Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Marcus]

Am 08/19/2016 01:09 AM, schrieb Dennis E. Hamilton:



-Original Message-
From: Keith N. McKenna [mailto:keith.mcke...@comcast.net]
Sent: Thursday, August 18, 2016 14:46
To: q...@openoffice.apache.org; dev@openoffice.apache.org
Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows


[ ... ]

[knmc]
As we move forward to a general distribution here  is an odt revision of
the readme that can be used to generate an html, pdf, or text versions.
All versions are attached but may not come through to the list. They can
all be accessed from the following link.
<https://1drv.ms/f/s!AMMYmStvrJNJgQQ>
All feedback is both welcomed and encouraged.

[orcmid]

The .odt and the .txt file come through as attachments.

Do you have specific recommendations about what should be done with these?

I notice that there are problems with the .txt file layout not having hard line 
breaks.  The name changes and dates in 0.2.0 are not reflected.  The .odt also 
needs layout work.  There's too much white space and I have not looked closely 
enough to figure out why.

I know we differ on formatting and some document organization matters.  I am 
not going to address them at this point.

I am going to 1.0.0 now, essentially with the 0.2.0 except for the change of 
version number and removal of the limitation to testing use.  I did the other 
repair you suggested.  I think Marcus is ready on the other binaries, so 
something will happen tomorrow (Friday).

I'm not certain what the final inch is just yet, but it looks like everything 
is ready enough.


I haven't read the updates from Keith yet. But when they have no real 
news and are just formulation and layout updates, then I suggest to let 
us go live with text and binaries we have now.


We can think about to update them after that with no hurry anymore. The 
announcement about the source patch was ~1 month ago. We shouldn't wait 
any longer with the binary patches.


Sorry Keith. ;-)

Marcus


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Dennis E. Hamilton]

> -Original Message-
> From: Keith N. McKenna [mailto:keith.mcke...@comcast.net]
> Sent: Thursday, August 18, 2016 14:46
> To: q...@openoffice.apache.org; dev@openoffice.apache.org
> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
[ ... ]
> [knmc]
> As we move forward to a general distribution here  is an odt revision of
> the readme that can be used to generate an html, pdf, or text versions.
> All versions are attached but may not come through to the list. They can
> all be accessed from the following link.
> <https://1drv.ms/f/s!AMMYmStvrJNJgQQ>
> All feedback is both welcomed and encouraged.
[orcmid] 

The .odt and the .txt file come through as attachments.

Do you have specific recommendations about what should be done with these?  

I notice that there are problems with the .txt file layout not having hard line 
breaks.  The name changes and dates in 0.2.0 are not reflected.  The .odt also 
needs layout work.  There's too much white space and I have not looked closely 
enough to figure out why.

I know we differ on formatting and some document organization matters.  I am 
not going to address them at this point.

I am going to 1.0.0 now, essentially with the 0.2.0 except for the change of 
version number and removal of the limitation to testing use.  I did the other 
repair you suggested.  I think Marcus is ready on the other binaries, so 
something will happen tomorrow (Friday).  

I'm not certain what the final inch is just yet, but it looks like everything 
is ready enough.

 - Dennis
> 
> regards
> Keith
> >
> >
> > -
> > To unsubscribe, e-mail: qa-unsubscr...@openoffice.apache.org
> > For additional commands, e-mail: qa-h...@openoffice.apache.org
> >



-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Keith N. McKenna]

Dennis E. Hamilton wrote:
>
>> -Original Message-
>> From: Keith N. McKenna [mailto:keith.mcke...@comcast.net]
>> Sent: Monday, August 15, 2016 21:05
>> To: q...@openoffice.apache.org; dev@openoffice.apache.org
>> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
>>
>>
>>
>> Dennis E. Hamilton wrote:
>>> BETA 0.2.0 IS NOW AVAILABLE
>>>
>>> This is a cleanup version.  It is hoped that this will be the last
>> change before bumping the version to 1.0.0 and making general
>> availability.
>>> One important change:
>>>
>>> The names of the files have been changed.
>>>
>>> The README is now named README-4.1.2-patch1-Windows.txt.
>>>
>>> The zip and the related .asc, .md5, .sha1, and .sha256 files all
>> have the base name
>>> apache-openoffice-4.1.2-patch1-Win_x86.zip
>>>
>>> The two scripts also have simpler names:
>>>
>>> APPLY-4.1.2-patch1.bat
>>> REVERT-4.1.2-patch1.bat
>>>
>>> The files are still available at
>>>
>>> <https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
>> patch1/Windows>
>> [knmc]
>> the link should read
>> <
> [orcmid] 
> https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/Windows/>
> [orcmid] 
>
> Right you are.  Thanks for the quick check.
>> Regards
>> Keith
>>> Now it is worth testing enough to know there is no regression and that
>> APPLY and REVERT operate properly as before.
>>>  - Dennis
>>>
> [ ... ]
[knmc]
As we move forward to a general distribution here  is an odt revision of
the readme that can be used to generate an html, pdf, or text versions.
All versions are attached but may not come through to the list. They can
all be accessed from the following link.
<https://1drv.ms/f/s!AMMYmStvrJNJgQQ>
All feedback is both welcomed and encouraged.

regards
Keith
>
>
> -
> To unsubscribe, e-mail: qa-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: qa-h...@openoffice.apache.org
>



New_Readmeforpatch.odt
Description: application/vnd.oasis.opendocument.text
Title: Readme




APPLYING
HOTFIX FOR APACHE OPENOFFICE ON WINDOWS

README-4.1.2-patch1-apply-Windows.txt	1.0.0	2016-08-07

	
		
		Table of
		Contents
	
	Notice	1
	Purpose	1
	Intended
	Audience	1
	Prerequisites	2
	Preliminary
	Instructions	2
	Apply Patch
	Automatically	3
	Removing the Patch	3
	Appendicies	4
	Manually
	Apply Patch	4
	Troubleshooting	4




Notice
Licensed to the Apache Software
Foundation (ASF) under one or more contributor license agreements.
The ASF licenses this file to you under the Apache License, Version
2.0 (the "License"). You may obtain a copy of the License
at http://www.apache.org/licenses/LICENSE-2.0
Purpose
The purpose of this document is to
describe how to apply the hotfix to eliminate a security
vulnerability identified as CVE-2016-1513. The latest details about
that vulnerability and its mitigation can be found on the web at
<http://www.openoffice.org/security/cves/CVE-2016-1513.html>.
The hotfix is provided as a zip
file at the following
location:<https://dist.apache.org/repos/dist/release/openoffice/4.1.2-patch1/>

Intended Audience
This document is primarily
intended for use by non-technical individuals but presumes
familiarity with the following;

	Your account has
	administrator privileges or you have access to an adminstrator
	password
	NOTE: If your Operating System
	is Windows XP you must be logged into an account with administrator
	privileges.
	Use of a web browser to
	download files from the internet
	Use of the file manager to
	locate files and folders
	Use of the file manager to
	select files

Prerequisites

	Apache OpenOffice Version
	4.1.2 
	
	Quickstarter must be off

Preliminary
Instructions

	Verify installed version is
	4.1.2
	
		Open Apache OpenOffice 
		
	
	Download the zip file from
	<https://dist.apache.org/repos/dist/release/openoffice/4.1.2-patch1/>
	
		Use of the download folder
		for this procedure is fine
	
	Navigate to the above folder
	with the file manager
	Select the downloaded zip
	file
	Right click the zip file
	Select Extract All... from
	the context menu
	
		This will create a folder in
		the same folder you downloaded the archive with the contents of the
		archive un-packed in it
	
	Open the new folder from step
	5 it should contain the following files
	
		README-4.1.2-patch1-apply-Windows.txt
		
			This procedure
		
		LICENSE.txt
		
			The Apache License Version
			2.0 under which the .

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Marcus]

Am 08/16/2016 05:26 AM, schrieb Dennis E. Hamilton:

BETA 0.2.0 IS NOW AVAILABLE

This is a cleanup version.  It is hoped that this will be the last change 
before bumping the version to 1.0.0 and making general availability.

One important change:

 The names of the files have been changed.

 The README is now named README-4.1.2-patch1-Windows.txt.

 The zip and the related .asc, .md5, .sha1, and .sha256 files all have the 
base name
 apache-openoffice-4.1.2-patch1-Win_x86.zip

The two scripts also have simpler names:

 APPLY-4.1.2-patch1.bat
 REVERT-4.1.2-patch1.bat

The files are still available at

 <https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/Windows>

Now it is worth testing enough to know there is no regression and that APPLY 
and REVERT operate properly as before.


I've downloaded the new ZIP and tested again:

- Download new ZIP file OK
- Unzipping OK
- ASC signature OK
- MD5   OK
- SHA1  OK
- SHA256OK
- "tl.dll.new" ASC signature  OK
- "tl.dll.old" ASC signature  OK

The both .bat files differ from the past ones. I've not run the new ones 
again but looked closely to the diff output. There are no functional 
changes but only for file name and version.


If I should run them again, just tell me.

Otherwise I think also this ZIP is ready to do its work.

Marcus




-Original Message-
From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
Sent: Thursday, August 11, 2016 21:08
To: dev@openoffice.apache.org
Cc: q...@openoffice.apache.org
Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

BETA 0.1.0 WITH AUTOMATED SCRIPTS IS NOW AVAILABLE

The scripts make life much easier, since users don't have to go hunting
for anything and digging around in operating-system locations.

You should be able to go through the procedure that uses the automated
steps pretty easily.

It is very important to know the difficulties that arise or whether
there were none.

The material is available at
<http://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
patch1/binaries/Windows>.

  - Dennis




-Original Message-
From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
Sent: Wednesday, August 10, 2016 18:01
To: dev@openoffice.apache.org
Cc: q...@openoffice.apache.org
Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

Beta version 0.1.0 is now nearing completion.

It will include two scripts, one for applying the patch, the other for
reverting the patch.

The .zip will also have a copy of the original 4.1.2 tl.dll as well as
the new one.  These are used in the procedures to verify the files

that

are present in the OpenOffice configuration in order to apply the

patch

and also to remove it.

Next steps:
  * Additional path testing of the two scripts and verification that
operation on Windows XP and on Windows 10 work as expected.

[orcmid]

Done

It is also much easier to work through the patch checks using the
scripts.


  * Updating of the README to reflect the availability of the batch-

file

scripts as well as the manual procedure if ever needed.

[orcmid]

Done



  * Although the Zips already carry executable code (i.e., DLLs) there
may be some Antivirus push-back where the policy is to not allow .zip
files with scripts in them.  The README will also have to address that
possibility.

[orcmid]

I forgot that at the last minute.  I will put that into the next
version.  Meanwhile, those who check these procedures should report any
AV objections they ran into.




  - Dennis


-Original Message-
From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
Sent: Monday, August 8, 2016 09:58
To: dev@openoffice.apache.org
Cc: q...@openoffice.apache.org
Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

Alpha version 0.0.1 of README-4.1.2-patch1-apply-Windows.txt has

been

introduced into the files (and the .zip) at
<https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
patch1/binaries/Windows>.

This version reflects suggestions by Marcus Lange, Pedro Lino, and

Keith

McKenna.  Suggestions that are not (yet) implemented will be

discussed

in replies to their messages and on the bugzilla issue at
<https://bz.apache.org/ooo/show_bug.cgi?id=127065>.


By its nature, this material is intended for users operating on

Windows.

In some cases, incompatible forms are used on the Subversion server
where the above files are situated.  Version 0.0.1 attempts to
accommodate for this incompatibility.  In continuing to verify the
procedure, please indicate whether there are (now) difficulties

using

the text files, especially on Windows.

Users of Linux systems may have difficulties with some utilities for
which the Windows versions of the same tool (e.g., md5sum) do not
produce Linux-acceptable line endings.  It is useful to know if th

RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Dennis E. Hamilton]

> -Original Message-
> From: Keith N. McKenna [mailto:keith.mcke...@comcast.net]
> Sent: Monday, August 15, 2016 21:05
> To: q...@openoffice.apache.org; dev@openoffice.apache.org
> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
> 
> 
> Dennis E. Hamilton wrote:
> > BETA 0.2.0 IS NOW AVAILABLE
> >
> > This is a cleanup version.  It is hoped that this will be the last
> change before bumping the version to 1.0.0 and making general
> availability.
> >
> > One important change:
> >
> > The names of the files have been changed.
> >
> > The README is now named README-4.1.2-patch1-Windows.txt.
> >
> > The zip and the related .asc, .md5, .sha1, and .sha256 files all
> have the base name
> > apache-openoffice-4.1.2-patch1-Win_x86.zip
> >
> > The two scripts also have simpler names:
> >
> > APPLY-4.1.2-patch1.bat
> > REVERT-4.1.2-patch1.bat
> >
> > The files are still available at
> >
> > <https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
> patch1/Windows>
> [knmc]
> the link should read
> <
[orcmid] 
https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/Windows/>
[orcmid] 

Right you are.  Thanks for the quick check.
> 
> Regards
> Keith
> >
> > Now it is worth testing enough to know there is no regression and that
> APPLY and REVERT operate properly as before.
> >
> >  - Dennis
> >
[ ... ]



-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Keith N. McKenna]

Dennis E. Hamilton wrote:
> BETA 0.2.0 IS NOW AVAILABLE
>
> This is a cleanup version.  It is hoped that this will be the last change 
> before bumping the version to 1.0.0 and making general availability.
>
> One important change:
>
> The names of the files have been changed.  
>
> The README is now named README-4.1.2-patch1-Windows.txt.
>
> The zip and the related .asc, .md5, .sha1, and .sha256 files all have the 
> base name
> apache-openoffice-4.1.2-patch1-Win_x86.zip
>
> The two scripts also have simpler names:
>
> APPLY-4.1.2-patch1.bat
> REVERT-4.1.2-patch1.bat
>
> The files are still available at
>
> <https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/Windows>
[knmc]
the link should read
<https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/Windows/>

Regards
Keith
>
> Now it is worth testing enough to know there is no regression and that APPLY 
> and REVERT operate properly as before.
>
>  - Dennis
>
>> -Original Message-
>> From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
>> Sent: Thursday, August 11, 2016 21:08
>> To: dev@openoffice.apache.org
>> Cc: q...@openoffice.apache.org
>> Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
>>
>> BETA 0.1.0 WITH AUTOMATED SCRIPTS IS NOW AVAILABLE
>>
>> The scripts make life much easier, since users don't have to go hunting
>> for anything and digging around in operating-system locations.
>>
>> You should be able to go through the procedure that uses the automated
>> steps pretty easily.
>>
>> It is very important to know the difficulties that arise or whether
>> there were none.
>>
>> The material is available at
>> <http://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
>> patch1/binaries/Windows>.
>>
>>  - Dennis
>>
>>
>>
>>> -----Original Message-
>>> From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
>>> Sent: Wednesday, August 10, 2016 18:01
>>> To: dev@openoffice.apache.org
>>> Cc: q...@openoffice.apache.org
>>> Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
>>>
>>> Beta version 0.1.0 is now nearing completion.
>>>
>>> It will include two scripts, one for applying the patch, the other for
>>> reverting the patch.
>>>
>>> The .zip will also have a copy of the original 4.1.2 tl.dll as well as
>>> the new one.  These are used in the procedures to verify the files
>> that
>>> are present in the OpenOffice configuration in order to apply the
>> patch
>>> and also to remove it.
>>>
>>> Next steps:
>>>  * Additional path testing of the two scripts and verification that
>>> operation on Windows XP and on Windows 10 work as expected.
>> [orcmid]
>>
>> Done
>>
>> It is also much easier to work through the patch checks using the
>> scripts.
>>>  * Updating of the README to reflect the availability of the batch-
>> file
>>> scripts as well as the manual procedure if ever needed.
>> [orcmid]
>>
>> Done
>>
>>>  * Although the Zips already carry executable code (i.e., DLLs) there
>>> may be some Antivirus push-back where the policy is to not allow .zip
>>> files with scripts in them.  The README will also have to address that
>>> possibility.
>> [orcmid]
>>
>> I forgot that at the last minute.  I will put that into the next
>> version.  Meanwhile, those who check these procedures should report any
>> AV objections they ran into.
>>
>>
>>>  - Dennis
>>>
>>>> -Original Message-
>>>> From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
>>>> Sent: Monday, August 8, 2016 09:58
>>>> To: dev@openoffice.apache.org
>>>> Cc: q...@openoffice.apache.org
>>>> Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
>>>>
>>>> Alpha version 0.0.1 of README-4.1.2-patch1-apply-Windows.txt has
>> been
>>>> introduced into the files (and the .zip) at
>>>> <https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
>>>> patch1/binaries/Windows>.
>>>>
>>>> This version reflects suggestions by Marcus Lange, Pedro Lino, and
>>> Keith
>>>> McKenna.  Suggestions that are not (yet) implemented will be
>> discussed
>>>> in replies to their messages and on the bugzilla issue at
>>>> <https://bz.apache.o

RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Dennis E. Hamilton]

BETA 0.2.0 IS NOW AVAILABLE

This is a cleanup version.  It is hoped that this will be the last change 
before bumping the version to 1.0.0 and making general availability.

One important change:

The names of the files have been changed.  

The README is now named README-4.1.2-patch1-Windows.txt.

