this post was submitted on 02 Feb 2026
304 points (99.4% liked)

Programming

25504 readers
393 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 2 years ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
UlrikHD@programming.dev
bugsmith@programming.dev
Spyro@programming.dev
304
Notepad++ Hijacked by State-Sponsored Hackers (notepad-plus-plus.org)
submitted 1 week ago by who@feddit.org to c/programming@programming.dev
50 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] Lojcs@piefed.social 53 points 1 week ago (27 children)

Sign the updates before uploading them so they can't be faked?

[–] yetAnotherUser@discuss.tchncs.de 21 points 1 week ago (26 children)

It's astounding this wasn't done years sooner to be honest. I mean, signing software with keys is not something invented recently. Not doing so is akin to storing passwords in plain text.

[–] 9tr6gyp3@lemmy.world 16 points 1 week ago* (last edited 1 week ago) (24 children)

I think they want to, but Microsoft has made it expensive for open source developers who do this as a hobby and not as a job to sign their software. I know not too long ago, this particular dev was asking its users to install a root certificate on their PC so that they wouldn't have to deal with Microsofts method of signing software, but that kind of backfired on them.

[–] TeamAssimilation 8 points 1 week ago (1 children)

Let’s Encrypt is a trusted, established alternative, it could replace Microsoft for long-lived software certificates.

Or tarnish its name associating it with malware and bad actors, who knows?

[–] Luminous5481@anarchist.nexus 3 points 1 week ago (1 children)

Let’s Encrypt is a trusted, established alternative, it could replace Microsoft for long-lived software certificates.

Uh, no it could not.

First of all, the whole point of signing software is to ensure it comes from a reputable source. Let’s Encrypt signs certificates with an automated process that does no verification whatsoever of the identity of the person asking for a certificate. It would make the whole process completely pointless.

Second, Let’s Encrypt has stated themselves over a decade ago that they have no intention of doing this because it would render the whole system pointless.

[–] piccolo@sh.itjust.works 8 points 1 week ago* (last edited 1 week ago) (1 children)

The point of signing software is to ensure the software was not tampered from the publisher. Linux package managers solve this by comparing a gpg key from the publisher with the software's. There is no need for a corporate giant to "vet" software.

[–] sukhmel@programming.dev 1 points 1 week ago

I guess, the point was there's nothing doing that in windows, and you will have to check manually or use an expensive M$ certificate

load more comments (22 replies)
load more comments (23 replies)
load more comments (23 replies)