qBittorrent official forums

My running 4.1.6 client notified me that there is a 4.1.7 version out, so I downloaded it from https://www.fosshub.com/qBittorrent.html. I then went to look at the main site, and the ribbon still says 4.1.6, no mention in the News, and the Download page still has 4.1.6.

Is this new version legitimate? Did FH jump the gun?

SF has it as well, same SHA256 checksum for the 64 bit version:
8f336c26866cfc6322c5ad7b0a557fb896b31f93246dca7a187d8764f0b02fd1

LOL I came here with the same question. Sucks that you have to suspect everything these days.

Also, the reCraptcha settings are turned up to a rage-inducing high level, so thanks for that.

Hi to everyone, my fellow human beings   

I registered an account just to express my concern as well.  Chrome warned me about this file could be dangerous, I do not recall past updates getting the same warning (I'm qBT user since less than or about a year now).


This is what I got. qbittorrent_4.1.7_x64_setup.exe
MD5 fff8a412bc6378d9d473eb662a50c767
SHA-1 a4bcffe3226685a29a42f4b5274b26d101597bbd
SHA-256 8f336c26866cfc6322c5ad7b0a557fb896b31f93246dca7a187d8764f0b02fd1

VirusTotal link

https://www.virustotal.com/gui/file/8f3 ... /detection


I think we can reduce it to 3 possibilities.

- We got hijacked somehow (dns redirect, proxy, etc).
- Something was compromised from the developer side.
- It is a "legit" update and either, like peterd mentioned, someone jumped the gun releasing it or someone is late updating the site (changelogs, forum post, etc).

Given the current times we are living, I'll wait it out and I humbly advise anyone reading this to do the same.


Goodbye my fellow human beings.

I think you can safely eliminate your hijacking option, xta, as we're talking multiple users and multiple sites. Compromise is a possibility, but hacking the credentials for both SF and FH would also be pretty unlikely.

What is more likely (and I should have mentioned this in my first post) is that the developers are dealing with the chicken/egg problem of making sure that new versions are available for download before they are announced.

That said, and while I'm always skeptical of virus warnings for torrent clients; the one you posted is interesting, and I hope the devs take a look at it.

Also suspicious about this. Windows SmartScreen flagged it.

But I did find the 4.1.7 Milestone and 4.1.7 Release on GitHub.

I think maybe it is safe.

According to this - https://github.com/qbittorrent/qBittorr ... /Changelog - this release seems to be legit after all.

Yes it seems official release from sledgehammer.

Im wondering why the main page and the forum isn't updated yet.

Switched over to Linux and the PPA has been updated as well. No problems there with 4.1.7 so far.

Its a release.
It seems to have fixed the notorious crash on startup bug on 4.1.6 x64 (see https://github.com/qbittorrent/qBittorrent/issues/10581)

could be some people are on vacation or such. not sure if sledgehammer is the one running the site but if there's another volunteer it could be answer.

i'll post the changelog here so more people that searched google like me find it.