The zip and the related .asc, .md5, .sha1, and .sha256 files all have the 
base name
apache-openoffice-4.1.2-patch1-Win_x86.zip

The two scripts also have simpler names:

APPLY-4.1.2-patch1.bat
REVERT-4.1.2-patch1.bat

The files are still available at

<https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/Windows>

Now it is worth testing enough to know there is no regression and that APPLY 
and REVERT operate properly as before.

 - Dennis

> -Original Message-
> From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
> Sent: Thursday, August 11, 2016 21:08
> To: dev@openoffice.apache.org
> Cc: q...@openoffice.apache.org
> Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
> BETA 0.1.0 WITH AUTOMATED SCRIPTS IS NOW AVAILABLE
> 
> The scripts make life much easier, since users don't have to go hunting
> for anything and digging around in operating-system locations.
> 
> You should be able to go through the procedure that uses the automated
> steps pretty easily.
> 
> It is very important to know the difficulties that arise or whether
> there were none.
> 
> The material is available at
> <http://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
> patch1/binaries/Windows>.
> 
>  - Dennis
> 
> 
> 
> > -Original Message-
> > From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
> > Sent: Wednesday, August 10, 2016 18:01
> > To: dev@openoffice.apache.org
> > Cc: q...@openoffice.apache.org
> > Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> >
> > Beta version 0.1.0 is now nearing completion.
> >
> > It will include two scripts, one for applying the patch, the other for
> > reverting the patch.
> >
> > The .zip will also have a copy of the original 4.1.2 tl.dll as well as
> > the new one.  These are used in the procedures to verify the files
> that
> > are present in the OpenOffice configuration in order to apply the
> patch
> > and also to remove it.
> >
> > Next steps:
> >  * Additional path testing of the two scripts and verification that
> > operation on Windows XP and on Windows 10 work as expected.
> [orcmid]
> 
> Done
> 
> It is also much easier to work through the patch checks using the
> scripts.
> >
> >  * Updating of the README to reflect the availability of the batch-
> file
> > scripts as well as the manual procedure if ever needed.
> [orcmid]
> 
> Done
> 
> >
> >  * Although the Zips already carry executable code (i.e., DLLs) there
> > may be some Antivirus push-back where the policy is to not allow .zip
> > files with scripts in them.  The README will also have to address that
> > possibility.
> [orcmid]
> 
> I forgot that at the last minute.  I will put that into the next
> version.  Meanwhile, those who check these procedures should report any
> AV objections they ran into.
> 
> 
> >
> >  - Dennis
> >
> > > -Original Message-
> > > From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
> > > Sent: Monday, August 8, 2016 09:58
> > > To: dev@openoffice.apache.org
> > > Cc: q...@openoffice.apache.org
> > > Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> > >
> > > Alpha version 0.0.1 of README-4.1.2-patch1-apply-Windows.txt has
> been
> > > introduced into the files (and the .zip) at
> > > <https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
> > > patch1/binaries/Windows>.
> > >
> > > This version reflects suggestions by Marcus Lange, Pedro Lino, and
> > Keith
> > > McKenna.  Suggestions that are not (yet) implemented will be
> discussed
> > > in replies to their messages and on the bugzilla issue at
> > > <https://bz.apache.org/ooo/show_bug.cgi?id=127065>.
> > >
> > >
> > > By its nature, this material is intended for users operating on
> > Windows.
> > > In some cases, incompatible forms are used on the Subversion server
> > > where the above files are situated.  Version 0.0.1 attempts to
> > > accommodate for this incompatibility.  In continuing to verify the
> > > procedure, please indicate whether there are (now) difficulties
> using
> > > the text files, especially on Windows.
> >

RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Dennis E. Hamilton]

> -Original Message-
> From: Keith N. McKenna [mailto:keith.mcke...@comcast.net]
> Sent: Saturday, August 13, 2016 21:24
> To: q...@openoffice.apache.org
> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
> Dennis;
> Attached is an odt file with mark-ups and comments for a couple of
> changes for the readme. For the general public release I have been
> working on a draft of a more formal format that can be used as a
> template for future situations such as this.
> 
> Keith
[orcmid] 

Thanks Keith.  The markup was simple enough to reflect in the 0.2.0 BETA that 
is going up shortly.

 - Dennis
> 
> Dennis E. Hamilton wrote:
> >
> >> -Original Message-
> >> From: Keith N. McKenna [mailto:keith.mcke...@comcast.net]
> >> Sent: Friday, August 12, 2016 13:49
> >> To: q...@openoffice.apache.org; dev@openoffice.apache.org
> >> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> >>
> >> Attached is a text file with the tests that I ran and the results of
> >> each. The only problem encountered was in verifying tl.dll.new with
> the
> >> .asc signature file. This was due to the web of trust issue discussed
> >> earlier in this thread.Patricia's signature had not been certified by
> >> anyone. One I elevated the Owner Trust level and certified it the
> >> verification passed.
> >>
> >> I will finish reviewing the latest documentation and send any
> comments
> >> or suggested changes under separate cover.
> >>
> >> Regards
> >> Keith
[ ... ]



-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Marcus]

Am 08/14/2016 07:10 PM, schrieb Dennis E. Hamilton:



-Original Message-
From: Marcus [mailto:marcus.m...@wtnet.de]
Sent: Saturday, August 13, 2016 13:20
To: dev@openoffice.apache.org
Cc: q...@openoffice.apache.org
Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows


[ ... ]

PS:
However, I've a point that could be improved.

The name of the script files are very long. Same for the Readme. Inside
the zip'ed file there is no need to repeat the complete patch name
structure. IMHO they're better recognizable when it's just an
"Apply.bat", "Revert.bat" and "Readme_Win.txt".



[orcmid]

I looked into the naming.  These changes will help:

  1. There is no longer any need for -apply in the names now that there is a 
single distribution that provides a script and provides manual instructions as 
an alternative.

  2. There is no reason to mention -Windows in the name of a .bat file, since 
that is where those run these days.

  3. I still want to be specific to 4.1.2-patch1 so that it is always clear what 
these are about, wherever the materials happen to be found on an user's PC.  That 
should be evident without examining the .bat file or even knowing how to do that 
without causing it to be executed [;<).  (It's a bit like the reasoning to have 
the README available to download directly so it can be read without downloading 
the full .zip.)

I'll do all of this in a 0.2.0 beta that I'll build today, Sunday.  There are 
some other suggestions that I will look into, after those are in the dev SVN, 
that may improve the text more.  At this point, I am concerned about 
introducing regressions.


I don't see this too negative. The good thing is: The regression cannot 
hide itself in an ASCII text. ;-)


Marcus




Thanks a lot for providing the script files. This will be a great help
for the normal users.

If you need more details or tests just tell me.

Marcus


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Dennis E. Hamilton]

Yes,

Thanks to Joost and also Marcus for having more advice on the download page 
under preparation.

For future situations like this, and general trouble-shooting for Windows 
users, I think we need some good web pages (perhaps on one of the Wikis or the 
site itself) that demonstrate how to accomplish the various prerequisites.  
Then a README could link to them.  There are a variety of tips and FAQ that 
would make working with AOO on Windows more reliable as well as give users more 
confidence in maintaining AOO on Windows.  

I have set that as a project for myself when I end my term as Chair and can 
have different kinds of fun thereafter [;<).

Joost, did not the explanation at step (10) on using the automated procedure 
deal with Administrative Privilege on an useful as-needed basis?  There clearly 
needs to be more information on what those messages look like and how to take 
action.  With the spread of differences from Windows XP to Windows 10 (and now, 
with the Anniversary Edition update), there is little more that can be done in 
a README.  

 - Dennis



> -Original Message-
> From: Marcus [mailto:marcus.m...@wtnet.de]
> Sent: Sunday, August 14, 2016 09:15
> To: dev@openoffice.apache.org
> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
> Am 08/14/2016 05:26 PM, schrieb Joost Andrae:
> > Hi,
> >
> > I've installed the patch from
> >
> >>>>>>
> >>>>>> The material is available at
> >>>>>> <http://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
> >>>>> patch1/binaries/Windows>.
> >>>>>
> >
> > into my Win7Pro AOO 4.1.2 installation. Before applying the patch I've
> > checked the md5sum and it was correct.
> >
> > I'm not sure that all users will understand what administrative
> > installation means. I did. Probably a better documentation about how
> to
> > do this will help and it'll be useful to document how to check against
> 
> I think this is described in the Readme. Of course not what an admin
> permission can do in all details. That shouldn't be the point here.
> 
> > the checksum file. The application is working as expected.
> 
> Absolutely. On the download webpage there will be a link to another page
> where this is described.
> 
> Thanks for testing the patch process.
> 
> Marcus
> 
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Dennis E. Hamilton]

> -Original Message-
> From: Marcus [mailto:marcus.m...@wtnet.de]
> Sent: Saturday, August 13, 2016 13:20
> To: dev@openoffice.apache.org
> Cc: q...@openoffice.apache.org
> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
[ ... ]
> PS:
> However, I've a point that could be improved.
> 
> The name of the script files are very long. Same for the Readme. Inside
> the zip'ed file there is no need to repeat the complete patch name
> structure. IMHO they're better recognizable when it's just an
> "Apply.bat", "Revert.bat" and "Readme_Win.txt".
> 
> 
[orcmid] 

I looked into the naming.  These changes will help:

 1. There is no longer any need for -apply in the names now that there is a 
single distribution that provides a script and provides manual instructions as 
an alternative.

 2. There is no reason to mention -Windows in the name of a .bat file, since 
that is where those run these days.

 3. I still want to be specific to 4.1.2-patch1 so that it is always clear what 
these are about, wherever the materials happen to be found on an user's PC.  
That should be evident without examining the .bat file or even knowing how to 
do that without causing it to be executed [;<).  (It's a bit like the reasoning 
to have the README available to download directly so it can be read without 
downloading the full .zip.)

I'll do all of this in a 0.2.0 beta that I'll build today, Sunday.  There are 
some other suggestions that I will look into, after those are in the dev SVN, 
that may improve the text more.  At this point, I am concerned about 
introducing regressions.

 - Dennis
> 
> Thanks a lot for providing the script files. This will be a great help
> for the normal users.
> 
> If you need more details or tests just tell me.
> 
> Marcus
> 
> 
> 
[ ... ]


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Marcus]

Am 08/14/2016 05:26 PM, schrieb Joost Andrae:

Hi,

I've installed the patch from



The material is available at
.



into my Win7Pro AOO 4.1.2 installation. Before applying the patch I've
checked the md5sum and it was correct.

I'm not sure that all users will understand what administrative
installation means. I did. Probably a better documentation about how to
do this will help and it'll be useful to document how to check against


I think this is described in the Readme. Of course not what an admin 
permission can do in all details. That shouldn't be the point here.



the checksum file. The application is working as expected.


Absolutely. On the download webpage there will be a link to another page 
where this is described.


Thanks for testing the patch process.

Marcus


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Joost Andrae]

Hi,

I've installed the patch from



The material is available at
.



into my Win7Pro AOO 4.1.2 installation. Before applying the patch I've 
checked the md5sum and it was correct.


I'm not sure that all users will understand what administrative 
installation means. I did. Probably a better documentation about how to 
do this will help and it'll be useful to document how to check against 
the checksum file. The application is working as expected.


Kind regards, Joost


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Marcus]

Am 08/14/2016 10:17 AM, schrieb Marcus:

Am 08/14/2016 01:07 AM, schrieb Dennis E. Hamilton:

Thanks for the checking, Marcus.


-Original Message-
From: Marcus [mailto:marcus.m...@wtnet.de]
Sent: Saturday, August 13, 2016 13:20
To: dev@openoffice.apache.org
Cc: q...@openoffice.apache.org
Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

Am 08/12/2016 06:07 AM, schrieb Dennis E. Hamilton:

BETA 0.1.0 WITH AUTOMATED SCRIPTS IS NOW AVAILABLE

The scripts make life much easier, since users don't have to go

hunting for anything and digging around in operating-system locations.


You should be able to go through the procedure that uses the automated

steps pretty easily.


It is very important to know the difficulties that arise or whether

there were none.


The material is available at
<http://dist.apache.org/repos/dist/dev/openoffice/4.1.2-

patch1/binaries/Windows>.

great to have now a script-based installation. Here is my test procedure
on Windows 10 Home:

APPLY script:

- When starting the script I get a "... Windows SmartScreen has
prevented the start of a not recognized app. To run this App,
Administrator permission is needed ..." message. Doing so, it started
but showed a message [1] that Administrator permission is needed. I've
verified that nothing was done or changed.

- When starting with right-clicked "Run as Administrator" the script
showed some useful information [1], renamed the old file and copied the
new file.

REVERT script:

- When starting the script I get a "... Windows SmartScreen has
prevented the start of a not recognized app. To run this App,
Administrator permission is needed ..." message. Doing so, it started
but showed a message [1] that Administrator permission is needed. I've
verified that nothing was done or changed.

- When starting with right-clicked "Run as Administrator" the script
showed some useful information [1], deleted the new file and renamed the
old file back to the old name.

At the end both scripts are working successfully.

[1] The command line window where the output information is shown uses a
*very little* font size (looked like 4pt or similar) and is therefore
nearyl unreadable. I had to increase the font size in the properties of
the window (click on the icon in the top left corner).

[orcmid]

The font size is not under control of the script. I have no idea what
has it be so small in your case. Changing it should be persistent now.


yes, it must come from Windows. Actual it was a 10pt fonsize but with a
resolution of ? x ? even this looks like much too small.


I've pressed too fast the [Send] button. It's a 1920 x 1080 resolution.

Marcus


PS:
However, I've a point that could be improved.

The name of the script files are very long. Same for the Readme. Inside
the zip'ed file there is no need to repeat the complete patch name
structure. IMHO they're better recognizable when it's just an
"Apply.bat", "Revert.bat" and "Readme_Win.txt".

[orcmid]

Well, yes, especially the Readme. At this late point, I'd like to get
to 1.0.0 without risking any regression in the text. I don't like
these things becoming mysteries if separated from the packages.

I will give it serious consideration.


You can put a descriptive text into the script as comment lines. So,
then it's clear what it is and where it comes from. OK, if you don't
want to change it for this patch then next time. ;-)

Marcus




Thanks a lot for providing the script files. This will be a great help
for the normal users.

If you need more details or tests just tell me.

Marcus




-Original Message-
From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
Sent: Wednesday, August 10, 2016 18:01
To: dev@openoffice.apache.org
Cc: q...@openoffice.apache.org
Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

Beta version 0.1.0 is now nearing completion.

It will include two scripts, one for applying the patch, the other

for

reverting the patch.

The .zip will also have a copy of the original 4.1.2 tl.dll as well

as

the new one. These are used in the procedures to verify the files

that

are present in the OpenOffice configuration in order to apply the

patch

and also to remove it.

Next steps:
* Additional path testing of the two scripts and verification that
operation on Windows XP and on Windows 10 work as expected.

[orcmid]

Done

It is also much easier to work through the patch checks using the

scripts.


* Updating of the README to reflect the availability of the batch-

file

scripts as well as the manual procedure if ever needed.

[orcmid]

Done



* Although the Zips already carry executable code (i.e., DLLs)

there

may be some Antivirus push-back where the policy is to not allow .zip
files with scripts in them. The README will also have to address

that

possibility.

[orcmid]

I forgot that at the last minute. I will put that into the next

version. Meanwhil

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Marcus]

Am 08/14/2016 01:07 AM, schrieb Dennis E. Hamilton:

Thanks for the checking, Marcus.


-Original Message-
From: Marcus [mailto:marcus.m...@wtnet.de]
Sent: Saturday, August 13, 2016 13:20
To: dev@openoffice.apache.org
Cc: q...@openoffice.apache.org
Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

Am 08/12/2016 06:07 AM, schrieb Dennis E. Hamilton:

BETA 0.1.0 WITH AUTOMATED SCRIPTS IS NOW AVAILABLE

The scripts make life much easier, since users don't have to go

hunting for anything and digging around in operating-system locations.


You should be able to go through the procedure that uses the automated

steps pretty easily.


It is very important to know the difficulties that arise or whether

there were none.


The material is available at
<http://dist.apache.org/repos/dist/dev/openoffice/4.1.2-

patch1/binaries/Windows>.

great to have now a script-based installation. Here is my test procedure
on Windows 10 Home:

APPLY script:

- When starting the script I get a "... Windows SmartScreen has
prevented the start of a not recognized app. To run this App,
Administrator permission is needed ..." message. Doing so, it started
but showed a message [1] that Administrator permission is needed. I've
verified that nothing was done or changed.

- When starting with right-clicked "Run as Administrator" the script
showed some useful information [1], renamed the old file and copied the
new file.

REVERT script:

- When starting the script I get a "... Windows SmartScreen has
prevented the start of a not recognized app. To run this App,
Administrator permission is needed ..." message. Doing so, it started
but showed a message [1] that Administrator permission is needed. I've
verified that nothing was done or changed.

- When starting with right-clicked "Run as Administrator" the script
showed some useful information [1], deleted the new file and renamed the
old file back to the old name.

At the end both scripts are working successfully.

[1] The command line window where the output information is shown uses a
*very little* font size (looked like 4pt or similar) and is therefore
nearyl unreadable. I had to increase the font size in the properties of
the window (click on the icon in the top left corner).

[orcmid]

The font size is not under control of the script.  I have no idea what has it 
be so small in your case.  Changing it should be persistent now.


yes, it must come from Windows. Actual it was a 10pt fonsize but with a 
resolution of ? x ? even this looks like much too small.



