openoffice-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marcus <>
Subject Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)
Date Thu, 11 Aug 2016 22:27:58 GMT
Am 08/11/2016 09:50 PM, schrieb Kay
> On 08/09/2016 02:12 PM, Kay Schenk wrote:
>> [top posting]
>> I'm in the process of trying to "sync" instructions for Linux32,
>> Linux64, and MacOSX at the moment. As far as instructions on the actual
>> HOTFIX page, we need to have just a "general" instruction for ALL zips
>> that simply says -- "Unzip this package to some folder of your choosing
>> and read the README that's included." Everything else should be in the
>> various READMEs for each platform.
>> I should be done with all edits by this evening for a final review
>> before zipping and signing.
> Ok, I've now moved on to creating zip files, etc for Linux32, Linux64
> and Mac.
> My openssl version on does NOT supply digest sha256. Is it OK to use
> sha1? MD5 already computed for each of these.

I like to have it consistent for all platforms. Therefore I'll check the 
ZIPs and deliver the sha256 hash files.


>> On 08/05/2016 09:28 AM, Dennis E. Hamilton wrote:
>>> Branching off the part that is not about the Windows 4.1.2-patch1 [TESTING].
>>>> -----Original Message-----
>>>> From: Marcus []
>>>> Sent: Thursday, August 4, 2016 15:52
>>>> To:
>>>> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
>>>> Am 08/05/2016 12:26 AM, schrieb Kay Schenk:
>>> [ ... ]
>>>>> hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.
>>>>> Should we get started on these?
>>>> it depends what we want that they should contain. The ZIP file for
>>>> Windows contains a LICENSE and NOTICE file as well as an ASC file for
>>>> the DLL. As it is only a patch IMHO we don't need to provide another
>>>> LICENSE and NOTICE file which is already available in the OpenOffice
>>>> installation. Also the ASC is not necessary as we provide it already
>>>> (together with MD5 and SHA256) for the whole ZIP file.
>>> [orcmid]
>>> I think there is a misunderstanding.  Two matters:
>>>   1. The use of LICENSE is required by the ALv2 itself, and the ASF practice
is to include NOTICE as well on binary distributions.  The patch qualifies, especially when
it is moved to general distribution.  It is also easy and harmless to provide.
>>>   2. The reason for preserving the .asc on the shared-library binary is because
it authenticates with respect to who produced it and establishes that it has not been modified
as supplied in the package (or as the result of some glitch in creation of the Zip).  It provides
a level of accountability and, also, auditability.
>>> Even though few people will check all of these, they remain possible to be checked.
 Since this is a matter of security vulnerabilities and involves elevation of privilege to
perform, I believe it is important to demonstrate diligence and care, so that users have confidence
in this procedure to the extent they are comfortable.  Also, if it becomes necessary to troubleshoot
a problem with these patch applications, we have the means to authenticate what they are using
to ensure there are no counterfeits being offered to users.
>>>> That means that only the README and library file remains.
>>>> When the README for Windows keep its length then I don't want to copy
>>>> this on the dowload webpage. ;-)
>>>> So, when we put the README for all platforms in their ZIP files then we
>>>> can just put a pointer to it on the download webpage and thats it.
>>> [orcmid]
>>> Yes, that seems like a fine idea.  The README can be linked the same way the
.md5, .sha256, and .asc are linked.
>>> Also, the README may become simpler if we can link to some of the information
and not have so much detail in the README text itself.  It might even be useful to have an
.html README for that matter.  But that is all extra.  Right now I think we want to get into
the testing and see how to smooth what we have.
>>> PS: A friend of mine is looking into the MacOSX situation.  He points out that
one can use the Finder to do the job without users having to use Terminal sessions.  I don't
have further information at this time.
>>> PPS: The inclusion of scripts that do the job is also worthy of consideration,
perhaps making it unnecessary to build executables.  I will be looking at finding a .bat file
that works safely for the Windows case.  That can make the instructions much shorter :).
>>>> To cut a long story short:
>>>> I would say yes for a ZIP file for every platform.
>>> [ ... ]

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message