openoffice-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Tools for building and checking a release candidate
Date Tue, 20 Sep 2016 23:08:24 GMT


> -----Original Message-----
> From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org]
> Sent: Tuesday, September 20, 2016 15:18
> To: dev@openoffice.apache.org
> Subject: RE: Tools for building and checking a release candidate
> 
> 
> 
> > -----Original Message-----
> > From: Andrea Pescetti [mailto:pescetti@apache.org]
> > Sent: Tuesday, September 20, 2016 14:37
> > To: dev@openoffice.apache.org
> > Subject: Re: Tools for building and checking a release candidate
> >
[ ... ]
> > We are signing. We always did. Just, we do it in a way that Windows
> > doesn't like. The "signed installers" discussion comes from this
> > incompatibility.
> [orcmid]
> 
> A little touch-up on the situation.
> 
> It is not about Windows not liking the PGP signatures.  It never sees
> them.
> What Windows sees are Windows-specified signatures embedded in the
> downloaded software itself (and also on the DLLs and such that are
> installed).
> 
> These are part of the file properties.  Those are properties that can be
> inspected by users and, even better, operating system software.  That is
> what we don't do (although other producers of OpenOffice-lineage
> software do).
> 
> To favorably compare a procedure that requires expert users to perform
> manually seems odd to me.
[orcmid] 

PS. What the embedded signature provides to not-so-expert users is an easy way to check that
a download from any site is signed by an authentic source.  It also may pacify anti-virus
and browser download tools. Those messages requesting administrator permission to perform an
install will also be more reassuring.

Although not so foolproof *after* a download has been installed, with a little more expertise
users can also verify whether soffice.exe, etc., are also authentic.  That could be true
even though an installer delivered adware/malware on the side.

> 
> > But, security-wise, we are already providing a detached
> > GPG (or PGP) signature for all files. See
> > https://www.apache.org/dev/release-signing#sign-release
> >
> > Regards,
> >    Andrea.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
> > For additional commands, e-mail: dev-help@openoffice.apache.org
> 
> 

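As an added example (not part of this thread or of the OpenOffice project), the check Dennis describes for not-so-expert users, done from PowerShell with Get-AuthenticodeSignature on a downloaded installer and on the installed program files; the installer file name and install path are assumptions.

```powershell
# Added example: inspect the embedded (Authenticode) signature Windows itself checks,
# on a downloaded installer and on installed binaries such as soffice.exe.
# The file names and paths below are assumptions; adjust them to the real locations.
$targets = @(
    "$env:USERPROFILE\Downloads\Apache_OpenOffice_installer.exe",   # assumed download name
    "C:\Program Files (x86)\OpenOffice 4\program\soffice.exe",       # assumed install path
    "C:\Program Files (x86)\OpenOffice 4\program\soffice.bin"
)

# The publisher you expect to see in the signing certificate (assumed value).
$expectedPublisher = "CN=Example Publisher"

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output ("MISSING    {0}" -f $path)
        continue
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "<none>" }

    # Status is Valid only when the file hash matches the signature and the
    # certificate chains to a trusted root. A file carrying only a detached
    # PGP signature (the current Apache release practice) reports NotSigned.
    # Valid alone is not enough: any holder of a code-signing certificate can
    # produce a Valid signature, so also compare the signer with the publisher
    # you expect before trusting the file.
    $verdict = switch ($sig.Status) {
        "Valid" {
            if ($signer -like "*$expectedPublisher*") { "OK" } else { "VALID-BUT-UNEXPECTED-SIGNER" }
        }
        default { [string]$sig.Status }
    }

    Write-Output ("{0,-28} {1}" -f $verdict, $path)
    Write-Output ("             signer: {0}" -f $signer)
}

# For comparison, the detached PGP signature Andrea refers to is checked
# out-of-band with GnuPG after importing the project's published KEYS file:
#   gpg --verify Apache_OpenOffice_installer.exe.asc Apache_OpenOffice_installer.exe
```

Note that a Valid result on soffice.exe after installation only shows that file is unmodified since its signing; as the post says, it does not tell you what else an installer may have delivered alongside it.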