Friend wary of downloading Vassal.

I have a newbie wargaming friend who is unwilling to load Vassal unless he feels it is safe to download. I did not find anything in the wiki or FAQ on this subject. What can I tell him about security and Vassal?

Thus spake wolvenwood:

I have a newbie wargaming friend who is unwilling to load Vassal unless
he feels it is safe to download. I did not find anything in the wiki or
FAQ on this subject. What can I tell him about security and Vassal?

Why would your friend trust what we write in on the wiki or in the FAQ
if he’s already dubious about the software?

Is there something more specific your friend wants to know? There are
no risks beyond what you get from any userspace application.


J.

He mentioned things like trackers and stuff. He does a lot of banking and other sensitive work on his one and only machine, so he’s not willing to load anything he’s unsure oF. I checked the wiki and faq just to see if they could point me to something I could show him. The phrase “userspace” is new to me. i guess that means something like Sourceforge? What are the normal risks of userspace applications? This question is coming from a couple older guys who are not hugely tech savvy.

Thus spake wolvenwood:

He mentioned things like trackers and stuff.

VASSAL contains no malware. We don’t do anything to track users.

He does a lot of banking
and other sensitive work on his one and only machine, so he’s not
willing to load anything he’s unsure oF. I checked the wiki and faq just
to see if they could point me to something I could show him. The phrase
“userspace” is new to me. i guess that means something like Sourceforge?

No, “userspace” is where unprivileged applications run. It has nothing
to do with SourceForge at all.

What are the normal risks of userspace applications? This question is
coming from a couple older guys who are not hugely tech savvy.

The normal risks of running applications are that the applications could
do anything that the user account being used to run them has permission
to do. I wouldn’t recommend running VASSAL using an account with admin
privileges, but that has nothing to do with VASSAL in particular—I
wouldn’t recommend running any app using an account with admin privileges
unless they’re essential.


J.

I’ve been using Vassal extensively for over 7 years and I’m very security conscious. I’ve never experienced any problems with Vassal whatsoever.

I installed Vassal from Sourceforge on Jan 4th. It seems to be only malware. What exactly is being installed?

Thus spake Jarl67:

I installed Vassal from Sourceforge on Jan 4th. It seems to be only
malware. What exactly is being installed?

  1. What exactly did you click on to download VASSAL?

  2. What was downloaded when you did that? (Filename, file size)

  3. What did the installer look like? (Screenshot would be helpful.)


J.

Hi J,

I am fairly certain it was link on vassalengine.org/ which goes to Sourceforge where I clicked on the vassal download button. I didn’t download it but instead just ran it from dialog box. Sorry I am unable to give you more information, like screenshots, filename, etc.

-Jarl

Thus spake Jarl67:

Hi J,

I am fairly certain it was link on vassalengine.org/[1] which
goes to Sourceforge where I clicked on the vassal download button. I
didn’t download it but instead just ran it from dialog box. Sorry I am
unable to give you more information, like screenshots, filename, etc.

-Jarl

Just now I downloaded and hashed each of the five files we offer via
our Downloads page for 3.2.15 and found that in each case the hash
matched the hash of files I uploaded when we released 3.2.15. I.e.,
barring someone having found a way to produce SHA1 hash collisions,
the files I downloaded are identical to the ones I uploaded. There
isn’t any malware in the files I uploaded.

I can’t comment further on what you’re seeing without more details,
but I can conclusively say that there’s nothing wrong with the files
I downloaded.


J.

The Vassal download should start automatically, you shouldn’t have to click on anything.

It sounds like you clicked on one of those prominent green-colored Download buttons, which indeed are just advertisements, malware or other assorted garbage.
You need to be real careful about what you click on at these various filehosting sites, like Sourceforge. They all have these advertisements that look like you need to click on to get the file you want.