with the compiled scripts, is more of a problem. To ask my customers to kindly ignore a false positive is really bad, almost enough to make me abandon AHK for programs I sell.

The key question is why the compiled programs are wrongly flagged. I doubt that a lot of AHK malware is causing a "signature" problem with AHK. To me it seems more likely that it's due to the parts of the windows API that AHK binds against. But I could be wrong, I'm only guessing.

It's unclear to me whether changing how compilation is done would affect compiled scripts, but since they are currently flagged as having viruses, I don't see how it could be worse.

bump Lexikos, are you still considering implementing this? I'm still very much in favour!

Yes. It's not high on my priorities.