-- Replying to below --
From: Rob Weir [mailto:r...@robweir.com]
Sent: Monday, December 15, 2014 06:26
To: dev@openoffice.apache.org; Dennis Hamilton
Subject: Re: Deflecting the Attack of the Clones

[ ... ]

My impression is that Firefox does something similar. I think I read someplace that their source code distribution lacks the Firefox branding. It is more of a "white label" product, functionally the same as Firefox, but without the branding.

But still, I don't think that really solves the problems that we face. Correct me if I'm wrong, but we're not really seeing someone doing their own compile of AOO from source code and using that to spread malware, right? We're seeing people take our binaries directly and bundle that with installers that spread the malware, or put up websites that charge and then point to AOO's binaries directly.

In the end, the real harm here is done to the users. So I wonder whether the best we can do is make it easy for them to raise complaints with those who can take action, e.g., payment processors associated with credit cards or telephone networks, or even consumer authorities.

<orcnote>
I agree that this does nothing about folks charging for a link to the AOO download or the more-tolerable convenience CD. Certainly cultivating consumer awareness is the most important action we can take, along with finding some way to deal with the fact that SEO is not our friend, particularly on SourceForge (and apparently Amazon if they are still providing downloads).

However, there are now apparent forks of AOO, such as AndrOpen Office (boldly dubbed "AOO" and which seems to confuse some folks even though it is described as a fork and as not associated with the project). So, establishing careful provenance (which signing will help) and encouraging users to be aware of it and of responsible sources go together.

I also agree that assisting users in obtaining redress or at least registering complaints is valuable. It is just more externality that the perpetrators are subjecting the project to, though.

The advantage of a white box source release is that any counterfeit is clearly willful, as opposed to plausibly accidental/careless.
I imagine that is not much deterrent to the determined. For some sort of stronger arrangement, it is probably necessary to get into various controlled "app" stores. Linux distributions apparently do their own builds for inclusion in their supported package libraries, so that might be in the "plus" column.
</orcnote>