> -----Original Message-----
> From: Marcus [mailto:marcus.m...@wtnet.de]
> Sent: Friday, January 27, 2017 09:55
> To: dev@openoffice.apache.org
> Subject: Re: [lazy consensus] FreeBSD as a new supported platform?
> 
> On 27.01.2017 at 18:50, Dennis E. Hamilton wrote:
> >
> >
> >> -----Original Message-----
> >> From: Rory O'Farrell [mailto:ofarr...@iol.ie]
> >> Sent: Friday, January 27, 2017 07:59
> >> To: dev@openoffice.apache.org
> >> Subject: Re: [lazy consensus] FreeBSD as a new supported platform?
> >>
> >> On Fri, 27 Jan 2017 07:49:51 -0800
> >> "Dennis E. Hamilton" <orc...@apache.org> wrote:
> >>
> >>> In thinking about this, I suggest that supported means (1)
> >> dist.apache.org authenticated binary distributions (as mirrored) are
> >> provided from source releases and (2) bugzilla provides for the
> platform
> >> as a named OS [type].
> >>>
> >>> I note that OS/2 and FreeBSD (and Solaris) qualify under (2) but not
> >> under (1).  I've seen other open-source projects link to sources of
> >> other builds without including them under their umbrella of official
> >> releases.  Not certain where bugs are supposed to be reported in
> those
> >> cases.
> >>>
> >>>  - Dennis
> >>>
> >>> PS: Whether or not there is a link to support.openoffice.org in a
> >> distributed binary is no help because counterfeit distributions do
> that
> >> too.
> >>
> >> But surely the distributed binary would have links to valid checksum
> >> files on the AOO distribution site, which counterfeit distributions
> >> would not have?
> > [orcmid]
> >
> > It depends how the counterfeit is distributed.  Most of them are with
> download pages and installers that do not provide any kind of links to
> hash values or digital signature files.  These target casual users and
> they give no evidence of hashes and signatures that users would check,
> even if they knew what to do with such links.
> >
> > The check-for-updates in the binary is also not always altered.
> >
> > Note that the binary does not have those links.  It is the download
> page that provides them.
> 
> ... where it IMHO belongs. When you have installed the software and it's
> running, then nobody cares about the question "Is the install package
> broken or not?". When you are afraid of getting maybe malware then you
> (search for and) verify the checksums *before* you start any
> installation.
[orcmid] 

Yes, of course.

And it is crucial that the hashes and signature files *not* be mirrored.  
Having them only available at dist.apache.org is the secure way to detect that 
the mirror-downloaded binary is authentic and unaltered.

> 
> Marcus
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org
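
The check discussed in this thread, as an added example that is not part of the original messages or of any Apache OpenOffice tooling: a digest counts only if it was fetched over HTTPS from dist.apache.org, because an altered mirror can publish a hash that matches its own altered binary. The function names, URLs, paths and byte strings below are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

TRUSTED_HASH_HOST = "dist.apache.org"  # the only digest origin the thread trusts

def parse_sha256_file(text):
    """Return the digest from 'HEX', 'HEX  name' or 'HEX *name' file contents."""
    fields = text.split()
    token = fields[0].lower() if fields else ""
    if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("not a SHA-256 digest")
    return token

def digest_matches(binary, hash_text):
    """Origin-blind comparison: what a check against a mirrored hash amounts to."""
    actual = hashlib.sha256(binary).hexdigest()
    return hmac.compare_digest(actual, parse_sha256_file(hash_text))

def verify_download(binary, hash_url, hash_text):
    """Accept only a digest fetched over HTTPS from the trusted host."""
    parts = urlsplit(hash_url)
    if parts.scheme != "https" or parts.hostname != TRUSTED_HASH_HOST:
        return False  # a digest served next to the binary proves nothing
    return digest_matches(binary, hash_text)

# Constructed sample data (not real release artifacts or real paths).
GENUINE = b"constructed genuine installer bytes"
ALTERED = GENUINE + b" plus constructed extra payload"
CANONICAL_URL = "https://dist.apache.org/constructed/installer.sha256"
MIRROR_URL = "https://mirror.example.org/constructed/installer.sha256"
CANONICAL_HASH = hashlib.sha256(GENUINE).hexdigest() + "  installer\n"
MIRROR_HASH = hashlib.sha256(ALTERED).hexdigest() + " *installer\n"

def demo():
    """Run the four cases: altered/genuine binary against mirror/canonical hash."""
    return {
        "altered_vs_mirror_hash_blind": digest_matches(ALTERED, MIRROR_HASH),
        "altered_vs_mirror_hash": verify_download(ALTERED, MIRROR_URL, MIRROR_HASH),
        "altered_vs_canonical_hash": verify_download(ALTERED, CANONICAL_URL, CANONICAL_HASH),
        "genuine_vs_canonical_hash": verify_download(GENUINE, CANONICAL_URL, CANONICAL_HASH),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The first case is the one the thread warns about: the altered binary passes when its hash comes from the same mirror, and is rejected once the hash origin is pinned.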