PS:
However, I've a point that could be improved.

The name of the script files are very long. Same for the Readme. Inside
the zip'ed file there is no need to repeat the complete patch name
structure. IMHO they're better recognizable when it's just an
"Apply.bat", "Revert.bat" and "Readme_Win.txt".

[orcmid]

Well, yes, especially the Readme.  At this late point, I'd like to get to 1.0.0 
without risking any regression in the text.  I don't like these things becoming 
mysteries if separated from the packages.

I will give it serious consideration.


You can put a descriptive text into the script as comment lines. So, 
then it's clear what it is and where it comes from. OK, if you don't 
want to change it for this patch then next time. ;-)


Marcus




Thanks a lot for providing the script files. This will be a great help
for the normal users.

If you need more details or tests just tell me.

Marcus




-Original Message-
From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
Sent: Wednesday, August 10, 2016 18:01
To: dev@openoffice.apache.org
Cc: q...@openoffice.apache.org
Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

Beta version 0.1.0 is now nearing completion.

It will include two scripts, one for applying the patch, the other

for

reverting the patch.

The .zip will also have a copy of the original 4.1.2 tl.dll as well

as

the new one.  These are used in the procedures to verify the files

that

are present in the OpenOffice configuration in order to apply the

patch

and also to remove it.

Next steps:
   * Additional path testing of the two scripts and verification that
operation on Windows XP and on Windows 10 work as expected.

[orcmid]

Done

It is also much easier to work through the patch checks using the

scripts.


   * Updating of the README to reflect the availability of the batch-

file

scripts as well as the manual procedure if ever needed.

[orcmid]

Done



   * Although the Zips already carry executable code (i.e., DLLs)

there

may be some Antivirus push-back where the policy is to not allow .zip
files with scripts in them.  The README will also have to address

that

possibility.

[orcmid]

I forgot that at the last minute.  I will put that into the next

version.  Meanwhile, those who check these procedures should report any
AV objections they ran into.





   - Denni

RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Dennis E. Hamilton]

Thanks for the checking, Marcus.

> -Original Message-
> From: Marcus [mailto:marcus.m...@wtnet.de]
> Sent: Saturday, August 13, 2016 13:20
> To: dev@openoffice.apache.org
> Cc: q...@openoffice.apache.org
> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
> Am 08/12/2016 06:07 AM, schrieb Dennis E. Hamilton:
> > BETA 0.1.0 WITH AUTOMATED SCRIPTS IS NOW AVAILABLE
> >
> > The scripts make life much easier, since users don't have to go
> hunting for anything and digging around in operating-system locations.
> >
> > You should be able to go through the procedure that uses the automated
> steps pretty easily.
> >
> > It is very important to know the difficulties that arise or whether
> there were none.
> >
> > The material is available at
> > <http://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
> patch1/binaries/Windows>.
> 
> great to have now a script-based installation. Here is my test procedure
> on Windows 10 Home:
> 
> APPLY script:
> 
> - When starting the script I get a "... Windows SmartScreen has
> prevented the start of a not recognized app. To run this App,
> Administrator permission is needed ..." message. Doing so, it started
> but showed a message [1] that Administrator permission is needed. I've
> verified that nothing was done or changed.
> 
> - When starting with right-clicked "Run as Administrator" the script
> showed some useful information [1], renamed the old file and copied the
> new file.
> 
> REVERT script:
> 
> - When starting the script I get a "... Windows SmartScreen has
> prevented the start of a not recognized app. To run this App,
> Administrator permission is needed ..." message. Doing so, it started
> but showed a message [1] that Administrator permission is needed. I've
> verified that nothing was done or changed.
> 
> - When starting with right-clicked "Run as Administrator" the script
> showed some useful information [1], deleted the new file and renamed the
> old file back to the old name.
> 
> At the end both scripts are working successfully.
> 
> [1] The command line window where the output information is shown uses a
> *very little* font size (looked like 4pt or similar) and is therefore
> nearyl unreadable. I had to increase the font size in the properties of
> the window (click on the icon in the top left corner).
[orcmid] 

The font size is not under control of the script.  I have no idea what has it 
be so small in your case.  Changing it should be persistent now.
> 
> PS:
> However, I've a point that could be improved.
> 
> The name of the script files are very long. Same for the Readme. Inside
> the zip'ed file there is no need to repeat the complete patch name
> structure. IMHO they're better recognizable when it's just an
> "Apply.bat", "Revert.bat" and "Readme_Win.txt".
[orcmid] 

Well, yes, especially the Readme.  At this late point, I'd like to get to 1.0.0 
without risking any regression in the text.  I don't like these things becoming 
mysteries if separated from the packages.

I will give it serious consideration.

> 
> 
> 
> Thanks a lot for providing the script files. This will be a great help
> for the normal users.
> 
> If you need more details or tests just tell me.
> 
> Marcus
> 
> 
> 
> >> -Original Message-
> >> From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
> >> Sent: Wednesday, August 10, 2016 18:01
> >> To: dev@openoffice.apache.org
> >> Cc: q...@openoffice.apache.org
> >> Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> >>
> >> Beta version 0.1.0 is now nearing completion.
> >>
> >> It will include two scripts, one for applying the patch, the other
> for
> >> reverting the patch.
> >>
> >> The .zip will also have a copy of the original 4.1.2 tl.dll as well
> as
> >> the new one.  These are used in the procedures to verify the files
> that
> >> are present in the OpenOffice configuration in order to apply the
> patch
> >> and also to remove it.
> >>
> >> Next steps:
> >>   * Additional path testing of the two scripts and verification that
> >> operation on Windows XP and on Windows 10 work as expected.
> > [orcmid]
> >
> > Done
> >
> > It is also much easier to work through the patch checks using the
> scripts.
> >>
> >>   * Updating of the README to reflect the availability of the batch-
> file
> >> scripts as well as the manual procedure if ever needed.
> > [orcmid]
> >
> &

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Marcus]

Am 08/13/2016 10:39 PM, schrieb Kay Schenk:


On 08/13/2016 09:46 AM, Marcus wrote:

Am 08/13/2016 06:24 PM, schrieb Kay Schenk:


On 08/13/2016 07:00 AM, Marcus wrote:

Here are my tests:

Linux 32-bit:

- ZIP file is OK and can be uncompressed
- MD5, SHA1 are OK [1]
- ZIP ASC is OK (signature from Kay Schenk)
- Library ASC is OK (signature from Ariel Constenla-Haile)

Linux 64-bit:

- ZIP file is OK and can be uncompressed
- MD5, SHA1 are OK [1]
- ZIP ASC is OK (signature from Kay Schenk)
- Library ASC is OK (signature from Ariel Constenla-Haile)

Mac OSX:

- ZIP file is OK and can be uncompressed
- MD5, SHA1 are OK [1]
- ZIP ASC is OK (signature from Kay Schenk)
- Library ASC is OK (signature from Ariel Constenla-Haile)

However, after rewriting the files (of course without to modify the hash
values itself) the comparsion was OK.

@Kay:
I've uploaded the sha256 hash files as suggested.


YAY! Good job!

   Do you mind when I

overwrite the other hash files with the ones I've created? Then all have
the same format.


No, go right ahead. With the openssl with digest options, this is how
they got formatted.


OK, done


Furthermore, I've read the Readme's for Linux [2] and Mac. As I didn't
wanted to simply overwrite your work, I've attached the modified
versions. So, you can review them first or I can overwrite them if you
don't mind.


I assumed this part --

"Download the hotfix ZIP file to a location on your PC where it can be
used and its content extracted.

Example:
User Jane downloaded and extracted the hotfix ZIP file from her browser
window and saved it in a folder called "Downloads". The full path is:

/home/jane/Downloads"

would be on the hotfix page itself so not needed as part of the actual
instructions. The rest of the changes look fine.


OK, but when we keep the Readme's also outside of the ZIP files it could
make sense to keep this text part.

Otherwise I can delete the part and just upload the Readme's.

Marcus




OK, upload this new version of README to be outside the zip. Otherwise,
we need to redo the zips, recompute checksums etc.

Thanks again for re-doing the checksums.


I know it's some effort. But having 2 different Readme files for the 
same platform is not optimal. I've added some more details, so it's 
easier to follow the instructions.


I've uploaded the 3 Readme files.

Marcus




[1] The files are not well formatted for the "md5sum" and "sha1sum"
commands. They need the following format:



[2] The Readmes for Linux 32-bit and 64-bit are the same. I've just
attached the one for 32-bit.

Marcus



Am 08/12/2016 06:21 PM, schrieb Kay Schenk:

On Thu, Aug 11, 2016 at 3:27 PM, Marcus<marcus.m...@wtnet.de>wrote:


Am 08/11/2016 09:50 PM, schrieb Kay sch...@apache.org:



On 08/09/2016 02:12 PM, Kay Schenk wrote:


[top posting]
I'm in the process of trying to "sync" instructions for Linux32,
Linux64, and MacOSX at the moment. As far as instructions on the
actual
HOTFIX page, we need to have just a "general" instruction for ALL
zips
that simply says -- "Unzip this package to some folder of your
choosing
and read the README that's included." Everything else should be
in the
various READMEs for each platform.

I should be done with all edits by this evening for a final review
before zipping and signing.



Ok, I've now moved on to creating zip files, etc for Linux32, Linux64
and Mac.

My openssl version on does NOT supply digest sha256. Is it OK to use
sha1? MD5 already computed for each of these.



I like to have it consistent for all platforms. Therefore I'll
check the
ZIPs and deliver the sha256 hash files.

Marcus



​Thanks a bunch Marcus!
​







On 08/05/2016 09:28 AM, Dennis E. Hamilton wrote:



Branching off the part that is not about the Windows 4.1.2-patch1
[TESTING].

-Original Message-

From: Marcus [mailto:marcus.m...@wtnet.de]
Sent: Thursday, August 4, 2016 15:52
To: dev@openoffice.apache.org
Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for
Windows

Am 08/05/2016 12:26 AM, schrieb Kay Schenk:


[ ... ]




hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.

Should we get started on these?



it depends what we want that they should contain. The ZIP file for
Windows contains a LICENSE and NOTICE file as well as an ASC file
for
the DLL. As it is only a patch IMHO we don't need to provide
another
LICENSE and NOTICE file which is already available in the
OpenOffice
installation. Also the ASC is not necessary as we provide it
already
(together with MD5 and SHA256) for the whole ZIP file.


[orcmid]

I think there is a misunderstanding.  Two matters:

 1. The use of LICENSE is required by the ALv2 itself, and
the ASF
practice is to include NOTICE as well on binary distributions.
The patch
qualifies, especially when it is moved to general distribution.
It is also
easy and harmless to provide.

 2. The reason for preserving the .asc on the sh

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Kay Schenk]

On 08/13/2016 09:46 AM, Marcus wrote:
> Am 08/13/2016 06:24 PM, schrieb Kay Schenk:
>>
>> On 08/13/2016 07:00 AM, Marcus wrote:
>>> Here are my tests:
>>>
>>> Linux 32-bit:
>>>
>>> - ZIP file is OK and can be uncompressed
>>> - MD5, SHA1 are OK [1]
>>> - ZIP ASC is OK (signature from Kay Schenk)
>>> - Library ASC is OK (signature from Ariel Constenla-Haile)
>>>
>>> Linux 64-bit:
>>>
>>> - ZIP file is OK and can be uncompressed
>>> - MD5, SHA1 are OK [1]
>>> - ZIP ASC is OK (signature from Kay Schenk)
>>> - Library ASC is OK (signature from Ariel Constenla-Haile)
>>>
>>> Mac OSX:
>>>
>>> - ZIP file is OK and can be uncompressed
>>> - MD5, SHA1 are OK [1]
>>> - ZIP ASC is OK (signature from Kay Schenk)
>>> - Library ASC is OK (signature from Ariel Constenla-Haile)
>>>
>>> However, after rewriting the files (of course without to modify the hash
>>> values itself) the comparsion was OK.
>>>
>>> @Kay:
>>> I've uploaded the sha256 hash files as suggested.
>>
>> YAY! Good job!
>>
>>   Do you mind when I
>>> overwrite the other hash files with the ones I've created? Then all have
>>> the same format.
>>
>> No, go right ahead. With the openssl with digest options, this is how
>> they got formatted.
> 
> OK, done
> 
>>> Furthermore, I've read the Readme's for Linux [2] and Mac. As I didn't
>>> wanted to simply overwrite your work, I've attached the modified
>>> versions. So, you can review them first or I can overwrite them if you
>>> don't mind.
>>
>> I assumed this part --
>>
>> "Download the hotfix ZIP file to a location on your PC where it can be
>> used and its content extracted.
>>
>> Example:
>> User Jane downloaded and extracted the hotfix ZIP file from her browser
>> window and saved it in a folder called "Downloads". The full path is:
>>
>> /home/jane/Downloads"
>>
>> would be on the hotfix page itself so not needed as part of the actual
>> instructions. The rest of the changes look fine.
> 
> OK, but when we keep the Readme's also outside of the ZIP files it could
> make sense to keep this text part.
> 
> Otherwise I can delete the part and just upload the Readme's.
> 
> Marcus
> 
> 

OK, upload this new version of README to be outside the zip. Otherwise,
we need to redo the zips, recompute checksums etc.

Thanks again for re-doing the checksums.

> 
>>> [1] The files are not well formatted for the "md5sum" and "sha1sum"
>>> commands. They need the following format:
>>>
>>> 
>>>
>>> [2] The Readmes for Linux 32-bit and 64-bit are the same. I've just
>>> attached the one for 32-bit.
>>>
>>> Marcus
>>>
>>>
>>>
>>> Am 08/12/2016 06:21 PM, schrieb Kay Schenk:
>>>> On Thu, Aug 11, 2016 at 3:27 PM, Marcus<marcus.m...@wtnet.de>   wrote:
>>>>
>>>>> Am 08/11/2016 09:50 PM, schrieb Kay sch...@apache.org:
>>>>>
>>>>>>
>>>>>> On 08/09/2016 02:12 PM, Kay Schenk wrote:
>>>>>>
>>>>>>> [top posting]
>>>>>>> I'm in the process of trying to "sync" instructions for Linux32,
>>>>>>> Linux64, and MacOSX at the moment. As far as instructions on the
>>>>>>> actual
>>>>>>> HOTFIX page, we need to have just a "general" instruction for ALL
>>>>>>> zips
>>>>>>> that simply says -- "Unzip this package to some folder of your
>>>>>>> choosing
>>>>>>> and read the README that's included." Everything else should be
>>>>>>> in the
>>>>>>> various READMEs for each platform.
>>>>>>>
>>>>>>> I should be done with all edits by this evening for a final review
>>>>>>> before zipping and signing.
>>>>>>>
>>>>>>
>>>>>> Ok, I've now moved on to creating zip files, etc for Linux32, Linux64
>>>>>> and Mac.
>>>>>>
>>>>>> My openssl version on does NOT supply digest sha256. Is it OK to use
>>>>>> sha1? MD5 already computed for each of these.
>>>>>>
>>>>>
>>>>> I like to have it consistent for all platforms. Th

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Marcus]

Am 08/12/2016 06:07 AM, schrieb Dennis E. Hamilton:

BETA 0.1.0 WITH AUTOMATED SCRIPTS IS NOW AVAILABLE

The scripts make life much easier, since users don't have to go hunting for 
anything and digging around in operating-system locations.

You should be able to go through the procedure that uses the automated steps 
pretty easily.

It is very important to know the difficulties that arise or whether there were 
none.

The material is available at
<http://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/Windows>.


great to have now a script-based installation. Here is my test procedure 
on Windows 10 Home:


APPLY script:

- When starting the script I get a "... Windows SmartScreen has 
prevented the start of a not recognized app. To run this App, 
Administrator permission is needed ..." message. Doing so, it started 
but showed a message [1] that Administrator permission is needed. I've 
verified that nothing was done or changed.


- When starting with right-clicked "Run as Administrator" the script 
showed some useful information [1], renamed the old file and copied the 
new file.


REVERT script:

- When starting the script I get a "... Windows SmartScreen has 
prevented the start of a not recognized app. To run this App, 
Administrator permission is needed ..." message. Doing so, it started 
but showed a message [1] that Administrator permission is needed. I've 
verified that nothing was done or changed.


- When starting with right-clicked "Run as Administrator" the script 
showed some useful information [1], deleted the new file and renamed the 
old file back to the old name.


At the end both scripts are working successfully.

[1] The command line window where the output information is shown uses a 
*very little* font size (looked like 4pt or similar) and is therefore 
nearyl unreadable. I had to increase the font size in the properties of 
the window (click on the icon in the top left corner).


PS:
However, I've a point that could be improved.

The name of the script files are very long. Same for the Readme. Inside 
the zip'ed file there is no need to repeat the complete patch name 
structure. IMHO they're better recognizable when it's just an 
"Apply.bat", "Revert.bat" and "Readme_Win.txt".




Thanks a lot for providing the script files. This will be a great help 
for the normal users.


If you need more details or tests just tell me.

Marcus




-Original Message-
From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
Sent: Wednesday, August 10, 2016 18:01
To: dev@openoffice.apache.org
Cc: q...@openoffice.apache.org
Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

Beta version 0.1.0 is now nearing completion.

It will include two scripts, one for applying the patch, the other for
reverting the patch.

