Arch Linux User Repository

I don't use clamAV, so I don't really know how its signature database works. I spent a bit of time just now reading about it, but none of the documentation I read was really helpful. (there's like, six different signature formats?)

The purpose of flagging a false positive is to alert the team that maintains the signature database that there might be a false positive - it is up to them (the Cisco Talos team if clamAV's documentation is correct) to manually review the information we provide and then perform the necessary modifications to the database, which may take several days if the team is busy.

If you know of other places where this could be escalated, that might help. But again, I don't use clamAV (I didn't even know it existed until yesterday :P) so I don't think I'll be of much help to you here.

Thanks for responding! @neoninteger! Why is this happening in the first place with clamAV? It came across few more files having the same signature. Should I escalate this to clamAV?

That false positive report didn't really helped

@romelsalwi I've just submitted the below report to clamAV's false positive report page, and I encourage you to do the same:

A user of my Arch Linux package for Turtl (an end-to-end-encrypted note-taking app written in JavaScript and Rust) reported that one of its dependencies (imurmurhash) is falsely flagged by clamAV as "PUA.Win.Trojan.Xored-1". According to the project's issue tracker (https://github.com/jensyt/imurmurhash-js/issues/1) this has been happening for at least two years now. This is an NPM package which currently sees over 25 million weekly downloads, and the SHA-256 checksum of the version included with the Turtl binary distribution (which I've attached below) matches that of the GitHub download (https://github.com/jensyt/imurmurhash-js/blob/master/imurmurhash.min.js) which is known to not have been tampered with.

I just ran a clanAV scan on my system and found out imurmurhash.min.js is bugged with PUA.Win.Trojan.Xored-1 trojan

gconf is still needed, removing it from my system results in a dynamic linking error whenever I try to launch Turtl, specifically error while loading shared libraries: libgconf-2.so.4: cannot open shared object file: No such file or directory

It's probably possible to run Turtl without gconf however doing so would require building Turtl from source (probably with a newer Electron version, we're still using v1.8.3 here!) which I have yet to successfully accomplish. Remember that this package just pulls a prebuilt version of Turtl from GitHub Releases.

As for why I am unable to build from source, I'm running into https://github.com/turtl/tracker/issues/338 and https://github.com/turtl/tracker/issues/361

BTW also agree that turtl should be renamed to turtl-bin.

gconf is very outdated and is now in the AUR. Please check if turtl really still depends on gconf (it probably doesn't) and then remove it. Many other packages could already successfully remove gconf from their dependencies. Turtl is the only package remaining on my system why gconf is still pulled as a dep.

@neoninteger Thanks

v0.7.2.6-sqlite-fix appears to be a Mac-specific update, there's no Linux build for it that I can pull from. v0.7.2.6-pre-sync-fix appears to be the latest version for Linux.

@neoninteger: Newer Turtl release on Github - (v0.7.2.6-sqlite-fix) dated Nov 5, 2019