Bertrand,

Thank you for your feedback. In the spirit of your remarks I have added a paragraph "Note: ..." to the installer download page [1]. I also added language similar to that note to the disclaimer page [2]. In version 1.1 we plan to address this in the application itself, but for now, this should suffice. The issue is recorded in FLEX-33208.

Also, I agree the language in the README should be corrected, but I don't see the current remark as a showstopper. We will also address this in version 1.1. The issue is recorded in FLEX-33209.

EdB

1: http://incubator.apache.org/flex/installer.html
2: http://incubator.apache.org/flex/about-binaries.html

On Mon, Sep 24, 2012 at 5:57 PM, Bertrand Delacretaz <bdelacre...@apache.org> wrote:

> Hi,
>
> On Monday, September 17, 2012, Om wrote:
>
>> ...The source distributions for Windows and Mac are available here:
>> http://people.apache.org/~bigosmallm/installapacheflex_RC5/ ...
>
> The release archive looks good to me, but I have one issue about the
> installer use case - sorry that I didn't notice that earlier (and if I'm
> correct I'm surprised that nobody brought that up).
>
> IIUC the installer downloads a number of files (listed
> in installer/src/sdk-installer-config.xml) and installs them on the user's
> system.
>
> Does it make the user aware that that's happening? IMO there should be a
> confirmation somewhere, where the user is given the option of either
>
> a) Reviewing the list of files that are going to be downloaded, and
> accepting or rejecting the whole thing
>
> b) Say "I don't care, go ahead".
>
> My concern is that in terms of quality and security, we don't want Apache
> software to mess with people's systems without letting them know beforehand.
>
> Another thing in the README: "This hash is compared with the hash from the
> Apache Flex SDK release site - If they match, we verify that the
> downloaded binary file is a valid Apache release...". Binaries are not
> Apache releases, so you shouldn't say that. I'd change it to something like
> "the md5 digest of the downloaded file is compared with one obtained from
> the apache.org website, and the installer aborts if they don't match".
>
> -Bertrand

--
Ix Multimedia Software
Jan Luykenstraat 27
3521 VB Utrecht
T. 06-51952295
I. www.ixsoftware.nl