> It's similar to other third-party component libraries out there. There are open source and closed source ones.
You're trying to side-step the fact that a random user uploaded binaries that were crafted to do god knows what to the host's computer in a way that circumvents basic auditing and security checks, and did so while hijacking/piggybacking on popular software projects.
You can try to spin this any way you want, but you need to be crazy to download and run these binaries as there is zero assurance they are not malware.
It isn't a random user. The author of the repo has quite an online presence and track record.
My top choice, all other things equal, is open source code but I know I don't read all the code and rely on a trust network.
A lot of open source code is distributed as binaries these days, in Go, Rust, Docker, and others. Developers have the option to download the source and compile it themselves, but they don't always do it. It's convenient to be able to download a self-contained binary.
I'm not trying to spin it, just to point out that I'd have an easier time trusting this than I'd have trusting many open source projects.
"a random user" is the developer of Sciter, which is the UI engine used by practically every antivirus software on the planet. This is just a demo of his new project that combines Sciter with a JS engine. He only provided demo binaries because he is running a crowdfunding campaign to release the open source version.
According to this SO question [1] with the OP's answer, it seems that most AVs share the Material-like design for which Sciter suits. Using Electron in AVs (among others that would only require the layout engine) would be silly.
Security, for starters.
There is no way around this.