The .zip will also have a copy of the original 4.1.2 tl.dll as well as
the new one.  These are used in the procedures to verify the files that
are present in the OpenOffice configuration in order to apply the patch
and also to remove it.

Next steps:
  * Additional path testing of the two scripts and verification that
operation on Windows XP and on Windows 10 work as expected.

[orcmid]

Done

It is also much easier to work through the patch checks using the scripts.


  * Updating of the README to reflect the availability of the batch-file
scripts as well as the manual procedure if ever needed.

[orcmid]

Done



  * Although the Zips already carry executable code (i.e., DLLs) there
may be some Antivirus push-back where the policy is to not allow .zip
files with scripts in them.  The README will also have to address that
possibility.

[orcmid]

I forgot that at the last minute.  I will put that into the next version.  
Meanwhile, those who check these procedures should report any AV objections 
they ran into.




  - Dennis


-Original Message-
From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
Sent: Monday, August 8, 2016 09:58
To: dev@openoffice.apache.org
Cc: q...@openoffice.apache.org
Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

Alpha version 0.0.1 of README-4.1.2-patch1-apply-Windows.txt has been
introduced into the files (and the .zip) at
<https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
patch1/binaries/Windows>.

This version reflects suggestions by Marcus Lange, Pedro Lino, and

Keith

McKenna.  Suggestions that are not (yet) implemented will be discussed
in replies to their messages and on the bugzilla issue at
<https://bz.apache.org/ooo/show_bug.cgi?id=127065>.


By its nature, this material is intended for users operating on

Windows.

In some cases, incompatible forms are used on the Subversion server
where the above files are situated.  Version 0.0.1 attempts to
accommodate for this incompatibility.  In continuing to verify the
procedure, please indicate whether there are (now) difficulties using
the te

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Marcus]

Am 08/13/2016 06:24 PM, schrieb Kay Schenk:


On 08/13/2016 07:00 AM, Marcus wrote:

Here are my tests:

Linux 32-bit:

- ZIP file is OK and can be uncompressed
- MD5, SHA1 are OK [1]
- ZIP ASC is OK (signature from Kay Schenk)
- Library ASC is OK (signature from Ariel Constenla-Haile)

Linux 64-bit:

- ZIP file is OK and can be uncompressed
- MD5, SHA1 are OK [1]
- ZIP ASC is OK (signature from Kay Schenk)
- Library ASC is OK (signature from Ariel Constenla-Haile)

Mac OSX:

- ZIP file is OK and can be uncompressed
- MD5, SHA1 are OK [1]
- ZIP ASC is OK (signature from Kay Schenk)
- Library ASC is OK (signature from Ariel Constenla-Haile)

However, after rewriting the files (of course without to modify the hash
values itself) the comparsion was OK.

@Kay:
I've uploaded the sha256 hash files as suggested.


YAY! Good job!

  Do you mind when I

overwrite the other hash files with the ones I've created? Then all have
the same format.


No, go right ahead. With the openssl with digest options, this is how
they got formatted.


OK, done


Furthermore, I've read the Readme's for Linux [2] and Mac. As I didn't
wanted to simply overwrite your work, I've attached the modified
versions. So, you can review them first or I can overwrite them if you
don't mind.


I assumed this part --

"Download the hotfix ZIP file to a location on your PC where it can be
used and its content extracted.

Example:
User Jane downloaded and extracted the hotfix ZIP file from her browser
window and saved it in a folder called "Downloads". The full path is:

/home/jane/Downloads"

would be on the hotfix page itself so not needed as part of the actual
instructions. The rest of the changes look fine.


OK, but when we keep the Readme's also outside of the ZIP files it could 
make sense to keep this text part.


Otherwise I can delete the part and just upload the Readme's.

Marcus




[1] The files are not well formatted for the "md5sum" and "sha1sum"
commands. They need the following format:



[2] The Readmes for Linux 32-bit and 64-bit are the same. I've just
attached the one for 32-bit.

Marcus



Am 08/12/2016 06:21 PM, schrieb Kay Schenk:

On Thu, Aug 11, 2016 at 3:27 PM, Marcus<marcus.m...@wtnet.de>   wrote:


Am 08/11/2016 09:50 PM, schrieb Kay sch...@apache.org:



On 08/09/2016 02:12 PM, Kay Schenk wrote:


[top posting]
I'm in the process of trying to "sync" instructions for Linux32,
Linux64, and MacOSX at the moment. As far as instructions on the
actual
HOTFIX page, we need to have just a "general" instruction for ALL zips
that simply says -- "Unzip this package to some folder of your
choosing
and read the README that's included." Everything else should be in the
various READMEs for each platform.

I should be done with all edits by this evening for a final review
before zipping and signing.



Ok, I've now moved on to creating zip files, etc for Linux32, Linux64
and Mac.

My openssl version on does NOT supply digest sha256. Is it OK to use
sha1? MD5 already computed for each of these.



I like to have it consistent for all platforms. Therefore I'll check the
ZIPs and deliver the sha256 hash files.

Marcus



​Thanks a bunch Marcus!
​







On 08/05/2016 09:28 AM, Dennis E. Hamilton wrote:



Branching off the part that is not about the Windows 4.1.2-patch1
[TESTING].

-Original Message-

From: Marcus [mailto:marcus.m...@wtnet.de]
Sent: Thursday, August 4, 2016 15:52
To: dev@openoffice.apache.org
Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

Am 08/05/2016 12:26 AM, schrieb Kay Schenk:


[ ... ]




hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.

Should we get started on these?



it depends what we want that they should contain. The ZIP file for
Windows contains a LICENSE and NOTICE file as well as an ASC file
for
the DLL. As it is only a patch IMHO we don't need to provide another
LICENSE and NOTICE file which is already available in the OpenOffice
installation. Also the ASC is not necessary as we provide it already
(together with MD5 and SHA256) for the whole ZIP file.


[orcmid]

I think there is a misunderstanding.  Two matters:

1. The use of LICENSE is required by the ALv2 itself, and the ASF
practice is to include NOTICE as well on binary distributions.
The patch
qualifies, especially when it is moved to general distribution.
It is also
easy and harmless to provide.

2. The reason for preserving the .asc on the shared-library
binary is
because it authenticates with respect to who produced it and
establishes
that it has not been modified as supplied in the package (or as
the result
of some glitch in creation of the Zip).  It provides a level of
accountability and, also, auditability.

Even though few people will check all of these, they remain
possible to
be checked.  Since this is a matter of security vulnerabilities and
involves elevation of privilege to perform, I believe it i

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Kay Schenk]

On 08/13/2016 07:00 AM, Marcus wrote:
> Here are my tests:
> 
> Linux 32-bit:
> 
> - ZIP file is OK and can be uncompressed
> - MD5, SHA1 are OK [1]
> - ZIP ASC is OK (signature from Kay Schenk)
> - Library ASC is OK (signature from Ariel Constenla-Haile)
> 
> Linux 64-bit:
> 
> - ZIP file is OK and can be uncompressed
> - MD5, SHA1 are OK [1]
> - ZIP ASC is OK (signature from Kay Schenk)
> - Library ASC is OK (signature from Ariel Constenla-Haile)
> 
> Mac OSX:
> 
> - ZIP file is OK and can be uncompressed
> - MD5, SHA1 are OK [1]
> - ZIP ASC is OK (signature from Kay Schenk)
> - Library ASC is OK (signature from Ariel Constenla-Haile)
> 
> However, after rewriting the files (of course without to modify the hash
> values itself) the comparsion was OK.
> 
> @Kay:
> I've uploaded the sha256 hash files as suggested.

YAY! Good job!

 Do you mind when I
> overwrite the other hash files with the ones I've created? Then all have
> the same format.

No, go right ahead. With the openssl with digest options, this is how
they got formatted.

> 
> Furthermore, I've read the Readme's for Linux [2] and Mac. As I didn't
> wanted to simply overwrite your work, I've attached the modified
> versions. So, you can review them first or I can overwrite them if you
> don't mind.

I assumed this part --

"Download the hotfix ZIP file to a location on your PC where it can be
used and its content extracted.

Example:
User Jane downloaded and extracted the hotfix ZIP file from her browser
window and saved it in a folder called "Downloads". The full path is:

/home/jane/Downloads"

would be on the hotfix page itself so not needed as part of the actual
instructions. The rest of the changes look fine.




> 
> [1] The files are not well formatted for the "md5sum" and "sha1sum"
> commands. They need the following format:
> 
> 
> 
> [2] The Readmes for Linux 32-bit and 64-bit are the same. I've just
> attached the one for 32-bit.
> 
> Marcus
> 
> 
> 
> Am 08/12/2016 06:21 PM, schrieb Kay Schenk:
>> On Thu, Aug 11, 2016 at 3:27 PM, Marcus<marcus.m...@wtnet.de>  wrote:
>>
>>> Am 08/11/2016 09:50 PM, schrieb Kay sch...@apache.org:
>>>
>>>>
>>>> On 08/09/2016 02:12 PM, Kay Schenk wrote:
>>>>
>>>>> [top posting]
>>>>> I'm in the process of trying to "sync" instructions for Linux32,
>>>>> Linux64, and MacOSX at the moment. As far as instructions on the
>>>>> actual
>>>>> HOTFIX page, we need to have just a "general" instruction for ALL zips
>>>>> that simply says -- "Unzip this package to some folder of your
>>>>> choosing
>>>>> and read the README that's included." Everything else should be in the
>>>>> various READMEs for each platform.
>>>>>
>>>>> I should be done with all edits by this evening for a final review
>>>>> before zipping and signing.
>>>>>
>>>>
>>>> Ok, I've now moved on to creating zip files, etc for Linux32, Linux64
>>>> and Mac.
>>>>
>>>> My openssl version on does NOT supply digest sha256. Is it OK to use
>>>> sha1? MD5 already computed for each of these.
>>>>
>>>
>>> I like to have it consistent for all platforms. Therefore I'll check the
>>> ZIPs and deliver the sha256 hash files.
>>>
>>> Marcus
>>
>>
>> ​Thanks a bunch Marcus!
>> ​
>>
>>
>>>
>>>
>>>
>>>
>>> On 08/05/2016 09:28 AM, Dennis E. Hamilton wrote:
>>>>>
>>>>>> Branching off the part that is not about the Windows 4.1.2-patch1
>>>>>> [TESTING].
>>>>>>
>>>>>> -Original Message-
>>>>>>> From: Marcus [mailto:marcus.m...@wtnet.de]
>>>>>>> Sent: Thursday, August 4, 2016 15:52
>>>>>>> To: dev@openoffice.apache.org
>>>>>>> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
>>>>>>>
>>>>>>> Am 08/05/2016 12:26 AM, schrieb Kay Schenk:
>>>>>>>
>>>>>> [ ... ]
>>>>>>
>>>>>>>
>>>>>>>> hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.
>>>>>>>>
>>>>>>>> Should we get started on these?
>>>>>>>>
>>>>>>>
>>>>>>> it depends what we want t

RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Dennis E. Hamilton]

> -Original Message-
> From: Keith N. McKenna [mailto:keith.mcke...@comcast.net]
> Sent: Friday, August 12, 2016 13:49
> To: q...@openoffice.apache.org; dev@openoffice.apache.org
> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
> Attached is a text file with the tests that I ran and the results of
> each. The only problem encountered was in verifying tl.dll.new with the
> .asc signature file. This was due to the web of trust issue discussed
> earlier in this thread.Patricia's signature had not been certified by
> anyone. One I elevated the Owner Trust level and certified it the
> verification passed.
> 
> I will finish reviewing the latest documentation and send any comments
> or suggested changes under separate cover.
> 
> Regards
> Keith
[orcmid] 

Thanks Keith.  The copy-paste error in the APPLY :FAIL3 message will be fixed.  
Thanks for being so attentive and meticulous.  Your test log is wonderful.

 I'm gratified that the Administrator Permissions pain has been alleviated on 
both admin and standard Windows 7 accounts.

I look forward to anything else you come up with.  I anticipate that we can go 
to 1.0.0 for the next round and make general availability next week.

 - Dennis
> 
> 
> Dennis E. Hamilton wrote:
> 
> 
>   BETA 0.1.0 WITH AUTOMATED SCRIPTS IS NOW AVAILABLE
> 
>   The scripts make life much easier, since users don't have to go
> hunting for anything and digging around in operating-system locations.
> 
>   You should be able to go through the procedure that uses the
> automated steps pretty easily.
> 
>   It is very important to know the difficulties that arise or whether
> there were none.
> 
>   The material is available at
>   <http://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
> patch1/binaries/Windows>
> <http://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
> patch1/binaries/Windows> .
> 
>- Dennis
[ ... ]



-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Don Lewis]

On 12 Aug, Dennis E. Hamilton wrote:
> 
> 
>> -Original Message-
>> From: Don Lewis [mailto:truck...@apache.org]
>> Sent: Thursday, August 11, 2016 14:41
>> To: dev@openoffice.apache.org; ksch...@apache.org
>> Subject: Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING]
>> Applying openoffice-4.1.2-patch1 for Windows)
>> 
>> On 11 Aug, Kay sch...@apache.org wrote:
>> >
>> >
>> > On 08/11/2016 12:50 PM, Kay sch...@apache.org wrote:
>> >>
>> >>
>> >> On 08/09/2016 02:12 PM, Kay Schenk wrote:
>> >>> [top posting]
>> >>> I'm in the process of trying to "sync" instructions for Linux32,
>> >>> Linux64, and MacOSX at the moment. As far as instructions on the
>> >>> actual HOTFIX page, we need to have just a "general" instruction
>> >>> for ALL zips that simply says -- "Unzip this package to some
>> >>> folder of your choosing and read the README that's included."
>> >>> Everything else should be in the various READMEs for each
>> >>> platform.
>> >>>
>> >>> I should be done with all edits by this evening for a final
>> >>> review before zipping and signing.
>> >>
>> >> Ok, I've now moved on to creating zip files, etc for Linux32,
>> >> Linux64 and Mac.
>> >>
>> >> My openssl version on does NOT supply digest sha256. Is it OK to
>> >> use sha1? MD5 already computed for each of these.
>> >
>> > sha1 is referenced on the ASF code signing page so I decided it was
>> OK. :)
>> 
>> I'm really surprised that ASF requires MD5 since it was broken long
>> ago. Even SHA1 is now regarded as a weak hash.
> [orcmid] 
> 
> I think it depends on shrinking the attack surface and also what the
> MD5 is being used for.  In the present case, it is extremely difficult
> to construct a Zip that has different usable content and the same
> hash.  It would require adding extra content until the correct hash is
> duplicated despite alteration of the key payload, and that should
> become rather evident.  I think the main reason for keeping it is that
> checking the MD5 is still more widely available to users.  It may not
> be foolproof but it is better than not.
> 
> And yes, collisions are possible and can be manufactured, but having
> one that accomplishes something can be rather tricky.  The
> proofs-of-concept involve alterations that aren't visible and won't be
> noticed.  Somebody will notice and it is not clear that the possible
> benefit is worth the effort to pull it off, especially against the
> risk of discovery.
> 
> Hmm, one thing we could do is add the length of the zip in the README.
>  (It takes a little work, but can be done, even when the (signed)
> README is inside the Zip.  That's another nice reason for having the
> signed README also available for independent download outside of the
> Zip and only downloadable from the ASF archive site, along with the
> different hashes and the package's signature.

Adding the length definitely raises the bar.  When downloading
third-party source tarballs to build FreeBSD packages, both the hash and
file size are checked.  Even so, FreeBSD has switched from md5, to sha1,
and now sha256 for the hash.


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Keith N. McKenna]

  
  
Attached is a text file with the
  tests that I ran and the results of each. The only problem
  encountered was in verifying tl.dll.new with the .asc signature
  file. This was due to the web of trust issue discussed earlier in
  this thread.Patricia's signature had not been certified by anyone.
  One I elevated the Owner Trust level and certified it the
  verification passed.
  
  I will finish reviewing the latest documentation and send any
  comments or suggested changes under separate cover.
  
  Regards
  Keith 

Dennis E. Hamilton wrote:


  BETA 0.1.0 WITH AUTOMATED SCRIPTS IS NOW AVAILABLE

The scripts make life much easier, since users don't have to go hunting for anything and digging around in operating-system locations.

You should be able to go through the procedure that uses the automated steps pretty easily.

It is very important to know the difficulties that arise or whether there were none.

The material is available at 
.

 - Dennis




  
-Original Message-
From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
Sent: Wednesday, August 10, 2016 18:01
To: dev@openoffice.apache.org
Cc: q...@openoffice.apache.org
Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

Beta version 0.1.0 is now nearing completion.

It will include two scripts, one for applying the patch, the other for
reverting the patch.

The .zip will also have a copy of the original 4.1.2 tl.dll as well as
the new one.  These are used in the procedures to verify the files that
are present in the OpenOffice configuration in order to apply the patch
and also to remove it.

Next steps:
 * Additional path testing of the two scripts and verification that
operation on Windows XP and on Windows 10 work as expected.

  
  [orcmid] 

Done
 
It is also much easier to work through the patch checks using the scripts.

  

 * Updating of the README to reflect the availability of the batch-file
scripts as well as the manual procedure if ever needed.

  
  [orcmid] 

Done


  

 * Although the Zips already carry executable code (i.e., DLLs) there
may be some Antivirus push-back where the policy is to not allow .zip
files with scripts in them.  The README will also have to address that
possibility.