Sun Aug 04 2019 - sledgehammer999 <[email protected]> - v4.1.7
    - FEATURE: Add 12 hour and 24 hour speed graphs (dzmat)
    - FEATURE: Change "Add new torrent" dialog to horizontal layout (Evgeny Lensky)
    - BUGFIX: Fix messed up symbols in log (Chocobo1)
    - BUGFIX: Fix incomplete file extension not applied for new torrents (Chocobo1)
    - BUGFIX: Save updated resume data for completed torrents (Vladimir Golovnev (Glassez))
    - BUGFIX: Fix requested torrent resume data handling (Vladimir Golovnev (Glassez))
    - BUGFIX: Prevent command injection via "Run external program" function (Chocobo1)
    - BUGFIX: Avoid race conditions when adding torrent (Vladimir Golovnev (Glassez))
    - BUGFIX: Fix torrent checking issues (Vladimir Golovnev (Glassez))
    - BUGFIX: Use proper log message when there are no error (Chocobo1)
    - BUGFIX: Fix torrent properties not saved for paused torrents (Chocobo1)
    - BUGFIX: Some improvements on qtsingleapplication code (Chocobo1)
    - BUGFIX: Remove limits of "Disk cache expiry interval" setting (Chocobo1)
    - BUGFIX: Remove upper limit of "Disk cache" setting (Chocobo1)
    - BUGFIX: Fix crash when removing phantom tags (Chocobo1)
    - BUGFIX: Improve handleFileErrorAlert error message (Chocobo1)
    - BUGFIX: Fix updated save path not saved for paused torrents (Chocobo1)
    - BUGFIX: Log save_resume_data_failed_alert (Chocobo1)
    - BUGFIX: Don't remove parent directories (Chocobo1)
    - BUGFIX: Properly remove empty leftover folders after rename (Chocobo1)
    - BUGFIX: Focus behavior row in Options dialog (silverqx)
    - BUGFIX: Fix unable to rename folder on Windows when same is used in different case(Chocobo1)
    - BUGFIX: Fix unable to control add torrent dialogs when opened simultaneously (Chocobo1)
    - BUGFIX: Disable "Upload mode" when start preloaded torrent (Vladimir Golovnev (Glassez))
    - BUGFIX: Fix wrong comparison result when sorting items(Chocobo1)
    - BUGFIX: Fix sequential downloading when redirected (Vladimir Golovnev (Glassez))
    - BUGFIX: Fix typos (Chocobo1)
    - BUGFIX: Fix assertion fail (Chocobo1)
    - BUGFIX: Change number of time axis divisions from 5 to 6 for convenience (dzmat)
    - BUGFIX: Don't turn window blank when closed to system tray (Ekin Dursun)
    - WEBUI: Fix WebUI encoding of special characters (Thomas Piccirello)
    - WEBUI: Change the speed unit from Bytes/s to KiB/s for the rate limiter(jerrymakesjelly)
    - WEBUI: Fix '+' char not decoded to space correctly (Chocobo1)
    - RSS: Ignore RSS articles with non-unique identifiers (Vladimir Golovnev (Glassez))
    - RSS: Perform more RSS parsing in working thread (Vladimir Golovnev (Glassez))
    - RSS: Download RSS enclosure element if no proper MIME type is found (Matan Bareket)

[quote="gspbeetle"]
Its a release.
It seems to have fixed the notorious crash on startup bug on 4.1.6 x64 (see https://github.com/qbittorrent/qBittorrent/issues/10581)
[/quote]

Thanks, that's the info I was looking for. I'm still shocked they left the broken 4.1.6 online for... months? as if everything was okay. That was a first time for this project.

This time I'll test/check 4.1.7 first, before deleting the 4.1.5 installer - just in case. I'm already weirded out that the release notes for 4.1.7 don't seem to mention the massive problems in 4.1.6. You'd expect that to be front and center.

Main page has been updated as well the downloads page.

Hey,

A little late but noticed your concern. I want to make a few comments.

1. I've seen this practice for other projects too. Release a new version and the main website and other channels not being updated on time.
2. You compared the file signatures from FossHub, SourceForge, GitHub - that's a smart thing to do as you would assume an attacker managed to obtain the credentials for all services. If that would ever happen, it won't work on FossHub.
3. Apart from 2FA, strong passwords, encryption, etc. there are several security filters that the new team running FossHub implemented. These are decentralized pieces of security, which means that once you failed things won't go any further. We took all security measures to prevent an infection
4. Keep it, simple guys. Just check the file and PGP signatures (these are listed on our page) to see they match everywhere and upload *any* file you download to VirusTotal. FossHub uses Jotti's Malware Scan but for your peace of mind, upload it there too.

Source: https://blog.fosshub.com/how-safe-is-fosshub/

When in doubt feel free to contact FossHub via our contact form. Security and similar reports have priority.

Thank you!
FossHub Team

Thanks for the info FossHub.

The official release topic has been changed also: https://qbforums.shiki.hu/index.php/top ... l#msg31784