Aardwolf MUSHclient Package Trust FAQ

What code is running inside the Aardwolf MUSHclient Package?
All parts of the Aardwolf MUSHclient Package are free/open-source software, which means that you or someone you know and trust can freely read and modify the underlying source code. The installer itself is generated automatically using NSIS scripts available at https://github.com/fiendish/aardwolfclientpackage-installer and also uploaded to GitHub using a continuous integration service called AppVeyor according to the instructions found in the project's appveyor.yml configuration file at https://github.com/fiendish/aardwolfclientpackage/blob/MUSHclient/appveyor.yml. The download site at https://fiendish.github.io/aardwolfclientpackage is also automatically updated with new download links at the same time using the HTML template files at https://github.com/fiendish/aardwolfclientpackage/tree/gh-pages. MUSHclient.exe is compiled directly from source code also using AppVeyor. You can find the MUSHclient source code repository at https://github.com/nickgammon/mushclient and its appveyor.yml configuration file specifically at https://github.com/nickgammon/mushclient/blob/master/appveyor.yml. The Aardwolf MUSHclient Package also includes directly-from-source-code builds of LuaJIT, Lua-openssl, and Lua-llthreads2, each of which can also be found on GitHub at https://github.com/LuaJIT/LuaJIT, https://github.com/zhaozg/lua-openssl, and https://github.com/moteus/lua-llthreads2 respectively and which are all built at the same time as part of generating the installer with AppVeyor. In short, from the moment a set of changes enters the main MUSHclient code branch at https://github.com/fiendish/aardwolfclientpackage, the installer is automatically bundled in a clean virtual environment and then immediately uploaded without any interaction from me or my computer.
How can I trust you?
How can you trust anyone? My character name in Aardwolf is Fiendish. I've been playing there since before Aardwolf started recording character birth dates in 2001, so a long time, and, if you're reading this, I'm either still there or dead. Many players know me, or they at least know of me. If you want, you can connect to Aardwolf without using this software and talk to people. Or you can talk to me personally. I always respond to personal notes, tells, and emails (finger fiendish in-game). Emails are fastest if I'm not online at the time. But reputation is really the only way that trust ever works, so, if you don't currently trust me or my software, think about what it would take to earn your trust and act on that.
Ok, I looked at everything and asked about you, and I trust you now.
Excellent! I appreciate it.
How can I trust that AppVeyor isn't secretly injecting viruses into the compiled package?
The answer for this is the same as the answer for how you can trust me. Trust is earned only by reputation. I trust AppVeyor's reputation. If you don't, you can visit https://www.appveyor.com to learn more about them.
Microsoft/Symantec/AVG/McAfee/etc says that your installer is suspicious because you didn't sign it.
If you don't know what Code Signing is, you may want to read https://blogs.msdn.microsoft.com/ieinternals/2011/03/22/everything-you-need-to-know-about-authenticode-code-signing. Code signing certificates aren't free. In fact, they're very expensive for a project that I make no money doing. Code signing certificates are a great idea if you're a company who gets to charge hundreds of dollars per year for the right to say that I am who I say I am. Code signing doesn't seem so great from my perspective, because I don't want to have to pay hundreds of dollars per year to a cartel engaging in a protection racket. Unsigned code warnings are nothing more than them saying to me, "Gosh, it sure would be a shame if we scared away potential users (wink wink)." If the certificates were based on inspection of the actual source code and building the installer inside their special trusted environment, that would be one thing, but that isn't how they get assigned. Certificates are assigned based on whether or not I want to give the trust cartel a lot of money. If anyone feels like they want to donate the money for paying off the cartel for a few years, then I'll graciously start signing the software.
Microsoft/Symantec/AVG/McAfee/etc says that your installer is or contains a virus.
I'm 99.99% sure that they're lying to you. Every single time this has come up in the past it has been because the antivirus companies use overly aggressive detection heuristics that scoop up a lot of innocent false positives. Please let me know when it happens so that I can berate them directly. If they present a method for sending the package to them for further inspection, please use it. You can also send the downloaded files and URL to https://www.virustotal.com to see how other antivirus software treats it.