Hello

My two cents...
On such download problems, we never have an answer to this:
- does the downloaded file have the correct checksum?
This is not easy to check for an ordinary user, but Elizabeth Morgan should be able to do it.

If the checksum is incorrect, then it is indeed a problem.
Since Roberto knows the suspect mirrors, he could verify if these mirrors do indeed store compromised files, by testing their checksum.
I would not be surprised if the mirror files were found correct.

My idea is that Chrome flags a file as suspect, not because of the file content, but as a result of statistical data about similar file names retrieved from SourceForge or other sites. We know that SourceForge advertising content sometimes provides (or provided) malicious files pretending to be OpenOffice.

Bernard


Message from Louis Suárez-Potts, dated 2014-12-09 23:50:

On 09 Dec 2014, at 17:41, Roberto Galoppini <roberto.galopp...@gmail.com> wrote:



2014-12-09 21:23 GMT+01:00 Rory O'Farrell <ofarr...@iol.ie>:
On Tue, 9 Dec 2014 15:14:24 -0500
Louis Suárez-Potts <lui...@gmail.com> wrote:

Hi
On 09 Dec 2014, at 15:11, Rory O'Farrell <ofarr...@iol.ie> wrote:

On Tue, 09 Dec 2014 13:48:44 -0600
Elizabeth Morgan <elizabethallynmor...@gmail.com> wrote:

UPDATE:
It's my entire development team that's encountering the issue at the
moment -- we're having to refit a good number of computers, and all of
them are detecting it as malicious after downloading from Sourceforge
via official link from openoffice.org

Remember that you can check the download for integrity by the methods described in
http://www.openoffice.org/download/checksums.html

Your team only need one download for each O/S. They can move it about on USB 
key or DVD or network.

I think Elizabeth’s point is that there is something amiss with the linkage 
from OpenOffice to SF to users. The problem, reading her post, could lie with 
SF. But my guess is that Elizabeth is more than competent to file an issue 
describing more precisely the problem so that we can resolve it.

I can certainly confirm, from many reports on the Forum, that Chrome is 
identifying SourceForge OO files on the automatic download as malicious.  The 
same reports suggest that the direct download link gives the same files without 
triggering any malicious file warning from Chrome.


We are trying to talk to Google to better understand what's going on, in the 
meantime we excluded all the blacklisted OpenOffice mirror URLs from the 
selection used when users download. When downloading OO now, you should get the 
file without any warning.

This is only a short-term solution but should help for the time being. We hope 
to learn more soon about the actual Google Chrome policies and why those are 
tagging a few open source projects out there as malicious.

Roberto


Thanks, Roberto, for the explanation. Perhaps an issue that reflects the ongoing 
discussion would help with Elizabeth’s situation and also others? (And the parallel 
discussion on signing downloads is probably not entirely irrelevant?)  (BTW, I use 
Google Chrome & Canary on OS X 10.2—a dev. editions, for both—and every now and 
then there are misreadings of a code’s legitimacy. Happens.)

louis





louis


On 12/9/2014 1:37 PM, Marcus wrote:
Am 12/09/2014 04:29 PM, schrieb Elizabeth Morgan:
Not technically "broken" per se in the notion of "won't actually
connect to the .exe file," but Chrome keeps registering all of the Open
Office downloads as malicious. Even past versions.

please make sure that you download only from the official source:

http://www.openoffice.org/download/

which will offer you the binaries from Sourceforge.net. They are
hosting the installation files for us.

Currently we haven't heard from other users about this problem. So, I
think for the moment that it's a reason that doesn't lie within the
Apache OpenOffice project.

E.g., does Chrome search in a public place for malicious domains? If
yes, maybe this place is not up-to-date or not working or something else.

Marcus


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
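
The check Bernard and Rory describe in the thread above, as an added example that is not part of the original messages or of the OpenOffice project's tooling: it hashes copies of the same installer fetched from different mirrors and compares each against the SHA-256 digest published for that release. The function names, file names and the sha256sum-style layout of the checksum file are assumptions, and the sample data is constructed.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Accepts "<hex>", "<hex>  name" or "<hex> *name" (sha256sum style); this
# layout is an assumption about the published checksum file.
_DIGEST_LINE = re.compile(r"^([0-9a-fA-F]{64})(\s+\*?.+)?$")


def read_expected_sha256(checksum_file):
    """Return the lowercase SHA-256 hex digest stored in a checksum file."""
    for line in Path(checksum_file).read_text(encoding="utf-8").splitlines():
        match = _DIGEST_LINE.match(line.strip())
        if match:
            return match.group(1).lower()
    raise ValueError(f"no SHA-256 digest found in {checksum_file}")


def sha256_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_mirror_copies(checksum_file, copies):
    """Map each label (for example a mirror name) to True if its file matches."""
    expected = read_expected_sha256(checksum_file)
    return {
        label: hmac.compare_digest(sha256_of(path), expected)
        for label, path in copies.items()
    }


if __name__ == "__main__":
    import tempfile
    # Constructed sample: two "mirror" copies, one altered by a single byte.
    with tempfile.TemporaryDirectory() as tmp:
        good, bad, sums = (Path(tmp, n) for n in ("a.exe", "b.exe", "inst.sha256"))
        good.write_bytes(b"constructed installer bytes")
        bad.write_bytes(b"constructed installer bytez")
        sums.write_text(sha256_of(good) + "  installer.exe\n", encoding="utf-8")
        report = compare_mirror_copies(sums, {"mirror-a": good, "mirror-b": bad})
        for label, ok in report.items():
            print("OK      " if ok else "MISMATCH", label)
```

The checksum file should be fetched from the project's own site rather than from the mirror being tested, otherwise a tampered mirror could serve a matching digest.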
