openoffice-dev mailing list archives

From Rob Weir <>
Subject Re: Call for Comments: Apache OpenOffice Distributor Best Practices
Date Wed, 22 Jan 2014 16:22:36 GMT

On Wed, Jan 22, 2014 at 11:05 AM, Donald Whytock <> wrote:
> On Mon, Jan 20, 2014 at 2:14 PM, Rob Weir <> wrote:
>> On Thu, Dec 5, 2013 at 9:47 AM, Rob Weir <> wrote:
>> > Details are here:
>> >
>> >
>> >
>> It has been over a month since we put out this call for comments.  You
>> can see some of them in this thread, as well as with the blog post:
>>
>> The response was generally positive.  However, the volume of responses
>> was rather low.  So I do wonder whether there is a large unmet need
>> for this.  For example, we have not (to my knowledge) received
>> requests for a CD on the mailing list in months now.
>>
>> Another data point:  the webpage that is #1 in Google search results
>> for the query "openoffice cd" is:
>>
>> It receives around 7 visits per day.  Any proposal we came up with
>> would be findable to users mainly through that same mechanism --
>> searching Google.  Is it worth setting something up for 7 users per
>> day?
>>
>> Note:  if we removed our web pages that discuss OpenOffice CDs, the
>> top link would be a vendor on selling an OpenOffice CD.  So
>> in a sense, if we just "get out of the way", it would tend to work.
>> The risk would be if we see vendors starting to scam users.
>>
>> Next steps?  If anyone really wants to have a CD distributor listing,
>> I can help.  But it is not sufficiently high on my priority list to
>> carry this by myself.  Someone else would need to take the lead.
>>
>> Regards,
>> -Rob
>
> If you want to take a "get out of the way" approach, would you nevertheless
> want to put up signature files for official releases, such that anything
> one does buy can at least be verified before it's installed?

I think getting our installers digitally signed is important for many
reasons.  At the very least it reduces user confusion during the
download and install process.

However it won't prevent the most common kinds of abuses.  We're not
really seeing people modifying the AOO installer and putting malware into
the AOO installer.  What we see is someone creating a new "installer"
or "downloader" and advertising that for the users to download.  This
program installs the malware and then as the last step it downloads
and installs the original, unmodified AOO installer.

So even if we are digitally signed, it doesn't help in this case.  The
damage is already done before the real AOO installer is even launched.

One idea, and maybe this would cause users to panic more than we want
to, would be this:

As the first screen of the install program, have a screen that says:

"Important:  If you did not download this program from a known safe
website then you may be at risk from viruses, etc.  Apache OpenOffice
is free for all users.  You should not need to pay for it.  If
immediately before this screen you were asked to install other
software applications, or asked to authorize payment for OpenOffice,
then you may have been scammed.  Read here for more information..."

Of course, we have nothing officially against selling OpenOffice, etc.
So we would want to make it easier for a real programmer to disable
this screen in the installer.  But it might have some value.  But it
is coming one step too late to really prevent the problem.



> Might be too late at that point to get one's money back, but it could save
> the buyer some grief with his machine.  And give the buyer grounds to out a
> fraudulent purveyor.
> Don