  
  [orcmid] 

I forgot that at the last minute.  I will put that into the next version.  Meanwhile, those who check these procedures should report any AV objections they ran into.



  

 - Dennis



  -Original Message-
From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
Sent: Monday, August 8, 2016 09:58
To: dev@openoffice.apache.org
Cc: q...@openoffice.apache.org
Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

Alpha version 0.0.1 of README-4.1.2-patch1-apply-Windows.txt has been
introduced into the files (and the .zip) at
.

This version reflects suggestions by Marcus Lange, Pedro Lino, and


Keith


  McKenna.  Suggestions that are not (yet) implemented will be discussed
in replies to their messages and on the bugzilla issue at
.


By its nature, this material is intended for users operating on


Windows.


  In some cases, incompatible forms are used on the Subversion server
where the above files are situated.  Version 0.0.1 attempts to
accommodate for this incompatibility.  In continuing to verify the
procedure, please indicate whether there are (now) difficulties using
the text files, especially on Windows.

Users of Linux systems may have difficulties with some utilities for
which the Windows versions of the same tool (e.g., md5sum) do not
produce Linux-acceptable line endings.  It is useful to know if that


is


  still the case.  The files have been confirmed to be usable using the
utilities built for use on Windows.

For future versions, the use of HTML instead of text will be


considered.


  HTML does not have white-space incompatibility problems across


different


  platforms. The HTML will also be digitally-signed as a means of
verifying its authenticity.

In addition to possibly using HTML as a better form for cross-platform
use of text, attention will now move toward introducing scripts that
automatically apply the change, replacing all of steps 9-18.

Meanwhile, it is valuable to continue testing that the replacement


file


  produces no regression or introduction of any defects not seen using


an


  unmodified Apache OpenOffice 4.1.2.

 - Dennis



  
-Original Message-
From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
Sent: Tuesday, August 2, 2016 20:31
To: dev@openoffice.apache.org
Cc: q...@openoffice.apache.org
Subject: [TESTING

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Marcus]

Am 08/12/2016 10:01 PM, schrieb Patricia Shanahan:

On 8/12/2016 12:22 PM, Dennis E. Hamilton wrote:
...

[Anecdotal Side Note: I just discovered that the MD5 hash for the
4.1.2 Windows .exe fails to check on my Windows system because of a
defect in the .md5 file. For reasons unknown, the md5sum tool that I
have requires exactly two spaces between the hash value and the name
of the file the hash is for. Once I fiddled around and added the
second space, it all checks. What is intriguing to me is that this
has not been reported by anyone, which is perhaps of greater concern
than the fact that MD5 is used [;<].


I may have encountered this problem, but just attributed it to my lack
of familiarity with the tools. I had no problem using md5sum to compute
the hash, and it matched the one in the file.


Just to document this also:
I haven't noticed this problwm because I've taken the hash values from 
the MD5 and SHA246 files and put it into the little program I have 
found. Then it compared it with the computed onces from the tl.dll file.


Marcus


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Patricia Shanahan]

On 8/12/2016 12:22 PM, Dennis E. Hamilton wrote:
...

[Anecdotal Side Note: I just discovered that the MD5 hash for the
4.1.2 Windows .exe fails to check on my Windows system because of a
defect in the .md5 file.  For reasons unknown, the md5sum tool that I
have requires exactly two spaces between the hash value and the name
of the file the hash is for.  Once I fiddled around and added the
second space, it all checks.  What is intriguing to me is that this
has not been reported by anyone, which is perhaps of greater concern
than the fact that MD5 is used [;<].


I may have encountered this problem, but just attributed it to my lack
of familiarity with the tools. I had no problem using md5sum to compute
the hash, and it matched the one in the file.

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Dennis E. Hamilton]

> -Original Message-
> From: Keith N. McKenna [mailto:keith.mcke...@comcast.net]
> Sent: Wednesday, August 3, 2016 12:47
> To: dev@openoffice.apache.org
> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
> Replies in line
> 
> Dennis E. Hamilton wrote:
> > Testing of an Apache OpenOffice 4.1.2-patch1 procedure is requested.
> >
> > The files to be used in testing are at
> > <https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/Windows>.
> >
[ ... ]
> [knmc]
> performed the procedure successfully on Windows 7 home premium 64 bit
> using an administrator account.
> Also performed the procedure successfully on the same system using an
> standard user account. This was however tedious as most of the steps to
> apply the patched .dll required entering the administrator password.
> 
> > * [IMPORTANT] Identify any missing, incomplete or confusing
> > information in the README.  Describe what you see as important
> > improvements before making general release of the procedure for use
> > by non-expert users of Apache OpenOffice on Windows.
> >
> [knmc]
> In section 10 of the procedure section the line "Open the folder
> selected in step (7)" should read "Open the folder selected in step (8)"
> 
> On the whole I found the README difficult to follow with information out
> of sequence and extraneous information such as not accepting help from
> unsolicited phone calls. Not bad information, just out of place in a
> process document. Now that I have some available time I will get out my
> "blue pencil" and mark-up the document.
> 
> One improvement for the average user would be to automate the process
> with a .bat file that could find the proper folders and do the copy and
> rename procedures.
[orcmid] 

There are now .bat files for automated application and reversal of the patch.  
It will be valuable to know how well those work better on Windows 7 now, and 
especially on the standard user account.

The editing of the README is also intended to alleviate some of your other 
concerns.

It is valuable to know whether this is now good enough from your experienced 
perspective.

 - Dennis
> 
> > The goal is to provide as much as we can to assist Windows users in
> > applying this fix with confidence and success.  The experience of
> > more-knowledgable users who appreciate the difficulties of
> > non-experts is important in achieving that.
> >
> > Thank you for any effort you invest and the feedback you provide.
> >
> > - Dennis
> >
> >
> >
> >
> >
> >
> > -- Dennis E. Hamilton orc...@apache.org dennis.hamil...@acm.org
> > +1-206-779-9430 https://keybase.io/orcmid  PGP F96E 89FF D456 628A
> > X.509 certs used and requested for signed e-mail
> >
> 
> 
> 



-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Dennis E. Hamilton]

BETA 0.1.0 WITH AUTOMATED SCRIPTS IS NOW AVAILABLE

The scripts make life much easier, since users don't have to go hunting for 
anything and digging around in operating-system locations.

You should be able to go through the procedure that uses the automated steps 
pretty easily.

It is very important to know the difficulties that arise or whether there were 
none.

The material is available at 
<http://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/Windows>.

 - Dennis



> -Original Message-
> From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
> Sent: Wednesday, August 10, 2016 18:01
> To: dev@openoffice.apache.org
> Cc: q...@openoffice.apache.org
> Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
> Beta version 0.1.0 is now nearing completion.
> 
> It will include two scripts, one for applying the patch, the other for
> reverting the patch.
> 
> The .zip will also have a copy of the original 4.1.2 tl.dll as well as
> the new one.  These are used in the procedures to verify the files that
> are present in the OpenOffice configuration in order to apply the patch
> and also to remove it.
> 
> Next steps:
>  * Additional path testing of the two scripts and verification that
> operation on Windows XP and on Windows 10 work as expected.
[orcmid] 

Done
 
It is also much easier to work through the patch checks using the scripts.
> 
>  * Updating of the README to reflect the availability of the batch-file
> scripts as well as the manual procedure if ever needed.
[orcmid] 

Done

> 
>  * Although the Zips already carry executable code (i.e., DLLs) there
> may be some Antivirus push-back where the policy is to not allow .zip
> files with scripts in them.  The README will also have to address that
> possibility.
[orcmid] 

I forgot that at the last minute.  I will put that into the next version.  
Meanwhile, those who check these procedures should report any AV objections 
they ran into.


> 
>  - Dennis
> 
> > -Original Message-
> > From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
> > Sent: Monday, August 8, 2016 09:58
> > To: dev@openoffice.apache.org
> > Cc: q...@openoffice.apache.org
> > Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> >
> > Alpha version 0.0.1 of README-4.1.2-patch1-apply-Windows.txt has been
> > introduced into the files (and the .zip) at
> > <https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
> > patch1/binaries/Windows>.
> >
> > This version reflects suggestions by Marcus Lange, Pedro Lino, and
> Keith
> > McKenna.  Suggestions that are not (yet) implemented will be discussed
> > in replies to their messages and on the bugzilla issue at
> > <https://bz.apache.org/ooo/show_bug.cgi?id=127065>.
> >
> >
> > By its nature, this material is intended for users operating on
> Windows.
> > In some cases, incompatible forms are used on the Subversion server
> > where the above files are situated.  Version 0.0.1 attempts to
> > accommodate for this incompatibility.  In continuing to verify the
> > procedure, please indicate whether there are (now) difficulties using
> > the text files, especially on Windows.
> >
> > Users of Linux systems may have difficulties with some utilities for
> > which the Windows versions of the same tool (e.g., md5sum) do not
> > produce Linux-acceptable line endings.  It is useful to know if that
> is
> > still the case.  The files have been confirmed to be usable using the
> > utilities built for use on Windows.
> >
> > For future versions, the use of HTML instead of text will be
> considered.
> > HTML does not have white-space incompatibility problems across
> different
> > platforms. The HTML will also be digitally-signed as a means of
> > verifying its authenticity.
> >
> > In addition to possibly using HTML as a better form for cross-platform
> > use of text, attention will now move toward introducing scripts that
> > automatically apply the change, replacing all of steps 9-18.
> >
> > Meanwhile, it is valuable to continue testing that the replacement
> file
> > produces no regression or introduction of any defects not seen using
> an
> > unmodified Apache OpenOffice 4.1.2.
> >
> >  - Dennis
> >
> >
> > > -Original Message-
> > > From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
> > > Sent: Tuesday, August 2, 2016 20:31
> > > To: dev@openoffice.apache.org
> > > Cc: q...@openoffice.apache.org
> > > Subject: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> > >
> > 

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Marcus]

Am 08/11/2016 09:50 PM, schrieb Kay sch...@apache.org:


On 08/09/2016 02:12 PM, Kay Schenk wrote:

[top posting]
I'm in the process of trying to "sync" instructions for Linux32,
Linux64, and MacOSX at the moment. As far as instructions on the actual
HOTFIX page, we need to have just a "general" instruction for ALL zips
that simply says -- "Unzip this package to some folder of your choosing
and read the README that's included." Everything else should be in the
various READMEs for each platform.

I should be done with all edits by this evening for a final review
before zipping and signing.


Ok, I've now moved on to creating zip files, etc for Linux32, Linux64
and Mac.

My openssl version on does NOT supply digest sha256. Is it OK to use
sha1? MD5 already computed for each of these.


I like to have it consistent for all platforms. Therefore I'll check the 
ZIPs and deliver the sha256 hash files.


Marcus




On 08/05/2016 09:28 AM, Dennis E. Hamilton wrote:

Branching off the part that is not about the Windows 4.1.2-patch1 [TESTING].


-Original Message-
From: Marcus [mailto:marcus.m...@wtnet.de]
Sent: Thursday, August 4, 2016 15:52
To: dev@openoffice.apache.org
Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

Am 08/05/2016 12:26 AM, schrieb Kay Schenk:

[ ... ]


hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.

Should we get started on these?


it depends what we want that they should contain. The ZIP file for
Windows contains a LICENSE and NOTICE file as well as an ASC file for
the DLL. As it is only a patch IMHO we don't need to provide another
LICENSE and NOTICE file which is already available in the OpenOffice
installation. Also the ASC is not necessary as we provide it already
(together with MD5 and SHA256) for the whole ZIP file.

[orcmid]

I think there is a misunderstanding.  Two matters:

  1. The use of LICENSE is required by the ALv2 itself, and the ASF practice is 
to include NOTICE as well on binary distributions.  The patch qualifies, 
especially when it is moved to general distribution.  It is also easy and 
harmless to provide.

  2. The reason for preserving the .asc on the shared-library binary is because 
it authenticates with respect to who produced it and establishes that it has 
not been modified as supplied in the package (or as the result of some glitch 
in creation of the Zip).  It provides a level of accountability and, also, 
auditability.

Even though few people will check all of these, they remain possible to be 
checked.  Since this is a matter of security vulnerabilities and involves 
elevation of privilege to perform, I believe it is important to demonstrate 
diligence and care, so that users have confidence in this procedure to the 
extent they are comfortable.  Also, if it becomes necessary to troubleshoot a 
problem with these patch applications, we have the means to authenticate what 
they are using to ensure there are no counterfeits being offered to users.


That means that only the README and library file remains.

When the README for Windows keep its length then I don't want to copy
this on the dowload webpage. ;-)

So, when we put the README for all platforms in their ZIP files then we
can just put a pointer to it on the download webpage and thats it.

[orcmid]

Yes, that seems like a fine idea.  The README can be linked the same way the 
.md5, .sha256, and .asc are linked.

Also, the README may become simpler if we can link to some of the information 
and not have so much detail in the README text itself.  It might even be useful 
to have an .html README for that matter.  But that is all extra.  Right now I 
think we want to get into the testing and see how to smooth what we have.

PS: A friend of mine is looking into the MacOSX situation.  He points out that 
one can use the Finder to do the job without users having to use Terminal 
sessions.  I don't have further information at this time.

PPS: The inclusion of scripts that do the job is also worthy of consideration, 
perhaps making it unnecessary to build executables.  I will be looking at 
finding a .bat file that works safely for the Windows case.  That can make the 
instructions much shorter :).



To cut a long story short:
I would say yes for a ZIP file for every platform.

[ ... ]


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Don Lewis]

On 11 Aug, Kay sch...@apache.org wrote:
> 
> 
> On 08/11/2016 12:50 PM, Kay sch...@apache.org wrote:
>> 
>> 
>> On 08/09/2016 02:12 PM, Kay Schenk wrote:
>>> [top posting]
>>> I'm in the process of trying to "sync" instructions for Linux32,
>>> Linux64, and MacOSX at the moment. As far as instructions on the
>>> actual HOTFIX page, we need to have just a "general" instruction for
>>> ALL zips that simply says -- "Unzip this package to some folder of
>>> your choosing and read the README that's included." Everything else
>>> should be in the various READMEs for each platform.
>>>
>>> I should be done with all edits by this evening for a final review
>>> before zipping and signing.
>> 
>> Ok, I've now moved on to creating zip files, etc for Linux32, Linux64
>> and Mac.
>> 
>> My openssl version on does NOT supply digest sha256. Is it OK to use
>> sha1? MD5 already computed for each of these.
> 
> sha1 is referenced on the ASF code signing page so I decided it was OK. :)

I'm really surprised that ASF requires MD5 since it was broken long ago.
Even SHA1 is now regarded as a weak hash.


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Andrea Pescetti]

Kay Schenk wrote:

My openssl version on does NOT supply digest sha256. Is it OK to use
sha1? MD5 already computed for each of these.


Guidelines recommend SHA256. But it should not be difficult for you to 
get a sha256sum binary or a generic shasum binary to run as "shasum 
-a256 FILENAME".


Regards,
  Andrea.

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Kay sch...@apache.org]

On 08/11/2016 12:50 PM, Kay sch...@apache.org wrote:
> 
> 
> On 08/09/2016 02:12 PM, Kay Schenk wrote:
>> [top posting]
>> I'm in the process of trying to "sync" instructions for Linux32,
>> Linux64, and MacOSX at the moment. As far as instructions on the actual
>> HOTFIX page, we need to have just a "general" instruction for ALL zips
>> that simply says -- "Unzip this package to some folder of your choosing
>> and read the README that's included." Everything else should be in the
>> various READMEs for each platform.
>>
>> I should be done with all edits by this evening for a final review
>> before zipping and signing.
> 
> Ok, I've now moved on to creating zip files, etc for Linux32, Linux64
> and Mac.
> 
> My openssl version on does NOT supply digest sha256. Is it OK to use
> sha1? MD5 already computed for each of these.

sha1 is referenced on the ASF code signing page so I decided it was OK. :)

So I think I'm done with the Linux32, Linux64, and MacOSX zip artifacts.
Please check at:

https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/

If anything's amiss, it's likely I can't get back to this until Sunday.
Or feel free to fix.

