On Wed, Dec 28, 2011 at 3:34 PM, Dave Fisher <[email protected]> wrote:
>
> On Dec 28, 2011, at 12:18 PM, Dennis E. Hamilton wrote:
>
>> I see a number of factors related to the bug report, below:
>>
>> 1. The high search-result placement for a pay-for-download site
>> 2. The prospect that the download is not authentic
>> 3. The collection of a payment for the download
>>
>> It is unclear what appropriate actions are available.
>>
>> - Dennis
>>
>> INFORMAL THOUGHTS:
>>
>> 3. Technically, there is not much to be done about (3) beyond education and 
>> also anything about the absence of any support in exchange for the payment.  
>> (If the download is unmodified or has a thin façade with all of the support 
>> links intact, it becomes a problem in many ways for the project and 
>> peer-supporting users.)  This is what makes folks indignant, but it is the 
>> least preventable so long as there is no misrepresentation.  And even then 
>> ... .
>>
>> 2. That is a more-worrisome concern to me.  This impacts packaging of 
>> distributions, how they are authenticated, and what they incorporate that 
>> directs users to authentic sources of support and also future versions.  It 
>> would seem that there are measures to be taken here, along with branding.  I 
>> don't quite know how that might impact downstream developers of co-branded, 
>> re-branded binary distributions (e.g., for a specific platform, with 
>> particular bundling, etc.)  Apache branding requirements and ensuring that 
>> it is easy to honor them in a non-Apache binary release is going to take 
>> some head-scratching.
>
> I believe the Foundation is working on digital signatures with certificates. 
> The project's releases will be signed and verifiable. Someone will need to 
> discuss this with infrastructure.
>

And legacy OOo releases all came with MD5 hashes.  So in theory any
user who wanted to verify the authenticity of a package could.  In
practice, this is beyond the skill level of typical users.

And remember, anyone who has the incentive to sell fake versions of
OpenOffice has the incentive to create a fake certificate as well.

-Rob

> Regards,
> Dave
>
>> 1. Gaming SEO is something that it should be possible to combat and 
>> mitigate.  Having the site in our hands can help there.  It is important to 
>> work it for NL pages as well as the main get-your-free-downloads-here pages.
>>
>>
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> Sent: Wednesday, December 28, 2011 11:42
>> To: [email protected]
>> Subject: DO NOT REPLY [Bug 118700] New: fake openoffice site
>>
>> https://issues.apache.org/ooo/show_bug.cgi?id=118700
>>
>>             Bug #: 118700
>>        Issue Type: DEFECT
>>           Summary: fake openoffice site
>>    Classification: Infrastructure
>>           Product: www
>>           Version: current
>>          Platform: All
>>        OS/Version: All
>>            Status: UNCONFIRMED
>>          Severity: major
>>          Priority: P5
>>         Component: openoffice.org website general issues
>>        AssignedTo: [email protected]
>>        ReportedBy: *redacted*
>>                CC: [email protected]
>>
>>
>> Hello there,
>> I'm writing from Spain.
>> I was trying to download OpenOffice. A search engine (Bing) gave me this 
>> address
>> http://office.version-es.com/
>> I found out it's not an official site; it charges 14€ to activate the 
>> download,
>> through two SMS, charged 7.08€ each.
>> Don't know if you can do anything to prevent other people from being fooled or
>> whether there are more websites for other languages. It's very sad that some people
>> dishonour your project and name through such business.
>> Thank you for attending to my complaint.
>> Snorquel
>> PS.- I'm unsure about who to report this "issue" to. In case you are not involved in
>> solving these problems, I beg you to help my message reach someone who can do
>> something.
>>
>

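Rob's two points above (a hash published beside the download lets a user check the bytes, and an impostor with a commercial incentive will also produce its own "certificate") are easy to see side by side in code. The following is an added example, not code from this thread, from OpenOffice.org or from Apache infrastructure: it uses Go's crypto/ed25519 as a stand-in for the detached PGP signatures Apache releases ship with, keeps MD5 only to mirror the legacy OOo checksums Rob mentions (MD5 is collision-prone and not what a project would choose today), and every package byte string and function name (Publish, Impersonate, HashMatches, SignatureValidWithSiteKey, SignatureValidWithPinnedKey) is constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Release is what a download site serves: the package bytes, the hash
// published beside them, a detached signature, and the public key the
// site *claims* made that signature. Everything here is constructed
// sample data, not a real OpenOffice.org artifact.
type Release struct {
	Package   []byte
	MD5       string            // hex digest published next to the download
	Signature []byte            // detached signature over Package
	SiteKey   ed25519.PublicKey // key the site ships alongside the release
}

// GenerateProjectKey makes a signing key pair. For a real project the
// public half is published out of band (a KEYS file on the project's own
// host) and users pin it once.
func GenerateProjectKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing is not recoverable here
	}
	return pub, priv
}

// Publish builds a release the way a signing project does: hash the
// package and sign it with the project's private key.
func Publish(pkg []byte, priv ed25519.PrivateKey) Release {
	sum := md5.Sum(pkg)
	return Release{
		Package:   pkg,
		MD5:       hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, pkg),
		SiteKey:   priv.Public().(ed25519.PublicKey),
	}
}

// Impersonate is what a pay-for-download site can do: repackage a
// modified installer, publish a fresh MD5 that matches it, and sign it
// with a key it generated itself (Rob's "fake certificate").
func Impersonate(tampered []byte) Release {
	_, fakePriv := GenerateProjectKey()
	return Publish(tampered, fakePriv)
}

// HashMatches is the check an MD5 beside the download allows: it proves
// the bytes received are the bytes the *site* meant to serve, nothing
// more, because whoever controls the site also controls the hash.
func HashMatches(r Release) bool {
	sum := md5.Sum(r.Package)
	return hex.EncodeToString(sum[:]) == r.MD5
}

// SignatureValidWithSiteKey verifies against the key shipped with the
// release. This passes for an impostor as easily as for the project.
func SignatureValidWithSiteKey(r Release) bool {
	return ed25519.Verify(r.SiteKey, r.Package, r.Signature)
}

// SignatureValidWithPinnedKey verifies against a key the user obtained
// from the project's own host beforehand, ignoring whatever the site
// ships. Only this check distinguishes the genuine release.
func SignatureValidWithPinnedKey(r Release, pinned ed25519.PublicKey) bool {
	return ed25519.Verify(pinned, r.Package, r.Signature)
}

func main() {
	projectPub, projectPriv := GenerateProjectKey()
	genuine := Publish([]byte("OOo setup (constructed sample)"), projectPriv)
	fake := Impersonate([]byte("OOo setup (constructed sample) + SMS dialer"))

	for _, c := range []struct {
		name string
		r    Release
	}{{"genuine", genuine}, {"impostor", fake}} {
		fmt.Printf("%-8s md5=%v  sig(site key)=%v  sig(pinned key)=%v\n",
			c.name, HashMatches(c.r), SignatureValidWithSiteKey(c.r),
			SignatureValidWithPinnedKey(c.r, projectPub))
	}
}
```

Run as written, both the genuine and the impostor release pass the MD5 check and pass signature verification against the key the site itself ships; only verification against the pinned project key rejects the impostor. That is the practical caveat behind Rob's remark: a self-made certificate costs the impostor nothing and is useless against a pinned key, but the user has to have fetched and pinned that key from a source they already trust, which is exactly the step that is beyond the typical user's skill level.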