On Mar 2, 2012, at 9:52 AM, Rob Weir wrote:

> On Fri, Mar 2, 2012 at 12:25 PM, Dave Fisher <[email protected]> wrote:
>>
>> On Mar 2, 2012, at 7:00 AM, Rob Weir wrote:
>>
>>> Several testers have mentioned this anti-virus error when installing
>>> the AOO 3.4 dev snapshot build. This is not a virus.
>>> "WS.Reputation" errors come from Symantec Antivirus based on their
>>> "reputation-based" threat assessments. Essentially, they evaluate
>>> software that you are about to install according to a range of
>>> factors, including how new the file is, how many other people have
>>> installed it, whether the installer is digitally signed, etc. It is
>>> not just one factor, but a proprietary mix of weighted factors.
>>>
>>> We're probably getting penalized based on several of these factors.
>>> Note that with the final AOO 3.4 release we'll be in the same
>>> position, since that installer will also be new, etc.
>>>
>>> A few things we should consider doing:
>>>
>>> 1) Make sure the readme file and install instructions cover this case
>>> and explain what the user should do, e.g. "Run anyways"
>>>
>>> 2) We can make a request to Symantec to "whitelist" our installer.
>>> This takes a couple of weeks for them to process. And we can't start
>>> this work in advance since they need the SHA-256 hash of our
>>> installer:
>>>
>>> https://submit.symantec.com/whitelist/isv/
>>>
>>> 3) We could digitally sign our Windows installers. Apache already
>>> requires a detached signature. But Symantec has no idea about these.
>>> We need traditional Windows exe code signing. This will help us with
>>> Windows 8 as well. So it is something we probably want to look into
>>> at some point.
>>
>> This is likely to be a release requirement. Remember all artifacts in an
>> Apache Release must be signed and installers are artifacts. (This touches
>> your discussion on the other thread about what is AOO, what is powered by,
>> and what is "White Label")
>>
>
> Right. But all that is required is *detached* signatures. These are
> fine for human verification, but they don't help in this case.
>
>> I believe that signing process is being worked on elsewhere in the
>> foundation in a way that can make this an easy part of the release process.
>> I've a little experience with signing installers a few years ago, but I
>> won't have many cycles for it for a few weeks. I'll look in my ML archives
>> and ask the question on the appropriate Incubator ML about our participation
>> in these tests.
>>
>
> With the current approach, it is based on "web of trust". So Release
> Manager, and other PMC members verify and sign. But normal code
> signing on Windows is more hierarchical, and based on a trusted root
> CA, etc. Is the plan to have each PMC have its own signing cert? In
> this case the IPMC?

I'll need to confirm the status with Infrastructure, but I think that an ASF wide certificate was being considered. There was a lot of debate and it is hard to know without follow-up what happened. I'll ask now.

Regards,
Dave

>
> -Rob
>
>> Regards,
>> Dave
>>
>>>
>>> My recommendation:
>>>
>>> Plan on doing 1. Do 2. as soon as we have a release. Look into 3. for AOO
>>> 4.0.
>>>
>>> Regards,
>>>
>>> -Rob
>>
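Item 2 in the thread hinges on one concrete artifact: the SHA-256 of the finished installer, which is also what a published `.sha256` sidecar lets a downloader check against. The following is an added example, not code from the thread or from the Apache OpenOffice project: it streams an installer through SHA-256, writes and verifies a sidecar in the `<hex>  <filename>` layout that `sha256sum -c` reads, and shows that a single appended byte is caught. The installer bytes are constructed, the file name is invented, and the `whitelist_submission_record` fields are an assumption about what a vendor whitelist form asks for, not the real Symantec form.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for an installer artifact; not a real AOO build.
SAMPLE_INSTALLER = b"MZ" + b"\x00" * 62 + b"constructed installer payload"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sidecar_line(line):
    """Parse one '<hex>  <name>' line as written by sha256sum; a leading '*' on the
    name marks binary mode and is dropped. Raises ValueError on a malformed line."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) != 2:
        raise ValueError("expected '<sha256>  <filename>'")
    digest, name = parts[0].lower(), parts[1]
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA-256 hex digest")
    return digest, name.lstrip("*")


def write_sha256_sidecar(artifact_path):
    """Write '<hex>  <basename>' next to the artifact (the format sha256sum -c reads)."""
    sidecar = artifact_path + ".sha256"
    with open(sidecar, "w") as f:
        f.write(f"{sha256_of_file(artifact_path)}  {os.path.basename(artifact_path)}\n")
    return sidecar


def verify_sha256_sidecar(artifact_path, sidecar_path):
    """True only if the sidecar names this file and the digest matches.
    A mismatch means the download is corrupt or was changed after the hash was published."""
    with open(sidecar_path) as f:
        expected, name = parse_sidecar_line(f.readline())
    if name != os.path.basename(artifact_path):
        return False
    # Constant-time comparison; cheap insurance even though these are hex strings.
    return hmac.compare_digest(expected, sha256_of_file(artifact_path))


def whitelist_submission_record(artifact_path):
    """Assumed fields for a vendor whitelist request. As the thread notes, the SHA-256
    can only exist once the final installer is built, so this step cannot be done early."""
    return {
        "file_name": os.path.basename(artifact_path),
        "size_bytes": os.path.getsize(artifact_path),
        "sha256": sha256_of_file(artifact_path),
    }


def demo():
    """Hash a constructed installer, verify it, then show one appended byte is caught."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "constructed_installer_example.exe")  # invented name
        with open(exe, "wb") as f:
            f.write(SAMPLE_INSTALLER)
        sidecar = write_sha256_sidecar(exe)
        ok_before = verify_sha256_sidecar(exe, sidecar)
        with open(exe, "ab") as f:
            f.write(b"\x00")  # simulate a corrupted or tampered download
        ok_after = verify_sha256_sidecar(exe, sidecar)
        return ok_before, ok_after, whitelist_submission_record(exe)["size_bytes"]


if __name__ == "__main__":
    print(demo())  # (True, False, 94)
```

The hash check only proves the bytes match what was published next to them; it says nothing about who produced them, which is the gap the thread's detached PGP signatures and Authenticode signing each close in different ways.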