> 
>>
>> On 08/05/2016 09:28 AM, Dennis E. Hamilton wrote:
>>> Branching off the part that is not about the Windows 4.1.2-patch1 [TESTING].
>>>
>>>> -Original Message-
>>>> From: Marcus [mailto:marcus.m...@wtnet.de]
>>>> Sent: Thursday, August 4, 2016 15:52
>>>> To: dev@openoffice.apache.org
>>>> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
>>>>
>>>> Am 08/05/2016 12:26 AM, schrieb Kay Schenk:
>>> [ ... ]
>>>>>
>>>>> hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.
>>>>>
>>>>> Should we get started on these?
>>>>
>>>> it depends what we want that they should contain. The ZIP file for
>>>> Windows contains a LICENSE and NOTICE file as well as an ASC file for
>>>> the DLL. As it is only a patch IMHO we don't need to provide another
>>>> LICENSE and NOTICE file which is already available in the OpenOffice
>>>> installation. Also the ASC is not necessary as we provide it already
>>>> (together with MD5 and SHA256) for the whole ZIP file.
>>> [orcmid] 
>>>
>>> I think there is a misunderstanding.  Two matters:
>>>
>>>  1. The use of LICENSE is required by the ALv2 itself, and the ASF practice 
>>> is to include NOTICE as well on binary distributions.  The patch qualifies, 
>>> especially when it is moved to general distribution.  It is also easy and 
>>> harmless to provide.
>>>
>>>  2. The reason for preserving the .asc on the shared-library binary is 
>>> because it authenticates with respect to who produced it and establishes 
>>> that it has not been modified as supplied in the package (or as the result 
>>> of some glitch in creation of the Zip).  It provides a level of 
>>> accountability and, also, auditability.
>>>
>>> Even though few people will check all of these, they remain possible to be 
>>> checked.  Since this is a matter of security vulnerabilities and involves 
>>> elevation of privilege to perform, I believe it is important to demonstrate 
>>> diligence and care, so that users have confidence in this procedure to the 
>>> extent they are comfortable.  Also, if it becomes necessary to troubleshoot 
>>> a problem with these patch applications, we have the means to authenticate 
>>> what they are using to ensure there are no counterfeits being offered to 
>>> users.
>>>>
>>>> That means that only the README and library file remains.
>>>>
>>>> When the README for Windows keep its length then I don't want to copy
>>>> this on the dowload webpage. ;-)
>>>>
>>>> So, when we put the README for all platforms in their ZIP files then we
>>>> can just put a pointer to it on the download webpage and thats it.
>>> [orcmid] 
>>>
>>> Yes, that seems like a fine idea.  The README can be linked the same way 
>>> the .md5, .sha256, and .asc are linked.
>>>
>>> Also, the README may become simpler if we can link to some of the 
>>> information and not have so much detail in the README text itself.  It 
>>> might even be useful to have an .html README for that matter.  But that is 
>>> all extra.  Right now I think we want to get into the testing and see how 
&g

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Kay sch...@apache.org]

On 08/09/2016 02:12 PM, Kay Schenk wrote:
> [top posting]
> I'm in the process of trying to "sync" instructions for Linux32,
> Linux64, and MacOSX at the moment. As far as instructions on the actual
> HOTFIX page, we need to have just a "general" instruction for ALL zips
> that simply says -- "Unzip this package to some folder of your choosing
> and read the README that's included." Everything else should be in the
> various READMEs for each platform.
> 
> I should be done with all edits by this evening for a final review
> before zipping and signing.

Ok, I've now moved on to creating zip files, etc for Linux32, Linux64
and Mac.

My openssl version on does NOT supply digest sha256. Is it OK to use
sha1? MD5 already computed for each of these.

> 
> On 08/05/2016 09:28 AM, Dennis E. Hamilton wrote:
>> Branching off the part that is not about the Windows 4.1.2-patch1 [TESTING].
>>
>>> -Original Message-
>>> From: Marcus [mailto:marcus.m...@wtnet.de]
>>> Sent: Thursday, August 4, 2016 15:52
>>> To: dev@openoffice.apache.org
>>> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
>>>
>>> Am 08/05/2016 12:26 AM, schrieb Kay Schenk:
>> [ ... ]
>>>>
>>>> hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.
>>>>
>>>> Should we get started on these?
>>>
>>> it depends what we want that they should contain. The ZIP file for
>>> Windows contains a LICENSE and NOTICE file as well as an ASC file for
>>> the DLL. As it is only a patch IMHO we don't need to provide another
>>> LICENSE and NOTICE file which is already available in the OpenOffice
>>> installation. Also the ASC is not necessary as we provide it already
>>> (together with MD5 and SHA256) for the whole ZIP file.
>> [orcmid] 
>>
>> I think there is a misunderstanding.  Two matters:
>>
>>  1. The use of LICENSE is required by the ALv2 itself, and the ASF practice 
>> is to include NOTICE as well on binary distributions.  The patch qualifies, 
>> especially when it is moved to general distribution.  It is also easy and 
>> harmless to provide.
>>
>>  2. The reason for preserving the .asc on the shared-library binary is 
>> because it authenticates with respect to who produced it and establishes 
>> that it has not been modified as supplied in the package (or as the result 
>> of some glitch in creation of the Zip).  It provides a level of 
>> accountability and, also, auditability.
>>
>> Even though few people will check all of these, they remain possible to be 
>> checked.  Since this is a matter of security vulnerabilities and involves 
>> elevation of privilege to perform, I believe it is important to demonstrate 
>> diligence and care, so that users have confidence in this procedure to the 
>> extent they are comfortable.  Also, if it becomes necessary to troubleshoot 
>> a problem with these patch applications, we have the means to authenticate 
>> what they are using to ensure there are no counterfeits being offered to 
>> users.
>>>
>>> That means that only the README and library file remains.
>>>
>>> When the README for Windows keep its length then I don't want to copy
>>> this on the dowload webpage. ;-)
>>>
>>> So, when we put the README for all platforms in their ZIP files then we
>>> can just put a pointer to it on the download webpage and thats it.
>> [orcmid] 
>>
>> Yes, that seems like a fine idea.  The README can be linked the same way the 
>> .md5, .sha256, and .asc are linked.
>>
>> Also, the README may become simpler if we can link to some of the 
>> information and not have so much detail in the README text itself.  It might 
>> even be useful to have an .html README for that matter.  But that is all 
>> extra.  Right now I think we want to get into the testing and see how to 
>> smooth what we have.
>>
>> PS: A friend of mine is looking into the MacOSX situation.  He points out 
>> that one can use the Finder to do the job without users having to use 
>> Terminal sessions.  I don't have further information at this time.
>>
>> PPS: The inclusion of scripts that do the job is also worthy of 
>> consideration, perhaps making it unnecessary to build executables.  I will 
>> be looking at finding a .bat file that works safely for the Windows case.  
>> That can make the instructions much shorter :).
>>
>>>
>>> To cut a long story short:
>>> I would say yes for a ZIP file for every platform.
>> [ ... ]
>>
>>
>> -
>> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
>> For additional commands, e-mail: dev-h...@openoffice.apache.org
>>
> 

-- 
Kay Schenk
Apache OpenOffice


"Things work out best for those who make
 the best of the way things work out."
 -- John Wooden

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Marcus]

Am 08/10/2016 05:03 AM, schrieb Dennis E. Hamilton:



-Original Message-
From: Marcus [mailto:marcus.m...@wtnet.de]
Sent: Tuesday, August 9, 2016 15:26
To: dev@openoffice.apache.org
Subject: Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING]
Applying openoffice-4.1.2-patch1 for Windows)

Am 08/09/2016 11:12 PM, schrieb Kay Schenk:

[top posting]
I'm in the process of trying to "sync" instructions for Linux32,
Linux64, and MacOSX at the moment. As far as instructions on the

actual

HOTFIX page, we need to have just a "general" instruction for ALL zips
that simply says -- "Unzip this package to some folder of your

choosing

and read the README that's included." Everything else should be in the
various READMEs for each platform.


yes, this shortens the webpage a lot.


I should be done with all edits by this evening for a final review
before zipping and signing.


When the ZIP files are ready, I can do the checks for Linux and Windows.

Marcus

[orcmid]

I have a working Windows batch-file script for installing the patch, but I have 
not updated the documentation yet and I need to do tests on Windows XP to make 
certain that the script works there too.

The next update for Windows will be version 0.1.0 and be beta level.

There might be an 0.2.0 if the README is changed from .txt to .html to get 
around line-ending incompatibilities depending on what platform is used for 
what.

Once those clear, we can look at adjustments for 1.0.0 and general release 
after a little regression checking.

I suspect the general will happen on Thursday or Friday.


that fits perfectly for my weekend. I can do tests on Windows 10 and 
also update the documentation - or at least make some suggestions.


Marcus




On 08/05/2016 09:28 AM, Dennis E. Hamilton wrote:

Branching off the part that is not about the Windows 4.1.2-patch1

[TESTING].



-Original Message-
From: Marcus [mailto:marcus.m...@wtnet.de]
Sent: Thursday, August 4, 2016 15:52
To: dev@openoffice.apache.org
Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

Am 08/05/2016 12:26 AM, schrieb Kay Schenk:

[ ... ]


hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.

Should we get started on these?


it depends what we want that they should contain. The ZIP file for
Windows contains a LICENSE and NOTICE file as well as an ASC file

for

the DLL. As it is only a patch IMHO we don't need to provide another
LICENSE and NOTICE file which is already available in the OpenOffice
installation. Also the ASC is not necessary as we provide it already
(together with MD5 and SHA256) for the whole ZIP file.

[orcmid]

I think there is a misunderstanding.  Two matters:

   1. The use of LICENSE is required by the ALv2 itself, and the ASF

practice is to include NOTICE as well on binary distributions.  The
patch qualifies, especially when it is moved to general distribution.
It is also easy and harmless to provide.


   2. The reason for preserving the .asc on the shared-library binary

is because it authenticates with respect to who produced it and
establishes that it has not been modified as supplied in the package (or
as the result of some glitch in creation of the Zip).  It provides a
level of accountability and, also, auditability.


Even though few people will check all of these, they remain possible

to be checked.  Since this is a matter of security vulnerabilities and
involves elevation of privilege to perform, I believe it is important to
demonstrate diligence and care, so that users have confidence in this
procedure to the extent they are comfortable.  Also, if it becomes
necessary to troubleshoot a problem with these patch applications, we
have the means to authenticate what they are using to ensure there are
no counterfeits being offered to users.


That means that only the README and library file remains.

When the README for Windows keep its length then I don't want to

copy

this on the dowload webpage. ;-)

So, when we put the README for all platforms in their ZIP files then

we

can just put a pointer to it on the download webpage and thats it.

[orcmid]

Yes, that seems like a fine idea.  The README can be linked the same

way the .md5, .sha256, and .asc are linked.


Also, the README may become simpler if we can link to some of the

information and not have so much detail in the README text itself.  It
might even be useful to have an .html README for that matter.  But that
is all extra.  Right now I think we want to get into the testing and see
how to smooth what we have.


PS: A friend of mine is looking into the MacOSX situation.  He points

out that one can use the Finder to do the job without users having to
use Terminal sessions.  I don't have further information at this time.


PPS: The inclusion of scripts that do the job is also worthy of

consideration, perhaps making it unnecessary to build executables.  I
will be looking at finding a .bat file that works safely for th

RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Dennis E. Hamilton]

Beta version 0.1.0 is now nearing completion.

It will include two scripts, one for applying the patch, the other for 
reverting the patch.

The .zip will also have a copy of the original 4.1.2 tl.dll as well as the new 
one.  These are used in the procedures to verify the files that are present in 
the OpenOffice configuration in order to apply the patch and also to remove it.

Next steps:
 * Additional path testing of the two scripts and verification that operation 
on Windows XP and on Windows 10 work as expected.

 * Updating of the README to reflect the availability of the batch-file scripts 
as well as the manual procedure if ever needed.

 * Although the Zips already carry executable code (i.e., DLLs) there may be 
some Antivirus push-back where the policy is to not allow .zip files with 
scripts in them.  The README will also have to address that possibility.

 - Dennis

> -Original Message-
> From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
> Sent: Monday, August 8, 2016 09:58
> To: dev@openoffice.apache.org
> Cc: q...@openoffice.apache.org
> Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
> Alpha version 0.0.1 of README-4.1.2-patch1-apply-Windows.txt has been
> introduced into the files (and the .zip) at
> <https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
> patch1/binaries/Windows>.
> 
> This version reflects suggestions by Marcus Lange, Pedro Lino, and Keith
> McKenna.  Suggestions that are not (yet) implemented will be discussed
> in replies to their messages and on the bugzilla issue at
> <https://bz.apache.org/ooo/show_bug.cgi?id=127065>.
> 
> 
> By its nature, this material is intended for users operating on Windows.
> In some cases, incompatible forms are used on the Subversion server
> where the above files are situated.  Version 0.0.1 attempts to
> accommodate for this incompatibility.  In continuing to verify the
> procedure, please indicate whether there are (now) difficulties using
> the text files, especially on Windows.
> 
> Users of Linux systems may have difficulties with some utilities for
> which the Windows versions of the same tool (e.g., md5sum) do not
> produce Linux-acceptable line endings.  It is useful to know if that is
> still the case.  The files have been confirmed to be usable using the
> utilities built for use on Windows.
> 
> For future versions, the use of HTML instead of text will be considered.
> HTML does not have white-space incompatibility problems across different
> platforms. The HTML will also be digitally-signed as a means of
> verifying its authenticity.
> 
> In addition to possibly using HTML as a better form for cross-platform
> use of text, attention will now move toward introducing scripts that
> automatically apply the change, replacing all of steps 9-18.
> 
> Meanwhile, it is valuable to continue testing that the replacement file
> produces no regression or introduction of any defects not seen using an
> unmodified Apache OpenOffice 4.1.2.
> 
>  - Dennis
> 
> 
> > -Original Message-
> > From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
> > Sent: Tuesday, August 2, 2016 20:31
> > To: dev@openoffice.apache.org
> > Cc: q...@openoffice.apache.org
> > Subject: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> >
> > Testing of an Apache OpenOffice 4.1.2-patch1 procedure is requested.
> >
> > The files to be used in testing are at
> > <https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
> patch1/binaries/Windows>.
> >
> > The files to be tested and reviewed are
> >
> >  * README-4.1.2-patch1-apply-Windows.txt
> >The description of the procedure for applying a corrected
> >library file to installed copies of Apache OpenOffice 4.1.2
> >on Windows.  Read this first before deciding to download
> >the Zip file and attempting the procedure.
> >
> >  * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
> >The Zip archive containing the files to be used in the
> >procedure.  There is a copy of the README within the
> >archive as well.
> >
> >  * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
> >  * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.md5
> >  * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.sha256
> >Files that provide a digital signature, an MD5 hash,
> >and an SHA256 hash that can be used to verify the
> >integrity of the download and, in the case of the
> >digital signature, the authenticity and accuracy of
> >the download.
> >
> > REQUESTED TESTING
> >
> >  * [OPTIONAL] If you are able to check any of the .asc,
> >.md5, and .sha25

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Carl Marcum]

On 08/10/2016 03:09 AM, Jan Høydahl wrote:

9. aug. 2016 kl. 13.23 skrev Carl Marcum :
...
Could we use a cross-platform installer like izpack [1]?

I started trying it out last weekend and it looks like it could do the job of 
running a rename script and copying in the library.


I previously used izPack for cross platform install of a Tomcat application.
You can develop custom plugins for izPack as well as custom scripts, so 
creating something which looks for AOO in a number
of predefined locations, and also validates the correct version dependency, 
would probably be within reach as well.
I think you can tell izPack to do actions with elevated privileges.

I also tested generating a Windows-executable wrapper using Launch4J 
(http://launch4j.sourceforge.net/ ), and it 
worked well.
The resulting exe file is self contained, will auto-resolve any installed JRE 
on the system, or display a popup with
Java download link if it cannot find Java on the system. Launch4J can also 
generate executable wrappers for macOS but
I did not try that. Both izPack and launch4j can be built from e.g. an Ant 
build script.

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com



Hi Jan,

That's good information. I hadn't seen launch4j before.

Even though we probably won't use an installer for this case, I have 
other uses for launch4j.


Thanks for the tip !

Carl


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Jan Høydahl]

> 9. aug. 2016 kl. 13.23 skrev Carl Marcum :
> ...
> Could we use a cross-platform installer like izpack [1]?
> 
> I started trying it out last weekend and it looks like it could do the job of 
> running a rename script and copying in the library.


I previously used izPack for cross platform install of a Tomcat application.
You can develop custom plugins for izPack as well as custom scripts, so 
creating something which looks for AOO in a number
of predefined locations, and also validates the correct version dependency, 
would probably be within reach as well.
I think you can tell izPack to do actions with elevated privileges.

I also tested generating a Windows-executable wrapper using Launch4J 
(http://launch4j.sourceforge.net/ ), and it 
worked well.
The resulting exe file is self contained, will auto-resolve any installed JRE 
on the system, or display a popup with
Java download link if it cannot find Java on the system. Launch4J can also 
generate executable wrappers for macOS but
I did not try that. Both izPack and launch4j can be built from e.g. an Ant 
build script.

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

RE: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Dennis E. Hamilton]

> -Original Message-
> From: Marcus [mailto:marcus.m...@wtnet.de]
> Sent: Tuesday, August 9, 2016 15:26
> To: dev@openoffice.apache.org
> Subject: Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING]
> Applying openoffice-4.1.2-patch1 for Windows)
> 
> Am 08/09/2016 11:12 PM, schrieb Kay Schenk:
> > [top posting]
> > I'm in the process of trying to "sync" instructions for Linux32,
> > Linux64, and MacOSX at the moment. As far as instructions on the
> actual
> > HOTFIX page, we need to have just a "general" instruction for ALL zips
> > that simply says -- "Unzip this package to some folder of your
> choosing
> > and read the README that's included." Everything else should be in the
> > various READMEs for each platform.
> 
> yes, this shortens the webpage a lot.
> 
> > I should be done with all edits by this evening for a final review
> > before zipping and signing.
> 
> When the ZIP files are ready, I can do the checks for Linux and Windows.
> 
> Marcus
[orcmid] 

I have a working Windows batch-file script for installing the patch, but I have 
not updated the documentation yet and I need to do tests on Windows XP to make 
certain that the script works there too.

The next update for Windows will be version 0.1.0 and be beta level.

