[Feature Request]: Switch to Nuitka for builds
Checklist
- [X] I am using an up-to-date version.
- [X] I have read the documentation.
- [X] I have searched existing issues.
Description
From #361
Pyinstaller is notorious for being flagged by anti-virus software. This makes it more difficult for users to install TagStudio.
But by the very nature of how this kind of software has to package the binary, there will always be a significant risk of anti-virus getting triggered, no matter what alternative with a similar approach is used. This includes cx_freeze. Like @MaxCordell mentioned in their issue (#361), this doesn't happen nearly as often with cx_freeze compared to pyinstaller, but it still happens.
Solution
Since the workarounds required to package a Python runtime and the Python scripts in one file tend to trigger anti-virus software, I highly recommend switching to Nuitka. It doesn't package a runtime with the scripts; instead it translates the entire code into C code, and then compiles the C code.
So the advantages of Nuitka over something like pyinstaller and cx_freeze are:
- Better performance, since the program is compiled and runs natively now (not interpreted like with pyinstaller and co.)
- Practically 0 risk of triggering anti-virus, since this is just a normal C program after using Nuitka
- Extremely wide range of supported platforms:
  - Android
  - Linux
  - FreeBSD
  - NetBSD
  - OpenBSD
  - macOS
  - Windows (32 bits/64 bits/ARM)
- Big range of supported architectures:
  - x86
  - x86_64 (AMD64)
  - ARM
  - Generally, the architectures that Debian or RHEL support can be considered good and tested, too; for example, RISC-V won't pose any issues.
Like I mentioned in #361 with my comment, Nuitka translates and compiles this software just fine. I also showed how I built the program in that comment, so read that if you wanna try Nuitka on this software yourself.
Alternatives
Of course I thought about cx_freeze as well, since this is where I started this topic about Nuitka, but at least from my experience as a Python developer, I cannot recommend either pyinstaller or cx_freeze, or anything that works similarly for that matter.
If you want something that doesn't get flagged by anti-virus, Nuitka is by far the best option.
I love Nuitka, but it's also notorious for getting flagged by anti-virus software. This is something I'm struggling with in my own software at the moment. The creator said it's because Nuitka is commonly used by malware authors. I don't think I had issues when using cx_freeze, but like you, I wouldn't count on any frozen Python software not getting flagged.
Interesting, I guess it depends on what anti-virus you are using? I never ever had a single thing being flagged as malicious. But I also stay far away from extra anti-virus, and only used Windows Defender. Now I use Linux, so that's no more. But even so, the friends I send some things compiled by Nuitka also never had any issues, and they used a variety of anti-virus software.
If I remember to do that, I will spin up a Windows VM, build an EXE of this software with everything out there, throw them all in VirusTotal and we can see the results. That way we have some objective results, and not just subjective reports based on limited and specific situations.
In my case, it wasn't getting flagged by anything until a random day when Windows Defender and others changed their mind on both current and past versions. I've seen a fair amount of other reports from other people having trouble with Windows Defender as well. Apparently there are steps that can be taken to mitigate this, but you have to pay for commercial Nuitka to get access to those instructions. It also may be that specific libraries like those involving cryptography are more likely to cause issues. That's something I'm still looking into.
What I'm saying is that even if it's not flagged now, that may change in the future. That's why switching to Nuitka (solely) for anti-virus benefits may not be the best option.
That's fair, but if you don't wanna give people a bunch of Python code and tell them to run it, what other options are there besides Nuitka and the freeze-style packagers like pyinstaller? So yes, there might also be issues here, if not now then maybe some day, but as long as there isn't a better option, I don't see how Nuitka wouldn't be the best option.
Like I said, I will do a whole test of it all, and then we can just look at numbers. If you know of anything that doesn't work like pyinstaller and cx_freeze, let me know and I will test and include it in the overview.
One option is the Python Windows embeddable package. That's not as easy to set up, though.
Ok, I did the testing I said I would. Here are the results:
| Packager | Detection Rate | Notes |
|---|---|---|
| Nuitka | 12 / 72 | From the 12 things that think this is a virus, I only recognize two as a consumer-style anti-virus, that being Avast and AVG. Windows Defender doesn't think TagStudio is a virus when packaged with Nuitka. |
| Pyinstaller | 1 / 72 | This boggles my mind. How can it be that @CyanVoxel makes a video where they mentioned Pyinstaller causing a bunch of issues with AV, but then only one single AV gets triggered by it? I'm not a living, breathing anti-virus, so no idea what's up with that, but this feels at least suspicious. Any ideas and explanations are welcome. |
| cx_freeze | 0 / 64 | I can't even make a fair comparison with cx_freeze, since it turns out that it cannot do portable exe files. For that to work, I need to use another tool on top of what cx_freeze produces. I also couldn't even make the result cx_freeze produces run. First I had to manually specify all the packages to include, and even then it wouldn't work because for some reason ujson's DLL was always missing, so the program wouldn't run. I decided to just zip the output of cx_freeze and throw that in the scanner, since the actual code and binaries are mostly there, so the AV should be able to detect most of the things they might dislike. Feel free to try using cx_freeze again and post a more complete result. But I honestly can't recommend using cx_freeze even just from a usability standpoint after this experience. |
TLDR: Nuitka seems to be suspicious to 2 AVs that people use, and some more that companies and servers use. Last time I used Nuitka for a Windows program and tested it like this, I had a 0/X result, but that was a few years back, so things seem to have changed a bit.
Pyinstaller got a 1/72 for some weird reason. The divide between the test result and the perceived problems with AVs is really big, and I can't really make sense of it.
cx_freeze was a nightmare to use. It doesn't detect the used libraries on its own at all, it somehow broke something to the point of a DLL going missing, it can't do portable exe files, and I couldn't make it run at all. So the 0/64 score doesn't really mean anything in my opinion, since the software wouldn't even run in the state that was tested.