Re: Budapest and thereafter.
On 08/12/14 20:15, jan i wrote:
> On 8 December 2014 at 19:50, Rory O'Farrell ofarr...@iol.ie wrote:
>> On Mon, 08 Dec 2014 19:37:41 +0100 Marcus marcus.m...@wtnet.de wrote:
>>> On 12/08/2014 06:31 PM, Rory O'Farrell wrote:
>>>> On Mon, 8 Dec 2014 09:19:17 -0800 Kay Schenk kay.sch...@gmail.com wrote:
>>>>> And, I didn't review the infra ticket on Cent OS carefully. Until we make a decision that we do not want to provide Linux-32 binaries, we need a 32-bit Cent OS 5 buildbot. I'll create a new ticket today.
>>>>
>>>> Possibly because most OO developers have 64 bit computers, we tend to overlook the need for 32 bit versions of OO. We should not lose sight of the need for such versions - it is a way of introducing people using older machines. Most of the older people I know (mostly 65+, retired) are using 32 bit machines, often handed down from their children.
>>>
>>> right, but do you really mean - or have heard/read - that they get Linux machines from their children? I think it will be still Windows - and here 32 or 64 bit doesn't matter.
>>>
>>> But anyway, yes we still need 32-bit binaries for Linux.
>>>
>>> Marcus
>>
>> When I am asked I guide them to 32 bit linux to help older computers work well. If we drop 32 bit for linux, we effectively abandon that area to LibO; we have enough of an uphill fight regaining users from the inbuilt installation of LibO on the distros as it is. We shouldn't abandon that area.
>
> I don't follow the notion of abandon that area, we have never had a 32bit centOS buildbot or for that matter a 64bit, so we are not abandoning anything, we are instead expanding.
>
> I don't know if we made releases available on centOS earlier, but for sure we did not do it with ASF buildbot.

sure all our past releases were built on Centos machines (32 and 64 bit). This was discussed very often and the reason is that we need a certain baseline so that our binaries run on as many distros as possible.

You know we are not in the comfortable situation that the distros built AOO specific for their baseline and include it by default.

The ASF build bots are running on Linux systems that are simply too new.

Another option would be to increase the baseline and drop 32 bit Linux completely. This would reduce the effort enormously but I am not sure it is what we want.

This baseline discussion might be difficult to understand for ASF infra people who are building everything from scratch. But the OpenOffice users are different and expecting simply a binary that they can install and use.

Juergen

> rgds
> jan i
>
>> --
>> Rory O'Farrell ofarr...@iol.ie

To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: Signing AOO 4.1.1 (was RE: Budapest and thereafter)
Jürgen Schmidt wrote:
> We had a signing mechanism in place for a long time and the reason why we have currently no digital signing is the lack of a certificate where we as project (PMC) or as representative the release manager have enough control.

I do have a certificate and access key to the signing service. Details in my OpenOffice and Infra report http://markmail.org/message/6ymi35tajswcfsps item 4.

Of course, I'm more than happy if someone else is willing to help with this; maybe Jan's work of months ago can now be reused and we can sign with minimal effort.

Regards,
Andrea.
Re: Signing AOO 4.1.1 (was RE: Budapest and thereafter)
On 09/12/14 09:17, Andrea Pescetti wrote:
> Jürgen Schmidt wrote:
>> We had a signing mechanism in place for a long time and the reason why we have currently no digital signing is the lack of a certificate where we as project (PMC) or as representative the release manager have enough control.
>
> I do have a certificate and access key to the signing service. Details in my OpenOffice and Infra report http://markmail.org/message/6ymi35tajswcfsps item 4.
>
> Of course, I'm more than happy if someone else is willing to help with this; maybe Jan's work of months ago can now be reused and we can sign with minimal effort.

I don't have time to do it but I would start with analyzing which parts have to be signed. The former process signed all binary artifacts (dll, jars, .NET assemblies, ...). I am not sure if this is all necessary or if it was just signed for simplification.

The new mechanism requires a more or less rework of the signing process. And it will result probably in a multiphase signing and packaging process.

First round is to sign exe, dlls, assemblies etc. figured out in the initial analysis. Second step is to package the msi and the setup.exe. And finally package the downloadable exe and sign this as well.

Juergen
Re: Signing AOO 4.1.1 (was RE: Budapest and thereafter)
On Tuesday, December 9, 2014, Jürgen Schmidt jogischm...@gmail.com wrote:
> On 09/12/14 09:17, Andrea Pescetti wrote:
>> Jürgen Schmidt wrote:
>>> We had a signing mechanism in place for a long time and the reason why we have currently no digital signing is the lack of a certificate where we as project (PMC) or as representative the release manager have enough control.
>>
>> I do have a certificate and access key to the signing service. Details in my OpenOffice and Infra report http://markmail.org/message/6ymi35tajswcfsps item 4.
>>
>> Of course, I'm more than happy if someone else is willing to help with this; maybe Jan's work of months ago can now be reused and we can sign with minimal effort.
>
> I don't have time to do it but I would start with analyzing which parts have to be signed. The former process signed all binary artifacts (dll, jars, .NET assemblies, ...). I am not sure if this is all necessary or if it was just signed for simplification.
>
> The new mechanism requires a more or less rework of the signing process. And it will result probably in a multiphase signing and packaging process.
>
> First round is to sign exe, dlls, assemblies etc. figured out in the initial analysis. Second step is to package the msi and the setup.exe. And finally package the downloadable exe and sign this as well.

Of course anybody can do the investigation again, but the rule is quite clear. Windows loadable components must be signed, in our case jar, dll and exe.

I did not change a bit in the build system for my test, but had simple one-liner scripts to help.

First script runs through all release languages, runs configure and make, then renames the output dir with dll etc. (it also renamed the dll,jar to xyz.lang.dll)

Second step was manual, upload to Symantec gui and sign, download the signed artifacts.

Second script runs through all release languages, renames the output dir back, runs configure and then make postprocess. Finally it renames the install set.

Last step was manual, upload all installers to Symantec, sign and download.

we (infra) spent quite some time discussing a local solution, but it turned out to be very costly (both in terms of real money and man hours). We then saw that Symantec actually provides at least 80% of the solution we looked at, so the choice was simple.

rgds
jan i

> Juergen

--
Sent from My iPad, sorry for any misspellings.
Re: Budapest and thereafter.
On Tuesday, December 9, 2014, Jürgen Schmidt jogischm...@gmail.com wrote:
> On 08/12/14 20:15, jan i wrote:
>> On 8 December 2014 at 19:50, Rory O'Farrell ofarr...@iol.ie wrote:
>>> On Mon, 08 Dec 2014 19:37:41 +0100 Marcus marcus.m...@wtnet.de wrote:
>>>> On 12/08/2014 06:31 PM, Rory O'Farrell wrote:
>>>>> On Mon, 8 Dec 2014 09:19:17 -0800 Kay Schenk kay.sch...@gmail.com wrote:
>>>>>> And, I didn't review the infra ticket on Cent OS carefully. Until we make a decision that we do not want to provide Linux-32 binaries, we need a 32-bit Cent OS 5 buildbot. I'll create a new ticket today.
>>>>>
>>>>> Possibly because most OO developers have 64 bit computers, we tend to overlook the need for 32 bit versions of OO. We should not lose sight of the need for such versions - it is a way of introducing people using older machines. Most of the older people I know (mostly 65+, retired) are using 32 bit machines, often handed down from their children.
>>>>
>>>> right, but do you really mean - or have heard/read - that they get Linux machines from their children? I think it will be still Windows - and here 32 or 64 bit doesn't matter.
>>>>
>>>> But anyway, yes we still need 32-bit binaries for Linux.
>>>>
>>>> Marcus
>>>
>>> When I am asked I guide them to 32 bit linux to help older computers work well. If we drop 32 bit for linux, we effectively abandon that area to LibO; we have enough of an uphill fight regaining users from the inbuilt installation of LibO on the distros as it is. We shouldn't abandon that area.
>>
>> I don't follow the notion of abandon that area, we have never had a 32bit centOS buildbot or for that matter a 64bit, so we are not abandoning anything, we are instead expanding.
>>
>> I don't know if we made releases available on centOS earlier, but for sure we did not do it with ASF buildbot.
>
> sure all our past releases were built on Centos machines (32 and 64 bit). This was discussed very often and the reason is that we need a certain baseline so that our binaries run on as many distros as possible.
>
> You know we are not in the comfortable situation that the distros built AOO specific for their baseline and include it by default.
>
> The ASF build bots are running on Linux systems that are simply too new.
>
> Another option would be to increase the baseline and drop 32 bit Linux completely. This would reduce the effort enormously but I am not sure it is what we want.
>
> This baseline discussion might be difficult to understand for ASF infra people who are building everything from scratch. But the OpenOffice users are different and expecting simply a binary that they can install and use.

No it's not difficult to understand, but expecting those things to happen without requesting it will not work.

E.g. the mac buildbot is solely for aoo so we could easily add 1-2 vm and thereby have the different mac versions covered.

The idea with tethys (a physical machine) was the same, have e.g. ubuntu in the bottom and then specific vms for all intel based builds (that is my personal setup and works brilliantly).

So the problem does not really boil down to infra not understanding, but a lot more that nobody in aoo (or at least so it seems) is willing to do the job (or if willing does not get shot down).

just my pov, being one with a leg in both projects.

rgds
jan i

> Juergen
>
>> rgds
>> jan i
>>
>>> --
>>> Rory O'Farrell ofarr...@iol.ie

--
Sent from My iPad, sorry for any misspellings.
OO, Windows and Printers
A common complaint on the Forum is that OO does not see, or if it sees, does not print to, an existing printer. There are numerous examples of this and I can extract a list of threads if necessary. Might the interface between a 32 bit OO and a 64 bit Windows OS require some reconsideration for a future release? I should say that not all instances of this problem involve a 64 bit Windows. There have been instances of an installed and working network printer not working with OO.

--
Rory O'Farrell ofarr...@iol.ie
Re: OO, Windows and Printers
On Tue, 9 Dec 2014 10:15:58 + Rory O'Farrell ofarr...@iol.ie wrote:
> A common complaint on the Forum is that OO does not see, or if it sees, does not print to, an existing printer. There are numerous examples of this and I can extract a list of threads if necessary. Might the interface between a 32 bit OO and a 64 bit Windows OS require some reconsideration for a future release? I should say that not all instances of this problem involve a 64 bit Windows. There have been instances of an installed and working network printer not working with OO.
>
> --
> Rory O'Farrell ofarr...@iol.ie

I should expand the above slightly: from memory most such complaints involve Windows. We are dealing largely with unsophisticated users, who do not understand why an existing printer, working for all other applications, is either not seen, or if seen, is not printed to. Sometimes reinstallation of the printer cures the problem, but unfortunately we do not have access to pre/post problem code dumps. The problem seems to occur most often (but not exclusively) with 64 bit Windows.

I mention the problem here so that it is at the back of developers' minds - perhaps in some review of the relevant code knowledge of the problem will trigger a warning bell in a developer's mind, leading to a fix.

--
Rory O'Farrell ofarr...@iol.ie
recipe for target 'dmake.exe' failed in window 8 system
Hello Sir/Miss,

I really want to build OpenOffice, and program it on a Win 8.1 system (Metro). But I encountered a problem:

/tmp/aoo-4.1.1/main/solenv/wntmsci12.pro/misc/build/dmake-4.12/path.c:321:对‘cygwin_conv_to_posix_path’未定义的引用
/tmp/aoo-4.1.1/main/solenv/wntmsci12.pro/misc/build/dmake-4.12/path.c:321:(.text+0x6ec): relocation truncated to fit: R_X86_64_PC32 against undefined symbol `cygwin_conv_to_posix_path'
sysintf.o:在函数‘Prolog’中:
/tmp/aoo-4.1.1/main/solenv/wntmsci12.pro/misc/build/dmake-4.12/sysintf.c:541:对‘cygwin_conv_to_posix_path’未定义的引用
/tmp/aoo-4.1.1/main/solenv/wntmsci12.pro/misc/build/dmake-4.12/sysintf.c:541:(.text+0x6d7): relocation truncated to fit: R_X86_64_PC32 against undefined symbol `cygwin_conv_to_posix_path'
sysintf.o:在函数‘cygdospath’中:
/tmp/aoo-4.1.1/main/solenv/wntmsci12.pro/misc/build/dmake-4.12/sysintf.c:1147:对‘cygwin_conv_to_win32_path’未定义的引用
/tmp/aoo-4.1.1/main/solenv/wntmsci12.pro/misc/build/dmake-4.12/sysintf.c:1147:(.text+0x123b): relocation truncated to fit: R_X86_64_PC32 against undefined symbol `cygwin_conv_to_win32_path'
collect2: 错误:ld 返回 1
Makefile:406: recipe for target 'dmake.exe' failed
make[2]: *** [dmake.exe] Error 1
make[2]: Leaving directory '/tmp/aoo-4.1.1/main/solenv/wntmsci12.pro/misc/build/dmake-4.12'
Makefile:488: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/tmp/aoo-4.1.1/main/solenv/wntmsci12.pro/misc/build/dmake-4.12'
Makefile:268: recipe for target 'all' failed
make: *** [all] Error 2

It seems like cygwin_conv_to_win32_path and cygwin_conv_to_posix_path are undefined symbols, and everything I have couldn't fix it.

xiangxiang.
Re: SourceForge and commercial ads - continued
See today: http://hpics.li/5e52083

This ad goes to h**p://maribiz.net
RE: Signing AOO 4.1.1 (was RE: Budapest and thereafter)
Andrea,

Although I consider this very important, I am so far back the learning curve on working with the actual bits that I don't think I can provide anything competent in a short time. If you think there is a useful way for me to move along the curve in time to be useful, I am open to it.

One question, also for Jürgen and Jan. Is it possible to enter the signing process for just the last step -- using the 4.1.1 setup files, which are easily available, and making an installer file with appropriate file properties and a signature? (Or even sign the existing installer file, if it is in the proper format for inserting the information and signature.) That is, the .cab, .msi, and setup.exe would be completely unchanged.

It is not the whole job, but it would make for an easy 4.1.1 slip-stream update and start solving one of the problems of being able to identify the origin of courtesy binaries that the project is willing to support. (There are loud reminders on other lists that courtesy binaries are not Apache capital-R Releases, only the sources are, so this would technically not involve a new AOO Project Release at all. There should be absolutely no difference other than the installer is authenticated and makes Windows happier in itself, without worrying about Windows certification at this stage.)

It would still have to be project-managed in the sense that all of the measures to preserve binary authenticity and provide accompanying binary release management internal to AOO should be followed.

Still thinking out loud, wanting to be helpful.

- Dennis

PS: Corinthia has to learn to do this anyhow, but that incubator has the advantage of not being under any time pressure and can provide signed binaries from the beginning, so teething and preserving the knowledge may be easier.

-----Original Message-----
From: Andrea Pescetti [mailto:pesce...@apache.org]
Sent: Tuesday, December 9, 2014 00:17
To: dev@openoffice.apache.org
Subject: Re: Signing AOO 4.1.1 (was RE: Budapest and thereafter)

Jürgen Schmidt wrote:
> We had a signing mechanism in place for a long time and the reason why we have currently no digital signing is the lack of a certificate where we as project (PMC) or as representative the release manager have enough control.

I do have a certificate and access key to the signing service. Details in my OpenOffice and Infra report http://markmail.org/message/6ymi35tajswcfsps item 4.

Of course, I'm more than happy if someone else is willing to help with this; maybe Jan's work of months ago can now be reused and we can sign with minimal effort.

Regards,
Andrea.
Reporting broken download link
Not technically broken per se in the notion of won't actually connect to the .exe file, but Chrome keeps registering all of the Open Office downloads as malicious. Even past versions.
Re: Signing AOO 4.1.1 (was RE: Budapest and thereafter)
On 9 December 2014 at 16:26, Dennis E. Hamilton dennis.hamil...@acm.org wrote:
> Andrea,
>
> Although I consider this very important, I am so far back the learning curve on working with the actual bits that I don't think I can provide anything competent in a short time. If you think there is a useful way for me to move along the curve in time to be useful, I am open to it.
>
> One question, also for Jürgen and Jan. Is it possible to enter the signing process for just the last step -- using the 4.1.1 setup files, which are easily available, and making an installer file with appropriate file properties and a signature? (Or even sign the existing installer file, if it is in the proper format for inserting the information and signature.) That is, the .cab, .msi, and setup.exe would be completely unchanged.

No we need to rebuild (and for every language), because the last step in the build process needs to be repeated, we cannot just patch the files.

If we could move away from 1 install set per language, the job would be about 30 times faster :-)

> It is not the whole job, but it would make for an easy 4.1.1 slip-stream update and start solving one of the problems of being able to identify the origin of courtesy binaries that the project is willing to support. (There are loud reminders on other lists that courtesy binaries are not Apache capital-R Releases, only the sources are, so this would technically not involve a new AOO Project Release at all. There should be absolutely no difference other than the installer is authenticated and makes Windows happier in itself, without worrying about Windows certification at this stage.)

AOO is special compared to most other projects, in that the majority of our users use the binary package. As a consequence, I recommend a PMC vote, even if it's not strictly needed.

rgds
jan i.

> It would still have to be project-managed in the sense that all of the measures to preserve binary authenticity and provide accompanying binary release management internal to AOO should be followed.
>
> Still thinking out loud, wanting to be helpful.
>
> - Dennis
>
> PS: Corinthia has to learn to do this anyhow, but that incubator has the advantage of not being under any time pressure and can provide signed binaries from the beginning, so teething and preserving the knowledge may be easier.
>
> -----Original Message-----
> From: Andrea Pescetti [mailto:pesce...@apache.org]
> Sent: Tuesday, December 9, 2014 00:17
> To: dev@openoffice.apache.org
> Subject: Re: Signing AOO 4.1.1 (was RE: Budapest and thereafter)
>
> Jürgen Schmidt wrote:
>> We had a signing mechanism in place for a long time and the reason why we have currently no digital signing is the lack of a certificate where we as project (PMC) or as representative the release manager have enough control.
>
> I do have a certificate and access key to the signing service. Details in my OpenOffice and Infra report http://markmail.org/message/6ymi35tajswcfsps item 4.
>
> Of course, I'm more than happy if someone else is willing to help with this; maybe Jan's work of months ago can now be reused and we can sign with minimal effort.
>
> Regards,
> Andrea.
CentOS build box.
Hi

FYI, in case you have not noticed.

INFRA-8768 (centOS buildbot for AOO) took a huge jump today, and is very near completion. This was done by the infra Contractors.

Time to find somebody that will install the AOO specific buildbot parts.

rgds
jan i.
Re: Signing AOO 4.1.1 (was RE: Budapest and thereafter)
On Mon, Dec 8, 2014 at 9:29 PM, Dennis E. Hamilton dennis.hamil...@acm.org wrote:
> I don't know if this is helpful or not. I'm not in a position to check.
>
> Thinking out loud: There are two cases of signatures.
>
> 1. Digital signing of installable components, such as DLLs and such. This is also important but a second-order problem.
>
> 2. Digital signing of the installer binary (the .EXE). That or shipping a signed .MSI. This is more important. It has to do with raising the confidence in downloads and installs and is of immediate benefit.
>
> It *may* be the case that the installer binary .EXE already has room in the file for a signature and it is simply not being used. The properties on the binary .EXE are also not filled in for AOO 4.1.1 en-US. Those are the ones that show a File description, File version, Product name, Product version, Copyright, Language, etc.
>
> It might be worthwhile to see if the properties and signature can be injected in the .EXE already. And if not, it may be possible to rebuild the .EXE, since the bits are still around. They are what are extracted into a folder which is then used for running setup.
>
> If feasible, this strikes me as a perfectly worthwhile exercise for slip-streaming a signed binary of AOO 4.1.1 for Windows. As Andrea remarks, It would also be a right-sized teething exercise for our learning how to work through the signing process.

I'm rather pessimistic. Here's what I see as the main user annoyances related to the integrity of AOO downloads:

1) Scams that ask for payment and then redirect to genuine versions of AOO. So the user has lost before they even download a single byte of our package. Signing will not help them.

2) Scams that wrap AOO's installer with an installer or similar app that takes the user through a complicated set of screens to accept various offers that result in adware/malware/badware being installed. Only then does it chain to the genuine AOO install. Again, signing doesn't help the user.

3) Download pages that offer genuine AOO downloads, but the page is filled with other advertisements that lure the user into clicking them, some which even claim they are the AOO download. Signing doesn't help the user much here.

Note that in all of these cases, the bad code, the installer/wrapper code could have a digital signature as well. So user education -- don't run unsigned code -- doesn't really solve the problem here as well.

4) Annoyance of users who download genuine AOO from our website and need to deal with extra mouse clicks to dismiss warning dialogs from the browser, OS, antivirus, etc. This is the main thing signing fixes.

This is worth doing, I think, for benefit #4. But by itself it doesn't really drain the swamp.

Note in particular that I have not seen someone actually modify the AOO code or installer to make malware. Signing would help with that, if it happened. But today there are far easier scams.

Regards,

-Rob

> I'm all for starting with the least that could possibly work, even though I have no expertise on this.
>
> - Dennis
>
> -----Original Message-----
> From: Andrea Pescetti [mailto:pesce...@apache.org]
> Sent: Monday, December 8, 2014 15:08
> To: dev@openoffice.apache.org
> Subject: Re: Budapest and thereafter.
>
> Marcus wrote:
>> On 12/08/2014 02:32 PM, Andrea Pescetti wrote:
>>> We could actually do both, if you believe it makes sense:
>>> - signed 4.1.1 (next Windows binaries only) by end of December
>>> - 4.1.2 in January
>>
>> IMHO this doesn't make sense and would be just a waste of resources, when doing 2 releases in such a short time frame. But I would tend to do only the bigger release (4.1.2) - let's say in January/February. When ...
>
> Honestly, Infra would like (and they are right) that after asking for years for digital signing, we actually use it. We can't put many obstacles in front of it. So a long list of things that we must have ready before that won't work. Signing Windows binaries will have to happen, and users will benefit from it in terms of trust in OpenOffice.
>
> Assuming that more or less we can master the technology, distributing the 4.1.1 signed binaries is not a huge feat for us (it would need production of the new binaries and their upload to a new directory like windows-signed and defaulting to windows-signed in the JavaScript in the download page). It is far less than a release and at least it could show that on this (new for OpenOffice) topic we are ready.
>
> In case I wasn't clear (and this is my fault for not summarizing the Budapest talks correctly) signed binaries have high priority. One way is to make a 4.1.2 release and sign it, and this requires going through the whole process (no, it can't be a Windows-only release). Another way is to ship a signed version of the existing 4.1.1 binaries as a warm up for the moment when this will be integral part of the release process.
>
> Regards,
> Andrea.
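The question raised in this message, whether an installer .EXE already carries an Authenticode signature slot that is simply unused, can be answered from the file itself by reading the PE Certificate Table data directory. The following is an added example, not part of the thread or of AOO's build scripts; the function names are hypothetical and the sample images are constructed in-line rather than taken from any AOO binary. It reports only whether a signature blob is embedded, not whether it validates.

```python
import struct

SECURITY_DIR = 4            # index of the Certificate Table data directory
PKCS_SIGNED_DATA = 0x0002   # wCertificateType used by Authenticode


class NotPE(ValueError):
    """Input is not a well-formed PE image."""


def certificate_table(data):
    """Return (file_offset, size) of the certificate table; (0, 0) if unused."""
    try:
        if data[:2] != b"MZ":
            raise NotPE("missing MZ header")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise NotPE("missing PE signature")
        opt = pe_off + 4 + 20                     # skip signature + COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:                        # PE32
            dirs = opt + 96
        elif magic == 0x20B:                      # PE32+
            dirs = opt + 112
        else:
            raise NotPE("unknown optional-header magic")
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        if count <= SECURITY_DIR:
            return (0, 0)
        # For this one directory the "address" is a file offset, not an RVA.
        return struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    except struct.error as exc:
        raise NotPE("truncated header") from exc


def embedded_signatures(data):
    """List (certificate_type, blob_length) for each WIN_CERTIFICATE entry."""
    offset, size = certificate_table(data)
    if size == 0:
        return []
    end = offset + size
    if offset == 0 or end > len(data):
        raise NotPE("certificate table points outside the file")
    entries, pos = [], offset
    while pos + 8 <= end:
        length, _revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise NotPE("corrupt WIN_CERTIFICATE entry")
        entries.append((cert_type, length - 8))
        pos += (length + 7) & ~7                  # entries are 8-byte aligned
    return entries


def audit(artifacts):
    """Map each artifact name to 'signed', 'unsigned', 'malformed' or 'not-pe'."""
    report = {}
    for name, data in artifacts.items():
        if data[:2] != b"MZ":
            report[name] = "not-pe"               # e.g. a .jar, signed differently
            continue
        try:
            kinds = [kind for kind, _ in embedded_signatures(data)]
        except NotPE:
            report[name] = "malformed"
            continue
        report[name] = "signed" if PKCS_SIGNED_DATA in kinds else "unsigned"
    return report


def build_sample_pe(signed):
    """Constructed minimal PE32 header, optionally with a placeholder blob."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 92, 16)           # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    if signed:
        blob = b"\x00" * 16                       # placeholder, not real PKCS#7
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, PKCS_SIGNED_DATA) + blob
        slot = 64 + 4 + 20 + 96 + 8 * SECURITY_DIR
        struct.pack_into("<II", image, slot, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    sample = {
        "setup.exe": build_sample_pe(signed=False),
        "signed-setup.exe": build_sample_pe(signed=True),
        "truncated.exe": build_sample_pe(signed=True)[:-8],
        "component.jar": b"PK\x03\x04",
    }
    for name, status in audit(sample).items():
        print(f"{name}: {status}")
```

A "signed" result means only that a blob is present; on Windows, `signtool verify /pa <file>` or PowerShell's `Get-AuthenticodeSignature` performs the actual hash and certificate-chain check.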
Java 32
If we are working towards a new release, could the Java not found message from Windows be extended to be more informative? It could be amended to say something like OpenOffice needs a 32 bit Java, which has not been found on this machine. Many Windows users know they have Java installed and are baffled when OO doesn't find it.

--
Rory O'Farrell ofarr...@iol.ie
Re: OO, Windows and Printers
Hi,

> is that OO does not see, or if it sees, does not print to, an existing printer.

please see my issue 99074: changing windows default printer not reflected in open document
https://issues.apache.org/ooo/show_bug.cgi?id=99074

Regards
Oliver
Re: OO, Windows and Printers
On Tue, 09 Dec 2014 19:16:54 +0100 Oliver Brinzing oliver.brinz...@gmx.de wrote:
> Hi,
>
>> is that OO does not see, or if it sees, does not print to, an existing printer.
>
> please see my issue 99074: changing windows default printer not reflected in open document
> https://issues.apache.org/ooo/show_bug.cgi?id=99074
>
> Regards
> Oliver

This may be another aspect of the same problem. Many of the Forum reports are of inability of OpenOffice to print to an existing printer on Windows, even from a new file, not necessarily from an existing file. I know that on Ubuntu OO only detects the printer and its settings on OO startup - if one changes printer settings (using CUPS) while OO is open, OO doesn't see the new settings - one gets used to that in one's method of work. But to fail to detect a single installed printer, or to detect it and refuse to print to it, as can happen using Windows, is more serious.

--
Rory O'Farrell ofarr...@iol.ie
Re: Java 32
On 12/09/2014 06:23 PM, Rory O'Farrell wrote:
> If we are working towards a new release, could the Java not found message from Windows be extended to be more informative? It could be amended to say something like OpenOffice needs a 32 bit Java, which has not been found on this machine. Many Windows users know they have Java installed and are baffled when OO doesn't find it.

right, this could help indeed. Especially when the Win 64-bit users have installed a 64-bit Java and now don't understand why AOO doesn't find it - when actually a 32-bit Java needs to be found.

Of course this little addition in the sentence needs to be translated, too.

Do you (or someone else) know where to find the sentence in the code to extend it?

Marcus
Re: Reporting broken download link
On 12/09/2014 04:29 PM, Elizabeth Morgan wrote:
> Not technically broken per se in the notion of won't actually connect to the .exe file, but Chrome keeps registering all of the Open Office downloads as malicious. Even past versions.

please make sure that you download only from the official source: http://www.openoffice.org/download/ which will offer you the binaries from Sourceforge.net. They are hosting the installation files for us.

Currently we haven't heard from other users about this problem. So, I think for the moment that it's a reason that doesn't lie within the Apache OpenOffice project.

E.g., does Chrome search in a public place for malicious domains? If yes, maybe this place is not up-to-date or not working or something else.

Marcus
Re: Reporting broken download link
The downloads ARE the ones from sourceforge. That's specifically why I'm reporting it.

Steps to problem:
go to openoffice.org/download
select download
get redirect to Sourceforge
get file to download
Once file downloaded, chrome deemed it malicious

On 12/9/2014 1:37 PM, Marcus wrote:
> On 12/09/2014 04:29 PM, Elizabeth Morgan wrote:
>> Not technically broken per se in the notion of won't actually connect to the .exe file, but Chrome keeps registering all of the Open Office downloads as malicious. Even past versions.
>
> please make sure that you download only from the official source: http://www.openoffice.org/download/ which will offer you the binaries from Sourceforge.net. They are hosting the installation files for us.
>
> Currently we haven't heard from other users about this problem. So, I think for the moment that it's a reason that doesn't lie within the Apache OpenOffice project.
>
> E.g., does Chrome search in a public place for malicious domains? If yes, maybe this place is not up-to-date or not working or something else.
>
> Marcus
Re: Reporting broken download link
UPDATE: It's my entire development team that's encountering the issue at the moment -- we're having to refit a good number of computers, and all of them are detecting it as malicious after downloading from Sourceforge via official link from openoffice.org
Re: Reporting broken download link
Elizabeth,

Have you filed an issue on this matter?

louis
Re: Reporting broken download link
On Tue, 09 Dec 2014 13:48:44 -0600 Elizabeth Morgan elizabethallynmor...@gmail.com wrote:
> UPDATE: It's my entire development team that's encountering the issue at the moment -- we're having to refit a good number of computers, and all of them are detecting it as malicious after downloading from Sourceforge via official link from openoffice.org

Remember that you can check the download for integrity by the methods described in http://www.openoffice.org/download/checksums.html

Your team only need one download for each O/S. They can move it about on USB key or DVD or network.

--
Rory O'Farrell ofarr...@iol.ie
Re: Reporting broken download link
Hi

On 09 Dec2014, at 15:11, Rory O'Farrell ofarr...@iol.ie wrote:
> On Tue, 09 Dec 2014 13:48:44 -0600 Elizabeth Morgan elizabethallynmor...@gmail.com wrote:
>> UPDATE: It's my entire development team that's encountering the issue at the moment -- we're having to refit a good number of computers, and all of them are detecting it as malicious after downloading from Sourceforge via official link from openoffice.org
>
> Remember that you can check the download for integrity by the methods described in http://www.openoffice.org/download/checksums.html
>
> Your team only need one download for each O/S. They can move it about on USB key or DVD or network.

I think Elizabeth’s point is that there is something amiss with the linkage from OpenOffice to SF to users. The problem, reading her post, could lie with SF. But my guess is that Elizabeth is more than competent to file an issue describing more precisely the problem so that we can resolve it.

louis
Re: Signing AOO 4.1.1 (was RE: Budapest and thereafter)
On Tuesday, December 9, 2014, Rob Weir r...@robweir.com wrote:
> On Mon, Dec 8, 2014 at 9:29 PM, Dennis E. Hamilton dennis.hamil...@acm.org wrote:
>> I don't know if this is helpful or not. I'm not in a position to check.
>>
>> Thinking out loud: There are two cases of signatures.
>>
>> 1. Digital signing of installable components, such as DLLs and such. This is also important but a second-order problem.
>>
>> 2. Digital signing of the installer binary (the .EXE). That or shipping a signed .MSI. This is more important. It has to do with raising the confidence in downloads and installs and is of immediate benefit.
>>
>> It *may* be the case that the installer binary .EXE already has room in the file for a signature and it is simply not being used. The properties on the binary .EXE are also not filled in for AOO 4.1.1 en-US. Those are the ones that show a File description, File version, Product name, Product version, Copyright, Language, etc.
>>
>> It might be worthwhile to see if the properties and signature can be injected in the .EXE already. And if not, it may be possible to rebuild the .EXE, since the bits are still around. They are what are extracted into a folder which is then used for running setup.
>>
>> If feasible, this strikes me as a perfectly worthwhile exercise for slip-streaming a signed binary of AOO 4.1.1 for Windows. As Andrea remarks, It would also be a right-sized teething exercise for our learning how to work through the signing process.
>
> I'm rather pessimistic. Here's what I see as the main user annoyances related to the integrity of AOO downloads:
>
> 1) Scams that ask for payment and then redirect to genuine versions of AOO. So the user has lost before they even download a single byte of our package. Signing will not help them.
>
> 2) Scams that wrap AOO's installer with an installer or similar app that takes the user through a complicated set of screens to accept various offers that result in adware/malware/badware being installed. Only then does it chain to the genuine AOO install. Again, signing doesn't help the user.

as long as we don't have a signed installer nobody can tell the difference, but with a signed installer we would have a harder argument (agreed if people listen) ?

> 3) Download pages that offer genuine AOO downloads, but the page is filled with other advertisements that lure the user into clicking them, some which even claim they are the AOO download. Signing doesn't help the user much here.
>
> Note that in all of these cases, the bad code, the installer/wrapper code could have a digital signature as well. So user education -- don't run unsigned code -- doesn't really solve the problem here as well.
>
> 4) Annoyance of users who download genuine AOO from our website and need to deal with extra mouse clicks to dismiss warning dialogs from the browser, OS, antivirus, etc. This is the main thing signing fixes.
>
> This is worth doing, I think, for benefit #4. But by itself it doesn't really drain the swamp.
>
> Note in particular that I have not seen someone actually modify the AOO code or installer to make malware. Signing would help with that, if it happened. But today there are far easier scams.

I agree with what you write, but I think you bypass an important point.

Everybody tells now more than ever that we are dead...which is by far not true, and making a real volunteer release would show that clearly. (I appreciate what the paid developers do, so please don't be offended).

To me digital signing is a nice way to show our community and users that AOO is still a major factor in this part of the world.

> Regards,
>
> -Rob
>
>> I'm all for starting with the least that could possibly work, even though I have no expertise on this.
>>
>> - Dennis
>>
>> -----Original Message-----
>> From: Andrea Pescetti [mailto:pesce...@apache.org]
>> Sent: Monday, December 8, 2014 15:08
>> To: dev@openoffice.apache.org
>> Subject: Re: Budapest and thereafter.
>>
>> Marcus wrote:
>>> On 12/08/2014 02:32 PM, Andrea Pescetti wrote:
>>>> We could actually do both, if you believe it makes sense:
>>>> - signed 4.1.1 (next Windows binaries only) by end of December
>>>> - 4.1.2 in January
>>>
>>> IMHO this doesn't make sense and would be just a waste of resources, when doing 2 releases in such a short time frame. But I would tend to do only the bigger release (4.1.2) - let's say in January/February. When ...
>>
>> Honestly, Infra would like (and they are right) that after asking for years for digital signing, we actually use it. We can't put many obstacles in front of it. So a long list of things that we must have ready before that won't work. Signing Windows binaries will have to happen, and users will benefit from it in terms of trust in OpenOffice.
>>
>> Assuming that more or less we can master the technology, distributing the 4.1.1 signed binaries is not a huge feat for us (it would need production of the
Re: Reporting broken download link
On Tue, 9 Dec 2014 15:14:24 -0500 Louis Suárez-Potts lui...@gmail.com wrote:
> Hi
>
> On 09 Dec2014, at 15:11, Rory O'Farrell ofarr...@iol.ie wrote:
>> On Tue, 09 Dec 2014 13:48:44 -0600 Elizabeth Morgan elizabethallynmor...@gmail.com wrote:
>>> UPDATE: It's my entire development team that's encountering the issue at the moment -- we're having to refit a good number of computers, and all of them are detecting it as malicious after downloading from Sourceforge via official link from openoffice.org
>>
>> Remember that you can check the download for integrity by the methods described in http://www.openoffice.org/download/checksums.html
>>
>> Your team only need one download for each O/S. They can move it about on USB key or DVD or network.
>
> I think Elizabeth’s point is that there is something amiss with the linkage from OpenOffice to SF to users. The problem, reading her post, could lie with SF. But my guess is that Elizabeth is more than competent to file an issue describing more precisely the problem so that we can resolve it.

I can certainly confirm, from many reports on the Forum, that Chrome is identifying SourceForge OO files on the automatic download as malicious. The same reports suggest that the direct download link gives the same files without triggering any malicious file warning from Chrome.

--
Rory O'Farrell ofarr...@iol.ie
Re: Signing AOO 4.1.1 (was RE: Budapest and thereafter)
On Tue, Dec 9, 2014 at 3:21 PM, jan i j...@apache.org wrote:
> On Tuesday, December 9, 2014, Rob Weir r...@robweir.com wrote:
>> On Mon, Dec 8, 2014 at 9:29 PM, Dennis E. Hamilton dennis.hamil...@acm.org wrote:
>>> I don't know if this is helpful or not. I'm not in a position to check.
>>>
>>> Thinking out loud: There are two cases of signatures.
>>>
>>> 1. Digital signing of installable components, such as DLLs and such. This is also important but a second-order problem.
>>>
>>> 2. Digital signing of the installer binary (the .EXE). That or shipping a signed .MSI. This is more important. It has to do with raising the confidence in downloads and installs and is of immediate benefit.
>>>
>>> It *may* be the case that the installer binary .EXE already has room in the file for a signature and it is simply not being used. The properties on the binary .EXE are also not filled in for AOO 4.1.1 en-US. Those are the ones that show a File description, File version, Product name, Product version, Copyright, Language, etc.
>>>
>>> It might be worthwhile to see if the properties and signature can be injected in the .EXE already. And if not, it may be possible to rebuild the .EXE, since the bits are still around. They are what are extracted into a folder which is then used for running setup.
>>>
>>> If feasible, this strikes me as a perfectly worthwhile exercise for slip-streaming a signed binary of AOO 4.1.1 for Windows. As Andrea remarks, It would also be a right-sized teething exercise for our learning how to work through the signing process.
>>
>> I'm rather pessimistic. Here's what I see as the main user annoyances related to the integrity of AOO downloads:
>>
>> 1) Scams that ask for payment and then redirect to genuine versions of AOO. So the user has lost before they even download a single byte of our package. Signing will not help them.
>>
>> 2) Scams that wrap AOO's installer with an installer or similar app that takes the user through a complicated set of screens to accept various offers that result in adware/malware/badware being installed. Only then does it chain to the genuine AOO install. Again, signing doesn't help the user.
>
> as long as we don't have a signed installer nobody can tell the difference, but with a signed installer we would have a harder argument (agreed if people listen) ?

Not really. In the above cases the damage is done *before* the user ever launches our installer. So in these cases whether it is signed or not doesn't matter.

>> 3) Download pages that offer genuine AOO downloads, but the page is filled with other advertisements that lure the user into clicking them, some which even claim they are the AOO download. Signing doesn't help the user much here.
>>
>> Note that in all of these cases, the bad code, the installer/wrapper code could have a digital signature as well. So user education -- don't run unsigned code -- doesn't really solve the problem here as well.
>>
>> 4) Annoyance of users who download genuine AOO from our website and need to deal with extra mouse clicks to dismiss warning dialogs from the browser, OS, antivirus, etc. This is the main thing signing fixes.
>>
>> This is worth doing, I think, for benefit #4. But by itself it doesn't really drain the swamp.
>>
>> Note in particular that I have not seen someone actually modify the AOO code or installer to make malware. Signing would help with that, if it happened. But today there are far easier scams.
>
> I agree with what you write, but I think you bypass an important point.
>
> Everybody tells now more than ever that we are dead...which is by far not true, and making a real volunteer release would show that clearly. (I appreciate what the paid developers do, so please don't be offended).
>
> To me digital signing is a nice way to show our community and users that AOO is still a major factor in this part of the world.

I'm not arguing against a release or against signing. I'm just pointing out that the scammers are two steps ahead of us, and even with signing most of the problems still remain.

Regards,

-Rob
Re: Java 32
Marcus wrote:
> On 12/09/2014 06:23 PM, Rory O'Farrell wrote:
>> If we are working towards a new release, could the Java not found message from Windows be extended to be more informative? It could be amended to say something like OpenOffice needs a 32 bit Java, which has not been found on this machine. ...
>
> Do you (or someone else) know where to find the sentence in the code to extend it?

If you have the exact error string, it should be fairly easy to find it here (in English): http://opengrok.adfinis-sygroup.org/source/

If you have a translation, the fastest way (it's in OpenGrok too, but in huge files) is probably to search for it in Pootle: https://translate.apache.org/projects/aoo40/ and find the English original, then do the above.

Fixing the message should be quite easy too, but open an issue for it and report the number here if you have doubts.

Regards,
Andrea.
RE: Signing AOO 4.1.1 (was RE: Budapest and thereafter)
+1 (non-binding [;) on PMC approval of any slip-stream.

I don't understand why full rebuilds are required. The only crucial file that needs signing is the .exe that is downloaded and extracts the actual setup files. All it does is extract a number of fixed files and then run the extracted setup.exe.

If a signed version of that .exe can be created, using the existing setups delivered with the current 4.1.1 .exe files, there is nothing else to do. It has to be done once for each language, but that's it. No full rebuilds, no new dates on files. The extracted setups would be binary identical to each of the current ones for 4.1.1, so it is easy to verify that the signed .exe does not deliver anything but the already reviewed installs.

That might be unworkable, but it is definitely worth seeing if it is possible rather than going through a full-up set of build processes.

- Dennis

PS: Rob's analysis is very useful to keep in mind as we look at other ways to increase confidence in the AOO binaries and the AOO site as preferable for those downloads. I think grabbing the low-hanging fruit and getting something simple through the process is also desirable, especially since we are starting from zero using the signing process.

-----Original Message-----
From: jan i [mailto:j...@apache.org]
Sent: Tuesday, December 9, 2014 08:29
To: dev; Dennis Hamilton
Subject: Re: Signing AOO 4.1.1 (was RE: Budapest and thereafter)

On 9 December 2014 at 16:26, Dennis E. Hamilton dennis.hamil...@acm.org wrote:

Andrea, [ ... ] (Or even sign the existing installer file, if it is in the proper format for inserting the information and signature.) That is, the .cab, .msi, and setup.exe would be completely unchanged.

No we need to rebuild (and for every language), because the last step in the build process needs to be repeated, we cannot just patch the files.

If we could move away from 1 install set per language, the job would be about 30 times faster :-)

AOO is special compared to most other projects, in that the majority of our users use the binary package. As a consequence, I recommend a PMC vote, even if it's not strictly needed.

[ ... ] It would still have to be project-managed in the sense that all of the measures to preserve binary authenticity and provide accompanying binary release management internal to AOO should be followed. [ ... ]
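The check Dennis describes in the message above, that a signed outer .exe delivers nothing but the already reviewed bytes, can be made at the file level. This is an added example, not code from the thread or from the AOO project: it assumes the standard Windows PE layout (signature held in the certificate table referenced by data directory 4, header checksum rewritten on signing, up to 7 bytes of alignment padding before the table), and the sample image, the placeholder "certificate" bytes and all function names are constructed for illustration.

```python
import struct

PE32, PE32_PLUS = 0x10B, 0x20B
SECURITY_DIR = 4  # index of the certificate-table entry in the data directories


def locate(pe: bytes):
    """Return (checksum_off, dir_entry_off, cert_off, cert_size) for a PE image."""
    try:
        if pe[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        (nt,) = struct.unpack_from("<I", pe, 0x3C)          # e_lfanew
        if pe[nt:nt + 4] != b"PE\0\0":
            raise ValueError("PE signature missing")
        opt = nt + 24                                       # 4-byte signature + 20-byte COFF header
        (magic,) = struct.unpack_from("<H", pe, opt)
        if magic not in (PE32, PE32_PLUS):
            raise ValueError("unknown optional-header magic")
        dirs = opt + (96 if magic == PE32 else 112)         # start of the data directories
        (count,) = struct.unpack_from("<I", pe, dirs - 4)   # NumberOfRvaAndSizes
        if count <= SECURITY_DIR:
            raise ValueError("no certificate-table slot in this image")
        entry = dirs + 8 * SECURITY_DIR
        # For this one directory the first field is a file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from("<II", pe, entry)
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    if cert_off + cert_size > len(pe):
        raise ValueError("certificate table runs past end of file")
    return opt + 64, entry, cert_off, cert_size             # CheckSum sits at optional header +64


def is_signed(pe: bytes) -> bool:
    """True when the certificate-table slot is in use (says nothing about validity)."""
    _, _, off, size = locate(pe)
    return off != 0 and size != 0


def strip_signature(pe: bytes) -> bytes:
    """Copy with checksum and certificate directory zeroed and the table cut out."""
    chk, entry, off, size = locate(pe)
    out = bytearray(pe)
    out[chk:chk + 4] = b"\0" * 4
    out[entry:entry + 8] = b"\0" * 8
    if off and size:
        del out[off:off + size]
    return bytes(out)


def same_payload(reviewed: bytes, candidate: bytes) -> bool:
    """True when candidate differs from reviewed only in the signature fields."""
    a, b = strip_signature(reviewed), strip_signature(candidate)
    if not b.startswith(a):
        return False
    pad = b[len(a):]                    # assumption: at most 7 zero bytes of alignment padding
    return len(pad) < 8 and not any(pad)


def make_sample_pe(payload: bytes) -> bytes:
    """Constructed, non-runnable PE32 skeleton: bare headers plus an appended payload."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32)
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    return dos + b"PE\0\0" + coff + bytes(opt) + payload


def attach_certificate(pe: bytes, blob: bytes) -> bytes:
    """Test fixture: mimic the layout change signing makes. blob is a placeholder, not a signature."""
    chk, entry, _, _ = locate(pe)
    out = bytearray(pe) + b"\0" * (-len(pe) % 8)            # pad file to 8-byte alignment
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob   # WIN_CERTIFICATE header
    cert += b"\0" * (-len(cert) % 8)
    struct.pack_into("<II", out, entry, len(out), len(cert))
    struct.pack_into("<I", out, chk, 0x12345678)            # constructed checksum value
    return bytes(out + cert)


def demo():
    reviewed = make_sample_pe(b"constructed installer payload")
    signed = attach_certificate(reviewed, b"placeholder-pkcs7")
    tampered = signed.replace(b"installer", b"INSTALLER")   # payload changed after review
    return (is_signed(reviewed), is_signed(signed),
            same_payload(reviewed, signed), same_payload(reviewed, tampered))


if __name__ == "__main__":
    print(demo())
```

A match shows only that no bytes outside the signature fields changed; whether the signature itself is valid still has to be checked with the platform's own verification tooling.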
Re: Java 32
On 12/09/2014 11:10 PM, Andrea Pescetti wrote:
> Marcus wrote:
>> On 12/09/2014 06:23 PM, Rory O'Farrell wrote:
>>> If we are working towards a new release, could the Java not found message from Windows be extended to be more informative? It could be amended to say something like OpenOffice needs a 32 bit Java, which has not been found on this machine. ...
>>
>> Do you (or someone else) know where to find the sentence in the code to extend it?
>
> If you have the exact error string, it should be fairly easy to find it here (in English): http://opengrok.adfinis-sygroup.org/source/

maybe Rory can help here. It's easier than to search through 1560 hits. ;-)

> If you have a translation, the fastest way (it's in OpenGrok too, but in huge files) is probably to search for it in Pootle: https://translate.apache.org/projects/aoo40/ and find the English original, then do the above.
>
> Fixing the message should be quite easy too, but open an issue for it and report the number here if you have doubts.

OK, let's see.

Marcus
Re: Reporting broken download link
2014-12-09 21:23 GMT+01:00 Rory O'Farrell ofarr...@iol.ie:
> On Tue, 9 Dec 2014 15:14:24 -0500 Louis Suárez-Potts lui...@gmail.com wrote:
>> Hi
>>
>> On 09 Dec2014, at 15:11, Rory O'Farrell ofarr...@iol.ie wrote:
>>> On Tue, 09 Dec 2014 13:48:44 -0600 Elizabeth Morgan elizabethallynmor...@gmail.com wrote:
>>>> UPDATE: It's my entire development team that's encountering the issue at the moment -- we're having to refit a good number of computers, and all of them are detecting it as malicious after downloading from Sourceforge via official link from openoffice.org
>>>
>>> Remember that you can check the download for integrity by the methods described in http://www.openoffice.org/download/checksums.html
>>>
>>> Your team only need one download for each O/S. They can move it about on USB key or DVD or network.
>>
>> I think Elizabeth’s point is that there is something amiss with the linkage from OpenOffice to SF to users. The problem, reading her post, could lie with SF. But my guess is that Elizabeth is more than competent to file an issue describing more precisely the problem so that we can resolve it.
>
> I can certainly confirm, from many reports on the Forum, that Chrome is identifying SourceForge OO files on the automatic download as malicious. The same reports suggest that the direct download link gives the same files without triggering any malicious file warning from Chrome.

We are trying to talk to Google to better understand what's going on, in the meantime we excluded all the blacklisted OpenOffice mirror URLs from the selection used when users download. When downloading OO now, you should get the file without any warning.

This is only a short-term solution but should help for the time being. We hope to learn soon more about the actual google chrome policies and why those are tagging as malicious few open source projects out there.

Roberto
Re: Reporting broken download link
On 09 Dec2014, at 17:41, Roberto Galoppini roberto.galopp...@gmail.com wrote:
> 2014-12-09 21:23 GMT+01:00 Rory O'Farrell ofarr...@iol.ie:
>> On Tue, 9 Dec 2014 15:14:24 -0500 Louis Suárez-Potts lui...@gmail.com wrote:
>>> Hi
>>>
>>> On 09 Dec2014, at 15:11, Rory O'Farrell ofarr...@iol.ie wrote:
>>>> On Tue, 09 Dec 2014 13:48:44 -0600 Elizabeth Morgan elizabethallynmor...@gmail.com wrote:
>>>>> UPDATE: It's my entire development team that's encountering the issue at the moment -- we're having to refit a good number of computers, and all of them are detecting it as malicious after downloading from Sourceforge via official link from openoffice.org
>>>>
>>>> Remember that you can check the download for integrity by the methods described in http://www.openoffice.org/download/checksums.html
>>>>
>>>> Your team only need one download for each O/S. They can move it about on USB key or DVD or network.
>>>
>>> I think Elizabeth’s point is that there is something amiss with the linkage from OpenOffice to SF to users. The problem, reading her post, could lie with SF. But my guess is that Elizabeth is more than competent to file an issue describing more precisely the problem so that we can resolve it.
>>
>> I can certainly confirm, from many reports on the Forum, that Chrome is identifying SourceForge OO files on the automatic download as malicious. The same reports suggest that the direct download link gives the same files without triggering any malicious file warning from Chrome.
>
> We are trying to talk to Google to better understand what's going on, in the meantime we excluded all the blacklisted OpenOffice mirror URLs from the selection used when users download. When downloading OO now, you should get the file without any warning.
>
> This is only a short-term solution but should help for the time being. We hope to learn soon more about the actual google chrome policies and why those are tagging as malicious few open source projects out there.
>
> Roberto

Thanks, Roberto, for the explanation. Perhaps an issue that reflects the ongoing discussion would help with Elizabeth’s situation and also others? (And the parallel discussion on signing downloads is probably not entirely irrelevant?)

(BTW, I use Google Chrome Canary on OS X 10.2—a dev. editions, for both—and every now and then there are misreadings of a code’s legitimacy. Happens.)

louis
Re: Java 32
On 9 December 2014 22:19:41 GMT+00:00, Marcus marcus.m...@wtnet.de wrote:
> On 12/09/2014 11:10 PM, Andrea Pescetti wrote:
>> Marcus wrote:
>>> On 12/09/2014 06:23 PM, Rory O'Farrell wrote:
>>>> If we are working towards a new release, could the Java not found message from Windows be extended to be more informative? It could be amended to say something like OpenOffice needs a 32 bit Java, which has not been found on this machine. ...
>>>
>>> Do you (or someone else) know where to find the sentence in the code to extend it?
>>
>> If you have the exact error string, it should be fairly easy to find it here (in English): http://opengrok.adfinis-sygroup.org/source/
>
> maybe Rory can help here. It's easier than to search through 1560 hits. ;-)

I'll uninstall Java on an unused windows machine tomorrow and catch the error message, but it is likely to be about 15 hours from now as I have meetings tomorrow morning. Going to bed now!
Re: Signing AOO 4.1.1 (was RE: Budapest and thereafter)
On Tue, Dec 9, 2014 at 5:19 PM, Dennis E. Hamilton dennis.hamil...@acm.org wrote:
+1 (non-binding [;) on PMC approval of any slip-stream. I don't understand why full rebuilds are required. The only crucial file that needs signing is the .exe that is downloaded and extracts the actual setup files. All it does is extract a number of fixed files and then run the extracted setup.exe.
We found this out when we took AOO through the Windows 8 certification testing tool. They have something new called kernel-mode code signing where they check each exe, dll, sys, etc., for a digital signature at load time. So certification requires we sign any executable code and then do it for the outermost installer as well. Of course, nothing requires that we go for certification. I bet if we just signed the outermost installer it would satisfy earlier versions of Windows, antivirus apps and browsers that are doing this kind of check. So it might be worth doing just this minimum initially. Regards, -Rob
If a signed version of that .exe can be created, using the existing setups delivered with the current 4.1.1 .exe files, there is nothing else to do. It has to be done once for each language, but that's it. No full rebuilds, no new dates on files. The extracted setups would be binary identical to each of the current ones for 4.1.1, so it is easy to verify that the signed .exe does not deliver anything but the already reviewed installs. That might be unworkable, but it is definitely worth seeing if it is possible rather than going through a full-up set of build processes. - Dennis
PS: Rob's analysis is very useful to keep in mind as we look at other ways to increase confidence in the AOO binaries and the AOO site as preferable for those downloads. I think grabbing the low-hanging fruit and getting something simple through the process is also desirable, especially since we are starting from zero using the signing process.
-Original Message- From: jan i [mailto:j...@apache.org] Sent: Tuesday, December 9, 2014 08:29 To: dev; Dennis Hamilton Subject: Re: Signing AOO 4.1.1 (was RE: Budapest and thereafter)
On 9 December 2014 at 16:26, Dennis E. Hamilton dennis.hamil...@acm.org wrote: Andrea, [ ... ] (Or even sign the existing installer file, if it is in the proper format for inserting the information and signature.) That is, the .cab, .msi, and setup.exe would be completely unchanged.
No, we need to rebuild (and for every language), because the last step in the build process needs to be repeated, we cannot just patch the files. If we could move away from 1 install set per language, the job would be about 30 times faster :-) AOO is special compared to most other projects, in that the majority of our users use the binary package. As a consequence, I recommend a PMC vote, even if it's not strictly needed. [ ... ] It would still have to be project-managed in the sense that all of the measures to preserve binary authenticity and provide accompanying binary release management internal to AOO should be followed. [ ... ]
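The check Dennis describes above (the setups extracted from a signed .exe being binary identical to the already reviewed ones) can be done mechanically. The following Python script is an added example, not code from the thread or from the AOO project: it hashes every file in two extraction directories and reports anything missing, added or changed. How the installer is unpacked is left out, and the file names in `demo()` are constructed samples.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = digest.hexdigest()
    return result

def compare_payloads(reviewed_dir, candidate_dir):
    """Report files missing from, added to, or changed in the candidate."""
    old, new = manifest(reviewed_dir), manifest(candidate_dir)
    return {
        "missing": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def is_identical(report):
    return not any(report.values())

def _write_tree(root, files):
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    """Constructed sample trees standing in for extracted installer payloads."""
    reviewed = {"setup.exe": b"MZ-setup", "sample.msi": b"msi-data",
                "redist/helper.exe": b"MZ-helper"}
    altered = {"setup.exe": b"MZ-other", "sample.msi": b"msi-data",
               "extra.dll": b"MZ-extra"}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        _write_tree(a, reviewed)
        _write_tree(b, altered)
        return compare_payloads(a, a), compare_payloads(a, b)

if __name__ == "__main__":
    print(demo())
```

The comparison applies to the extracted payload only: the outer .exe necessarily differs once a signature is embedded in it, so its own hash cannot match the unsigned original.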
Re: Java 32
On Tue, 09 Dec 2014 23:01:01 + Rory O'Farrell ofarr...@iol.ie wrote: On 9 December 2014 22:19:41 GMT+00:00, Marcus marcus.m...@wtnet.de wrote: On 12/09/2014 11:10 PM, Andrea Pescetti wrote: Marcus wrote: On 12/09/2014 06:23 PM, Rory O'Farrell wrote:
If we are working towards a new release, could the Java not found message from Windows be extended to be more informative? It could be amended to say something like OpenOffice needs a 32 bit Java, which has not been found on this machine. ...
Do you (or someone else) know where to find the sentence in the code to extend it?
If you have the exact error string, it should be fairly easy to find it here (in English): http://opengrok.adfinis-sygroup.org/source/
Maybe Rory can help here. It's easier than to search through 1560 hits. ;-)
I'll uninstall Java on an unused Windows machine tomorrow and catch the error message, but it is likely to be about 15 hours from now as I have meetings tomorrow morning. Going to bed now!
Here is the message as quoted on the en-Forum:
JRE is Defective No Java installation could be found Please check your installation
If you have a translation, the fastest way (it's in OpenGrok too, but in huge files) is probably to search for it in Pootle: https://translate.apache.org/projects/aoo40/ and find the English original, then do the above. Fixing the message should be quite easy too, but open an issue for it and report the number here if you have doubts.
OK, let's see. Marcus
Fwd: [CLT-News] Advent companion and registration deadlines
Referring to my posting of 19.11.2014, I am forwarding the attached e-mail from the organizers of the Chemnitzer Linux-Tage, with a request to note the announced deadlines. Regards, Michael
Original Message Subject: [CLT-News] Advent companion and registration deadlines Date: Tue, 09 Dec 2014 13:22:41 +0100 From: Antje Schreiber an...@linux-tage.de Reply-To: t...@linux-tage.de To: n...@linux-tage.de
The most important points in brief:
* Deadlines in January
Submission of talk or workshop topics https://chemnitzer.linux-tage.de/2015/de/programm/anmeldung/beitrag
Registration for exhibitors by 07.01.2015 https://chemnitzer.linux-tage.de/2015/de/programm/anmeldung/live
Proceedings contributions by 16.01.2015 https://chemnitzer.linux-tage.de/2015/de/programm/tagungsband
* Postcards have arrived https://chemnitzer.linux-tage.de/2015/de/presse/mitteilungen/news01
* Surprises behind 24 little doors https://chemnitzer.linux-tage.de/2015/de/addons/advent
--- and in detail:
Our database is filling up, and we can already reveal that in 2015, too, visitors will find it hard to decide when putting together their personal talk schedule. Until 7 January, contributions for the talk slots, workshops, or the request for a booth in the foyer can still be registered. Those who opt for an additional publication in the CLT proceedings have until 16 January 2015 to submit the paper. Notes on preparing it can be found on our website.
Hot off the press, just in time for Christmas, our postcards have arrived. The back offers plenty of room for warm holiday greetings, which can in this way be nicely combined with an invitation for March. They can be found from now on at various locations in the TU Chemnitz and, from March, in various postcard racks in the city centre. Anyone who has no way of getting the postcards can send us a sufficiently stamped and addressed envelope and receive the cards that way.
Some have surely already discovered it: this year the team of the Chemnitzer Linux-Tage has prepared 24 small Advent greetings to "sweeten" the wait until the event. There are also a few estimation puzzles among them, with small prizes for the correct answers.
The second candle is already shining on the Advent wreath and the holidays are not far off. We wish our readers, visitors, helpers and sponsors a contemplative Christmas season and a merry Christmas. Warm regards from the team of the Chemnitzer Linux-Tage
___ CLT-News mailing list clt-n...@linux-tage.de https://mailman.linux-tage.de/listinfo/clt-news