There might be an 0.2.0 if the README is changed from .txt to .html to get 
around line-ending incompatibilities depending on what platform is used for 
what.

Once those clear, we can look at adjustments for 1.0.0 and general release 
after a little regression checking.

I suspect the general will happen on Thursday or Friday.
> 
> 
> 
> > On 08/05/2016 09:28 AM, Dennis E. Hamilton wrote:
> >> Branching off the part that is not about the Windows 4.1.2-patch1
> [TESTING].
> >>
> >>> -Original Message-
> >>> From: Marcus [mailto:marcus.m...@wtnet.de]
> >>> Sent: Thursday, August 4, 2016 15:52
> >>> To: dev@openoffice.apache.org
> >>> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> >>>
> >>> Am 08/05/2016 12:26 AM, schrieb Kay Schenk:
> >> [ ... ]
> >>>>
> >>>> hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.
> >>>>
> >>>> Should we get started on these?
> >>>
> >>> it depends what we want that they should contain. The ZIP file for
> >>> Windows contains a LICENSE and NOTICE file as well as an ASC file
> for
> >>> the DLL. As it is only a patch IMHO we don't need to provide another
> >>> LICENSE and NOTICE file which is already available in the OpenOffice
> >>> installation. Also the ASC is not necessary as we provide it already
> >>> (together with MD5 and SHA256) for the whole ZIP file.
> >> [orcmid]
> >>
> >> I think there is a misunderstanding.  Two matters:
> >>
> >>   1. The use of LICENSE is required by the ALv2 itself, and the ASF
> practice is to include NOTICE as well on binary distributions.  The
> patch qualifies, especially when it is moved to general distribution.
> It is also easy and harmless to provide.
> >>
> >>   2. The reason for preserving the .asc on the shared-library binary
> is because it authenticates with respect to who produced it and
> establishes that it has not been modified as supplied in the package (or
> as the result of some glitch in creation of the Zip).  It provides a
> level of accountability and, also, auditability.
> >>
> >> Even though few people will check all of these, they remain possible
> to be checked.  Since this is a matter of security vulnerabilities and
> involves elevation of privilege to perform, I believe it is important to
> demonstrate diligence and care, so that users have confidence in this
> procedure to the extent they are comfortable.  Also, if it becomes
> necessary to troubleshoot a problem with these patch applications, we
> have the means to authenticate what they are using to ensure there are
> no counterfeits being offered to users.
> >>>
> >>> That means that only the README and library file remains.
> >>>
> >>> When the README for Windows keep its length then I don't want to
> copy
> >>> this on the dowload webpage. ;-)
> >>>
> >>> So, when we put the README for all platforms in their ZIP files then
> we
> >>> can just put a pointer to it on the download webpage and thats it.
> >> [orcmid]
> >>
> >> Yes, that seems like a fine idea.  The README can be linked the same
> way the .md5, .sha256, and .asc are 

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Kay Schenk]

[top posting]
I'm in the process of trying to "sync" instructions for Linux32,
Linux64, and MacOSX at the moment. As far as instructions on the actual
HOTFIX page, we need to have just a "general" instruction for ALL zips
that simply says -- "Unzip this package to some folder of your choosing
and read the README that's included." Everything else should be in the
various READMEs for each platform.

I should be done with all edits by this evening for a final review
before zipping and signing.

On 08/05/2016 09:28 AM, Dennis E. Hamilton wrote:
> Branching off the part that is not about the Windows 4.1.2-patch1 [TESTING].
> 
>> -Original Message-
>> From: Marcus [mailto:marcus.m...@wtnet.de]
>> Sent: Thursday, August 4, 2016 15:52
>> To: dev@openoffice.apache.org
>> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
>>
>> Am 08/05/2016 12:26 AM, schrieb Kay Schenk:
> [ ... ]
>>>
>>> hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.
>>>
>>> Should we get started on these?
>>
>> it depends what we want that they should contain. The ZIP file for
>> Windows contains a LICENSE and NOTICE file as well as an ASC file for
>> the DLL. As it is only a patch IMHO we don't need to provide another
>> LICENSE and NOTICE file which is already available in the OpenOffice
>> installation. Also the ASC is not necessary as we provide it already
>> (together with MD5 and SHA256) for the whole ZIP file.
> [orcmid] 
> 
> I think there is a misunderstanding.  Two matters:
> 
>  1. The use of LICENSE is required by the ALv2 itself, and the ASF practice 
> is to include NOTICE as well on binary distributions.  The patch qualifies, 
> especially when it is moved to general distribution.  It is also easy and 
> harmless to provide.
> 
>  2. The reason for preserving the .asc on the shared-library binary is 
> because it authenticates with respect to who produced it and establishes that 
> it has not been modified as supplied in the package (or as the result of some 
> glitch in creation of the Zip).  It provides a level of accountability and, 
> also, auditability.
> 
> Even though few people will check all of these, they remain possible to be 
> checked.  Since this is a matter of security vulnerabilities and involves 
> elevation of privilege to perform, I believe it is important to demonstrate 
> diligence and care, so that users have confidence in this procedure to the 
> extent they are comfortable.  Also, if it becomes necessary to troubleshoot a 
> problem with these patch applications, we have the means to authenticate what 
> they are using to ensure there are no counterfeits being offered to users.
>>
>> That means that only the README and library file remains.
>>
>> When the README for Windows keep its length then I don't want to copy
>> this on the dowload webpage. ;-)
>>
>> So, when we put the README for all platforms in their ZIP files then we
>> can just put a pointer to it on the download webpage and thats it.
> [orcmid] 
> 
> Yes, that seems like a fine idea.  The README can be linked the same way the 
> .md5, .sha256, and .asc are linked.
> 
> Also, the README may become simpler if we can link to some of the information 
> and not have so much detail in the README text itself.  It might even be 
> useful to have an .html README for that matter.  But that is all extra.  
> Right now I think we want to get into the testing and see how to smooth what 
> we have.
> 
> PS: A friend of mine is looking into the MacOSX situation.  He points out 
> that one can use the Finder to do the job without users having to use 
> Terminal sessions.  I don't have further information at this time.
> 
> PPS: The inclusion of scripts that do the job is also worthy of 
> consideration, perhaps making it unnecessary to build executables.  I will be 
> looking at finding a .bat file that works safely for the Windows case.  That 
> can make the instructions much shorter :).
> 
>>
>> To cut a long story short:
>> I would say yes for a ZIP file for every platform.
> [ ... ]
> 
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org
> 

-- 

MzK

"Time spent with cats is never wasted."
   -- Sigmund Freud

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Carl Marcum]

On 08/05/2016 12:28 PM, Dennis E. Hamilton wrote:

Branching off the part that is not about the Windows 4.1.2-patch1 [TESTING].


-Original Message-
From: Marcus [mailto:marcus.m...@wtnet.de]
Sent: Thursday, August 4, 2016 15:52
To: dev@openoffice.apache.org
Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

Am 08/05/2016 12:26 AM, schrieb Kay Schenk:

[ ... ]

hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.

Should we get started on these?

it depends what we want that they should contain. The ZIP file for
Windows contains a LICENSE and NOTICE file as well as an ASC file for
the DLL. As it is only a patch IMHO we don't need to provide another
LICENSE and NOTICE file which is already available in the OpenOffice
installation. Also the ASC is not necessary as we provide it already
(together with MD5 and SHA256) for the whole ZIP file.

[orcmid]

I think there is a misunderstanding.  Two matters:

  1. The use of LICENSE is required by the ALv2 itself, and the ASF practice is 
to include NOTICE as well on binary distributions.  The patch qualifies, 
especially when it is moved to general distribution.  It is also easy and 
harmless to provide.

  2. The reason for preserving the .asc on the shared-library binary is because 
it authenticates with respect to who produced it and establishes that it has 
not been modified as supplied in the package (or as the result of some glitch 
in creation of the Zip).  It provides a level of accountability and, also, 
auditability.

Even though few people will check all of these, they remain possible to be 
checked.  Since this is a matter of security vulnerabilities and involves 
elevation of privilege to perform, I believe it is important to demonstrate 
diligence and care, so that users have confidence in this procedure to the 
extent they are comfortable.  Also, if it becomes necessary to troubleshoot a 
problem with these patch applications, we have the means to authenticate what 
they are using to ensure there are no counterfeits being offered to users.

That means that only the README and library file remains.

When the README for Windows keep its length then I don't want to copy
this on the dowload webpage. ;-)

So, when we put the README for all platforms in their ZIP files then we
can just put a pointer to it on the download webpage and thats it.

[orcmid]

Yes, that seems like a fine idea.  The README can be linked the same way the 
.md5, .sha256, and .asc are linked.

Also, the README may become simpler if we can link to some of the information 
and not have so much detail in the README text itself.  It might even be useful 
to have an .html README for that matter.  But that is all extra.  Right now I 
think we want to get into the testing and see how to smooth what we have.

PS: A friend of mine is looking into the MacOSX situation.  He points out that 
one can use the Finder to do the job without users having to use Terminal 
sessions.  I don't have further information at this time.

PPS: The inclusion of scripts that do the job is also worthy of consideration, 
perhaps making it unnecessary to build executables.  I will be looking at 
finding a .bat file that works safely for the Windows case.  That can make the 
instructions much shorter :).


To cut a long story short:
I would say yes for a ZIP file for every platform.

[ ... ]




Could we use a cross-platform installer like izpack [1]?

I started trying it out last weekend and it looks like it could do the 
job of running a rename script and copying in the library.


A few notes.

It can:
display a readme to explain what will happen.
display our license for acceptance.
run a script depending on platform.
Copy in files based on platform.

Requires Java on the machine to run installer.
Also the user need to be able to use a file chooser to find the AOO 
directory.


If so I will continue to pursue this but may need so help with the 
scripts and testing.


[1] http://izpack.org/

Thanks,
Carl

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Dennis E. Hamilton]

Alpha version 0.0.1 of README-4.1.2-patch1-apply-Windows.txt has been 
introduced into the files (and the .zip) at 
.

This version reflects suggestions by Marcus Lange, Pedro Lino, and Keith 
McKenna.  Suggestions that are not (yet) implemented will be discussed in 
replies to their messages and on the bugzilla issue at 
.


By its nature, this material is intended for users operating on Windows.  In 
some cases, incompatible forms are used on the Subversion server where the 
above files are situated.  Version 0.0.1 attempts to accommodate for this 
incompatibility.  In continuing to verify the procedure, please indicate 
whether there are (now) difficulties using the text files, especially on 
Windows.

Users of Linux systems may have difficulties with some utilities for which the 
Windows versions of the same tool (e.g., md5sum) do not produce 
Linux-acceptable line endings.  It is useful to know if that is still the case. 
 The files have been confirmed to be usable using the utilities built for use 
on Windows.

For future versions, the use of HTML instead of text will be considered.  HTML 
does not have white-space incompatibility problems across different platforms. 
The HTML will also be digitally-signed as a means of verifying its authenticity.

In addition to possibly using HTML as a better form for cross-platform use of 
text, attention will now move toward introducing scripts that automatically 
apply the change, replacing all of steps 9-18.

Meanwhile, it is valuable to continue testing that the replacement file 
produces no regression or introduction of any defects not seen using an 
unmodified Apache OpenOffice 4.1.2.

 - Dennis


> -Original Message-
> From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
> Sent: Tuesday, August 2, 2016 20:31
> To: dev@openoffice.apache.org
> Cc: q...@openoffice.apache.org
> Subject: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
> Testing of an Apache OpenOffice 4.1.2-patch1 procedure is requested.
> 
> The files to be used in testing are at
> .
> 
> The files to be tested and reviewed are
> 
>  * README-4.1.2-patch1-apply-Windows.txt
>The description of the procedure for applying a corrected
>library file to installed copies of Apache OpenOffice 4.1.2
>on Windows.  Read this first before deciding to download
>the Zip file and attempting the procedure.
> 
>  * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
>The Zip archive containing the files to be used in the
>procedure.  There is a copy of the README within the
>archive as well.
> 
>  * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
>  * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.md5
>  * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.sha256
>Files that provide a digital signature, an MD5 hash,
>and an SHA256 hash that can be used to verify the
>integrity of the download and, in the case of the
>digital signature, the authenticity and accuracy of
>the download.
> 
> REQUESTED TESTING
> 
>  * [OPTIONAL] If you are able to check any of the .asc,
>.md5, and .sha256 files against the .zip, report any
>difficulties that may have been encountered.
> 
>  * If you performed the procedure, report
> * the version of Microsoft Windows and the type of
>   account used (administrator or standard user).
> * report whether the procedure succeeded
> * if the procedure failed or met with difficulties,
>   please summarize the problems and how you over-
>   came any of them
> 
>  * [IMPORTANT] Identify any missing, incomplete or
>confusing information in the README.  Describe what you
>see as important improvements before making general
>release of the procedure for use by non-expert users of
>Apache OpenOffice on Windows.
> 
> The goal is to provide as much as we can to assist Windows users in
> applying this fix with confidence and success.  The experience of more-
> knowledgable users who appreciate the difficulties of non-experts is
> important in achieving that.
> 
> Thank you for any effort you invest and the feedback you provide.
> 
>  - Dennis
> 
> 
> 
> 
> 
> 
>  -- Dennis E. Hamilton
> orc...@apache.org
> dennis.hamil...@acm.org+1-206-779-9430
> https://keybase.io/orcmid  PGP F96E 89FF D456 628A
> X.509 certs used and requested for signed e-mail
> 
> 
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Kay Schenk]

On Thu, Aug 4, 2016 at 3:52 PM, Marcus  wrote:

> Am 08/05/2016 12:26 AM, schrieb Kay Schenk:
>
>> On 08/04/2016 02:21 PM, Marcus wrote:
>>
>>> Am 08/03/2016 05:31 AM, schrieb Dennis E. Hamilton:
>>>
 Testing of an Apache OpenOffice 4.1.2-patch1 procedure is requested.

 The files to be used in testing are at
 .



>> hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.
>>
>> Should we get started on these?
>>
>
> it depends what we want that they should contain. The ZIP file for Windows
> contains a LICENSE and NOTICE file as well as an ASC file for the DLL. As
> it is only a patch IMHO we don't need to provide another LICENSE and NOTICE
> file which is already available in the OpenOffice installation. Also the
> ASC is not necessary as we provide it already (together with MD5 and
> SHA256) for the whole ZIP file.
>

​I'm Ok with the extra "asc" on the library especially if the supplier of
the library is not the same person who supplies the entire  zip.​


​I'm not convinced we need LICENSE and NOTICE either.

In any case, we need to come to a conclusion about what will be included
and by whom.
These zips all need to be signed, so only AOO developers who have already
supplied keys on:

​http://www.apache.org/dist/openoffice/KEYS

can sign these. Of course, it's not TOO late to generate a release key and
add names to the list. :)



> That means that only the README and library file remains.
>
> When the README for Windows keep its length then I don't want to copy this
> on the dowload webpage. ;-)
>
> So, when we put the README for all platforms in their ZIP files then we
> can just put a pointer to it on the download webpage and thats it.
>
> To cut a long story short:
> I would say yes for a ZIP file for every platform.
>
>* apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc

>>>
>>> I don't know if this is OK or still bad:
>>>
>>> gpg --verify apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
>>> apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
>>> gpg: Signature made Tue 02 Aug 2016 06:24:08 AM CEST using RSA key ID
>>> D456628A
>>> gpg: Good signature from "keybase.io/orcmid (confirmed identifier)
>>> "
>>> gpg: aka "orcmid (Dennis E. Hamilton)"
>>> gpg: aka "orcmid Apache (code signing)>> >"
>>> gpg: aka "Dennis E. Hamilton (orcmid)
>>> "
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg:  There is no indication that the signature belongs to the
>>> owner.
>>>
>>
>> I get this on sig checks also. There's probably a step we're missing to
>> specify "trust" locally.
>>
>> See:
>> http://www.apache.org/dev/release-signing.html
>>
>
> OK, thanks.
>
>
> Marcus
>
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org
>
>


-- 
--
MzK

"Time spent with cats is never wasted."
-- Sigmund Freud

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Marcus]

Am 08/07/2016 07:30 PM, schrieb Dennis E. Hamilton:

-Original Message-
From: Marcus [mailto:marcus.m...@wtnet.de]
Sent: Sunday, August 7, 2016 09:21
To: dev@openoffice.apache.org
Cc: q...@openoffice.apache.org
Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

Feedback for the .zip file:

Do you have a reason in mind for the "apply" in the file name? I would
delete this as I don't see a benefit and it would shorten the file name.

[orcmid]

I used the apply suffix to allow for there being a (semi-)automatic version 
that worked automatically later.  I would then propose hotfix or something for 
that.  This allowed for both to exist at some point.

I'd rather not change that now since folks know to look for it by that name, it 
is used in the readme, etc.


it's just a test version which can still be changed. So, I would shorten 
the name it and edit also the README.



When extracting a ZIP file I cannot stand it when no subdirectory is
included and the files are extracted where the current directory is at
the moment. So, I've to search for the new files.

[orcmid]

The Extract ... tool for Windows automatically creates a folder to put 
everything into, although it will be in the same folder as the .zip.  So having 
a folder in there simply adds an extra level.  That is using the Windows 
extract.


Ah, OK. I always use "Extract here".


Other tools, such as WinZip also allow the user to choose a folder destination, 
although it might take more work, and knowledgeable users of Zip tools know how 
to tell what to do that works according to the README.


