> -----Original Message-----
> From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
> Sent: Tuesday, September 20, 2016 15:18
> To: dev@openoffice.apache.org
> Subject: RE: Tools for building and checking a release candidate
>
>
>
> > -----Original Message-----
> > From: Andrea Pescetti [mailto:pesce...@apache.org]
> > Sent: Tuesday, September 20, 2016 14:37
> > To: dev@openoffice.apache.org
> > Subject: Re: Tools for building and checking a release candidate
> > [ ... ]
> > We are signing. We always did. Just, we do it in a way that Windows
> > doesn't like. The "signed installers" discussion comes from this
> > incompatibility.
> [orcmid]
>
> A little touch-up on the situation.
>
> It is not about Windows not liking the PGP signatures. It never sees
> them.
> What Windows sees are Windows-specified signatures embedded in the
> downloaded software itself (and also on the DLLs and such that are
> installed).
>
> These are part of the file properties. Those properties that can be
> inspected by users and, even better, operating system software. That is
> what we don't do (although other producers of OpenOffice-lineage
> software do).
>
> To favorably compare a procedure that requires expert users to perform
> manually seems odd to me.

[orcmid]
PS. What the embedded signature provides to not-so-expert users is an easy way to check that a download from any site is signed by an authentic source. It also may pacify anti-virus and browser download tools. Those messages requesting administrator permission to perform an install will also be more reassuring. Although not so foolproof *after* a download has been installed, with a little more expertise users can also verify whether soffice.exe, etc., are also authentic. That could be true even though an installer delivered adware/malware on the side.

>
> > But, security-wise, we are already providing a detached
> > GPG (or PGP) signature for all files. See
> > https://www.apache.org/dev/release-signing#sign-release
> >
> > Regards,
> > Andrea.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> > For additional commands, e-mail: dev-h...@openoffice.apache.org