Windows security check issues from UV 0.5.1 to 0.5.2.

[FishAlchemist]

winget-pkgs

• New version: astral-sh.uv version 0.5.1 microsoft/winget-pkgs#190127 (x64 Windows Only)
• New version: astral-sh.uv version 0.5.2 microsoft/winget-pkgs#191664
• New version: astral-sh.uv version 0.5.2 (x64 Windows Only) microsoft/winget-pkgs#192548
• New version: astral-sh.uv version 0.5.3 microsoft/winget-pkgs#192554 (Passed security check)

PyPI

• Windows Defender flagging uv 0.5.2 installation via pip #9143

---

Scan by VirusTotal

• Version 0.5.1 (Releases)
  • x64 Windows
    • uv0.5.1-x86_64-pc-windows-msvc.zip
    • uv0.5.1-x86_64-pc-windows-msvc.exe
    • uvx0.5.1-x86_64-pc-windows-msvc.exe
  • x86 Windows
    • uv0.5.1-i686-pc-windows-msvc.zip
    • uv.0.5.1-i686-pc-windows-msvc.exe
    • uvx0.5.1-i686-pc-windows-msvc.exe

---

I think it's because of the use of self-replace(#8914). This kind of self-updating behavior, if not digitally signed, can easily be mistaken for a virus.

Microsoft actually provides a channel to upload files for analysis.
https://www.microsoft.com/en-us/wdsi/filesubmission

[zanieb]

@charliermarsh Is the self-replace behavior worth dealing with this?

[charliermarsh]

What’s your opinion?

[zanieb]

I'm not sure. The whole "remove uv with uv" objective feels a little surprising to me. We can see if they fix this false positive before the next release?

[charliermarsh]

Yeah, it's a little surprising. I think it's even worse that it fails (probably not that controversial), but it's probably not worth what we're seeing here. Maybe we tear it out and just give a better error than before?

[charliermarsh]

@mitsuhiko -- Any opinion here?

[FishAlchemist]

Hi UV Team,
Given that both 0.5.1 and 0.5.2 have this issue and I've removed x86 Windows support for version 0.5.1 in my pr for winget-pkgs, do you think it's still worthwhile to merge the x64 Windows version of uv 0.5.1 into winget-pkgs?

Note

I've removed the support for the x86 architecture in version 0.5.1 of winget-pkgs. This is finally allow it to pass their pipeline checks ( x86 still doesn't pass the security checks). I'm not sure if they'll approve the merge given that the new version lacks x86 installation compared to the previous one.

• New version: astral-sh.uv version 0.5.1 microsoft/winget-pkgs#190127

Edit:
Oh, the members of winget-pkgs have agreed to merge.

[FishAlchemist]

As of now, winget-pkgs offers x64 Windows for 0.5.1 and 0.5.2, while 0.5.3 is available for both x86 and x64 Windows platforms.

[zanieb]

Is this still being flagged?

[FishAlchemist]

@zanieb
I think we can close this issue for now. Since the x64 versions of winget 0.5.1 and 0.5.2 and the subsequent version x86 and x64 versions of later versions are all working fine