Security question

Hi,

I hope the question is interpreted correctly and can be seen as an opportunity to provide transparency and strengthen the use of PrePoMax.
Like any user of free software with little programming knowledge, I have some concerns about the security risks of using this kind of software.

I would like to ask if PrePoMax has some kind of “Safe” certificate from an external certification entity?
If not, do you think it would be worth getting one?

On your GitLab website it states that "The program records all user actions in order to be able to repeat them later".

Does PrePoMax include some kind of keylogger or method of recording user activity, and to what extent?

Once again, thanks for this great tool.

I’m also not a software engineer but, apart from maybe signing the binary for new releases so that it never displays as unknown on Windows (not an issue for me, even FreeCAD sometimes has it), I don’t see the need for certifications. Since it’s open-source, you can see everything that the software does internally and you don’t have to worry about malicious code. I would be way more worried about what Windows does with our data.

Also, PrePoMax doesn’t even connect with the internet and the only interaction with the web is when you use Help —> Home Page. Then it just opens a page in your default browser and that’s it.

Actions (operations in the GUI, not individual key presses) are indeed recorded (for backup, of course) and only stored locally in a file that can even be opened in the GUI in the newest version. They aren’t sent to the cloud or anything. So, unless your Windows is hacked and someone has access to all your files anyway, it’s totally safe.

P.S. Back to FreeCAD as it’s a very mature and large open-source code of a similar kind. The only concerns about security/certification they had (from what I recall and from what I’ve found) were regarding tools using web connection and stuff like publishing this software in Apple/Microsoft Store.

P.S.2. CalculiX, Gmsh and other open-source dependencies of PrePoMax don’t need certifications either.

Thanks, FEAnalyst,

I didn’t know you were also involved in the coding process.
Who is the owner of the project? I mean, is there someone who knows all the details of the coding who could comment on that?

I’m not involved in coding (not yet but I’d like to help with that as well at least a little bit - hopefully soon enough). What I said is based on my knowledge about PrePoMax as its long-time user/supporter. I’m almost sure it works like this but I may not be 100% right. Matej is the only person who knows absolutely everything about this tool and the way it’s coded so I hope that he will confirm or clarify/correct what I said.

I have no idea how to get one, or how to go about getting one for each released version.

I can confirm that.

What is actually recorded are not mouse clicks and key presses but actions performed in the GUI. When a user creates a surface with some selection clicks and keypresses, only the created surface with its properties and its selection point/s are saved.

I wrote 99.9 % of the code without the external libraries. There is no information going from the user to the internet. However, there is some information written in the .pmx files in the recorded history (part of the .pmx file), like imported file paths and file names, which are shared when the .pmx file is shared. This data can be seen in the recently added history editor.

One more security issue. Even if the code is open-source and there is no security issue, you cannot determine if the executable (binary) code provided by other people is the same.

Yeah, but it’s easy to avoid - download binaries only from the official website or just build it yourself. That’s the FOSS advantage here, the last option gives 100% transparency and security to the most concerned users.