Marcus




Therefore please include a "files" dir (or similar name) into the ZIP
file.

[orcmid]

The normal choice would be something like 4.1.2-patch1-apply :).




Feedback for the README file.

[orcmid]

Thank you.  I will go over all of the suggestions on the README that have come 
in so far, and provide an update today.




Line 25:
It should be improve into "please consult a knowledgable person (e.g.,
family member work colleauge, acquaintance) that is able to assist you".
At least for me it sounds better.

Line 41.
Put all OPTIONAL things at the section end.

Line 44/45:
old: "... that are part of the system.installed."
new: "... that are part of the installed system."

Line 64/65:
One "which" is double.

Line 86-89:
I don't know if this is necessary for this process. I think it would
just foster help requests to the dev@ mailing list.

Line 111:
I would write ", the .zip file is available to use.".

Line 114:
One "or" is double.

Line 131:
No, there is no folder extracted. Please include one (see at the top of
this mail).

[orcmid]

Did you not use the Windows "Extract ..." action on the context menu?



Line 147:
IMHO this was stated already. Please don't rename the new file in the
ZIP file. Otherwise the user has to do an additional file rename which
should not be done.

[orcmid]

That must be a misunderstanding.  I don't propose anything like that.



Line 153:
The same for the ASC file.

Line 183 and 186:
Both parts can be described together to save 1 step.

Line 208:
This step should be avoided (see at the top of this mail).

Line 222-231:
As stated previously (line 86-89).

Line 240:
To give (again) the hint that OpenOffice should be closed before
renaming the files would be nice to the user.


I hope this feedback is helpful for you.

[orcmid]

Yes, thank you.  I will look more closely when making the edits.



Marcus



Am 08/03/2016 05:31 AM, schrieb Dennis E. Hamilton:

Testing of an Apache OpenOffice 4.1.2-patch1 procedure is requested.

The files to be used in testing are at
<https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-

patch1/binaries/Windows>.


The files to be tested and reviewed are

   * README-4.1.2-patch1-apply-Windows.txt
 The description of the procedure for applying a corrected
 library file to installed copies of Apache OpenOffice 4.1.2
 on Windows.  Read this first before deciding to download
 the Zip file and attempting the procedure.

   * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
 The Zip archive containing the files to be used in the
 procedure.  There is a copy of the README within the
 archive as well.

   * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
   * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.md5
   * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.sha256
 Files that provide a digital signature, an MD5 hash,
 and an SHA256 hash that can be used to verify the
 integrity of the download and, in the case of the
 digital signature, the authenticity and accuracy of
 the download.

REQUESTED TESTING

   * [OPTIONAL] If you are able to check any of the .asc,
 .md5, and .sha256 files against the .zip, report any
 difficulties that may have been encountered.

   * If you performed the proc

RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Dennis E. Hamilton]

> -Original Message-
> From: Marcus [mailto:marcus.m...@wtnet.de]
> Sent: Sunday, August 7, 2016 09:21
> To: dev@openoffice.apache.org
> Cc: q...@openoffice.apache.org
> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
> Feedback for the .zip file:
> 
> Do you have a reason in mind for the "apply" in the file name? I would
> delete this as I don't see a benefit and it would shorten the file name.
[orcmid] 

I used the apply suffix to allow for there being a (semi-)automatic version 
that worked automatically later.  I would then propose hotfix or something for 
that.  This allowed for both to exist at some point.

I'd rather not change that now since folks know to look for it by that name, it 
is used in the readme, etc.

> 
> When extracting a ZIP file I cannot stand it when no subdirectory is
> included and the files are extracted where the current directory is at
> the moment. So, I've to search for the new files.
[orcmid] 

The Extract ... tool for Windows automatically creates a folder to put 
everything into, although it will be in the same folder as the .zip.  So having 
a folder in there simply adds an extra level.  That is using the Windows 
extract. 

Other tools, such as WinZip also allow the user to choose a folder destination, 
although it might take more work, and knowledgeable users of Zip tools know how 
to tell what to do that works according to the README.

> 
> Therefore please include a "files" dir (or similar name) into the ZIP
> file.
[orcmid] 

The normal choice would be something like 4.1.2-patch1-apply :).
> 
> 
> 
> Feedback for the README file.
[orcmid] 

Thank you.  I will go over all of the suggestions on the README that have come 
in so far, and provide an update today.


> 
> Line 25:
> It should be improve into "please consult a knowledgable person (e.g.,
> family member work colleauge, acquaintance) that is able to assist you".
> At least for me it sounds better.
> 
> Line 41.
> Put all OPTIONAL things at the section end.
> 
> Line 44/45:
> old: "... that are part of the system.installed."
> new: "... that are part of the installed system."
> 
> Line 64/65:
> One "which" is double.
> 
> Line 86-89:
> I don't know if this is necessary for this process. I think it would
> just foster help requests to the dev@ mailing list.
> 
> Line 111:
> I would write ", the .zip file is available to use.".
> 
> Line 114:
> One "or" is double.
> 
> Line 131:
> No, there is no folder extracted. Please include one (see at the top of
> this mail).
[orcmid] 

Did you not use the Windows "Extract ..." action on the context menu?

> 
> Line 147:
> IMHO this was stated already. Please don't rename the new file in the
> ZIP file. Otherwise the user has to do an additional file rename which
> should not be done.
[orcmid] 

That must be a misunderstanding.  I don't propose anything like that.

> 
> Line 153:
> The same for the ASC file.
> 
> Line 183 and 186:
> Both parts can be described together to save 1 step.
> 
> Line 208:
> This step should be avoided (see at the top of this mail).
> 
> Line 222-231:
> As stated previously (line 86-89).
> 
> Line 240:
> To give (again) the hint that OpenOffice should be closed before
> renaming the files would be nice to the user.
> 
> 
> I hope this feedback is helpful for you.
[orcmid] 

Yes, thank you.  I will look more closely when making the edits.

> 
> Marcus
> 
> 
> 
> Am 08/03/2016 05:31 AM, schrieb Dennis E. Hamilton:
> > Testing of an Apache OpenOffice 4.1.2-patch1 procedure is requested.
> >
> > The files to be used in testing are at
> > <https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
> patch1/binaries/Windows>.
> >
> > The files to be tested and reviewed are
> >
> >   * README-4.1.2-patch1-apply-Windows.txt
> > The description of the procedure for applying a corrected
> > library file to installed copies of Apache OpenOffice 4.1.2
> > on Windows.  Read this first before deciding to download
> > the Zip file and attempting the procedure.
> >
> >   * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
> > The Zip archive containing the files to be used in the
> > procedure.  There is a copy of the README within the
> > archive as well.
> >
> >   * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
> >   * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.md5
> >   * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.sha256
> > Files that provide a digital signature, an MD5 hash,
> > and an SHA256 hash tha

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Marcus]

Feedback for the .zip file:

Do you have a reason in mind for the "apply" in the file name? I would 
delete this as I don't see a benefit and it would shorten the file name.


When extracting a ZIP file I cannot stand it when no subdirectory is 
included and the files are extracted where the current directory is at 
the moment. So, I've to search for the new files.


Therefore please include a "files" dir (or similar name) into the ZIP file.



Feedback for the README file.

Line 25:
It should be improve into "please consult a knowledgable person (e.g., 
family member work colleauge, acquaintance) that is able to assist you".

At least for me it sounds better.

Line 41.
Put all OPTIONAL things at the section end.

Line 44/45:
old: "... that are part of the system.installed."
new: "... that are part of the installed system."

Line 64/65:
One "which" is double.

Line 86-89:
I don't know if this is necessary for this process. I think it would 
just foster help requests to the dev@ mailing list.


Line 111:
I would write ", the .zip file is available to use.".

Line 114:
One "or" is double.

Line 131:
No, there is no folder extracted. Please include one (see at the top of 
this mail).


Line 147:
IMHO this was stated already. Please don't rename the new file in the 
ZIP file. Otherwise the user has to do an additional file rename which 
should not be done.


Line 153:
The same for the ASC file.

Line 183 and 186:
Both parts can be described together to save 1 step.

Line 208:
This step should be avoided (see at the top of this mail).

Line 222-231:
As stated previously (line 86-89).

Line 240:
To give (again) the hint that OpenOffice should be closed before 
renaming the files would be nice to the user.



I hope this feedback is helpful for you.

Marcus



Am 08/03/2016 05:31 AM, schrieb Dennis E. Hamilton:

Testing of an Apache OpenOffice 4.1.2-patch1 procedure is requested.

The files to be used in testing are at
.

The files to be tested and reviewed are

  * README-4.1.2-patch1-apply-Windows.txt
The description of the procedure for applying a corrected
library file to installed copies of Apache OpenOffice 4.1.2
on Windows.  Read this first before deciding to download
the Zip file and attempting the procedure.

  * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
The Zip archive containing the files to be used in the
procedure.  There is a copy of the README within the
archive as well.

  * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
  * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.md5
  * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.sha256
Files that provide a digital signature, an MD5 hash,
and an SHA256 hash that can be used to verify the
integrity of the download and, in the case of the
digital signature, the authenticity and accuracy of
the download.

REQUESTED TESTING

  * [OPTIONAL] If you are able to check any of the .asc,
.md5, and .sha256 files against the .zip, report any
difficulties that may have been encountered.

  * If you performed the procedure, report
 * the version of Microsoft Windows and the type of
   account used (administrator or standard user).
 * report whether the procedure succeeded
 * if the procedure failed or met with difficulties,
   please summarize the problems and how you over-
   came any of them

  * [IMPORTANT] Identify any missing, incomplete or
confusing information in the README.  Describe what you
see as important improvements before making general
release of the procedure for use by non-expert users of
Apache OpenOffice on Windows.

The goal is to provide as much as we can to assist Windows users in applying 
this fix with confidence and success.  The experience of more-knowledgable 
users who appreciate the difficulties of non-experts is important in achieving 
that.

Thank you for any effort you invest and the feedback you provide.


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

RE: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Dennis E. Hamilton]

> -Original Message-
> From: Marcus [mailto:marcus.m...@wtnet.de]
> Sent: Friday, August 5, 2016 10:47
> To: dev@openoffice.apache.org
> Subject: Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING]
> Applying openoffice-4.1.2-patch1 for Windows)
> 
> Am 08/05/2016 06:28 PM, schrieb Dennis E. Hamilton:
[ ... ]
> >>
> >> So, when we put the README for all platforms in their ZIP files then
> we
> >> can just put a pointer to it on the download webpage and thats it.
> > [orcmid]
> >
> > Yes, that seems like a fine idea.  The README can be linked the same
> way the .md5, .sha256, and .asc are linked.
> 
> Ahm, no. ;-) As the README is *inside* the ZIP file I cannot provide a
> direct link to it. But a little text hint should do the job.
[orcmid] 

That's why I put one copy outside and one inside that travels with the Zip.  
The one outside can be linked to just like any of the other companion text 
files, and it can be accessed without downloading the archive file.  

 - Dennis
> 
> > Also, the README may become simpler if we can link to some of the
> information and not have so much detail in the README text itself.  It
> might even be useful to have an .html README for that matter.  But that
> is all extra.  Right now I think we want to get into the testing and see
> how to smooth what we have.
> >
> > PS: A friend of mine is looking into the MacOSX situation.  He points
> out that one can use the Finder to do the job without users having to
> use Terminal sessions.  I don't have further information at this time.
> 
> Great, I thought this already and provided this in the (very short)
> version of the README that Kay has already committed aside the MacOSX
> patch.
> 
> Please, can you ask your friend to have a look if it's OK and
> sufficient? If not, please ask for some more details. Thanks!
[orcmid] 

I have already pointed him to what we have in the MacOSX folder.

> 
> > PPS: The inclusion of scripts that do the job is also worthy of
> consideration, perhaps making it unnecessary to build executables.  I
> will be looking at finding a .bat file that works safely for the Windows
> case.  That can make the instructions much shorter :).
> 
> Yes, a script would be a great help to our Windows users. Unfortunately,
> I've no knowledge about how to do this scripting on Windows.
> 
> >> To cut a long story short:
> >> I would say yes for a ZIP file for every platform.
> > [ ... ]
> 
> Marcus
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Carl Marcum]

On 08/05/2016 12:28 PM, Dennis E. Hamilton wrote:

For tracking the [TESTING] of the 4.1.2-patch1 binary for windows, I have 
created task Issue 127065,
<https://bz.apache.org/ooo/show_bug.cgi?id=127065>.  Comment 7 there already 
speaks to the untrusted identification situation.

I am adding an abridged version of this message from Carl with the part 
relevant to certificate trust.  Note that most of us who have worked on 
4.1.2-patch1 and provided digital signatures will find that identity will be 
reported as untrusted based on the Web-of-Trust technique PGP software uses.  
We can, of course, verify the fingerprints and Apache account identity and 
certify each other.  That will change the status for those of us in this 
particular circle but not necessarily for anyone who does not already trust the 
identification of enough of us.

I don't think there is any way to get into this in our README files.  However, this 
is useful for any future contributions we might make to the page at 
<http://www.apache.org/dev/release-signing.html> or anything supplemental that 
is oriented to the users of Apache OpenOffice and their particular range of skills.


-Original Message-
From: Carl Marcum [mailto:cmar...@apache.org]
Sent: Friday, August 5, 2016 03:30
To: dev@openoffice.apache.org
Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

On 08/04/2016 06:52 PM, Marcus wrote:

Am 08/05/2016 12:26 AM, schrieb Kay Schenk:

On 08/04/2016 02:21 PM, Marcus wrote:

[ ... ]

* apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc

I don't know if this is OK or still bad:

gpg --verify apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
gpg: Signature made Tue 02 Aug 2016 06:24:08 AM CEST using RSA key

ID

D456628A
gpg: Good signature from "keybase.io/orcmid (confirmed identifier)
<orc...@keybase.io>"
gpg: aka "orcmid (Dennis E.

Hamilton)<orc...@msn.com>"

gpg: aka "orcmid Apache (code
signing)<orc...@apache.org>"
gpg: aka "Dennis E. Hamilton (orcmid)
<dennis.hamil...@acm.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to

the

owner.

I get this on sig checks also. There's probably a step we're missing

to

specify "trust" locally.

See:
http://www.apache.org/dev/release-signing.html

signing Dennis' key locally worked for me.
On Linux I use:
gpg --default-key 9553BF9A --sign-key D456628A

If the key you want to sign it with is already the default key you can
omit the "--default-key 9553BF9A" part.
Sometimes you may have to prefix the ID's with "0x" to denote hex.

If you trust this is Dennis' key you can send his key back with your sig
now attached and it will have more trust.
gpg --send-key 0xD456628A

If a few people do it the warning should go away. Web-of-trust  :)

Carl

[orcmid]

The warning will go away for us who have created a mutual Web-of-Trust but it 
won't help those who are not in that circle or have not somehow determined to 
trust in it themselves.  This is still useful advice about how to do it.

PS: I don't think the dist-level KEYS file is updated automatically, so the 
release KEYS set needs to be refreshed to work.  (We can check that by waiting 
for a while to see if Carl's trust of Dennis's key shows up.)


Dennis,

Yes I think I over simplified that.

Thanks for clarifying.

Best regards,
Carl


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Marcus]

Am 08/05/2016 07:02 PM, schrieb Dennis E. Hamilton:




-Original Message-
From: Kay Schenk [mailto:kay.sch...@gmail.com]
Sent: Friday, August 5, 2016 09:36
To: OOo Apache<dev@openoffice.apache.org>; Dennis Hamilton
<dennis.hamil...@acm.org>
Subject: Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING]
Applying openoffice-4.1.2-patch1 for Windows)

On Fri, Aug 5, 2016 at 9:28 AM, Dennis E. Hamilton
<dennis.hamil...@acm.org>
wrote:


Branching off the part that is not about the Windows 4.1.2-patch1
[TESTING].


-Original Message-
From: Marcus [mailto:marcus.m...@wtnet.de]
Sent: Thursday, August 4, 2016 15:52
To: dev@openoffice.apache.org
Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

Am 08/05/2016 12:26 AM, schrieb Kay Schenk:

[ ... ]


hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.

Should we get started on these?


it depends what we want that they should contain. The ZIP file for
Windows contains a LICENSE and NOTICE file as well as an ASC file

for

the DLL. As it is only a patch IMHO we don't need to provide another
LICENSE and NOTICE file which is already available in the OpenOffice
installation. Also the ASC is not necessary as we provide it already
(together with MD5 and SHA256) for the whole ZIP file.

[orcmid]

I think there is a misunderstanding.  Two matters:

  1. The use of LICENSE is required by the ALv2 itself, and the ASF
practice is to include NOTICE as well on binary distributions.  The

patch

qualifies, especially when it is moved to general distribution.  It is

also

easy and harmless to provide.

  2. The reason for preserving the .asc on the shared-library binary is
because it authenticates with respect to who produced it and

establishes

that it has not been modified as supplied in the package (or as the

result

of some glitch in creation of the Zip).  It provides a level of
accountability and, also, auditability.

Even though few people will check all of these, they remain possible

to be

checked.  Since this is a matter of security vulnerabilities and

involves

elevation of privilege to perform, I believe it is important to

demonstrate

diligence and care, so that users have confidence in this procedure to

the

extent they are comfortable.  Also, if it becomes necessary to

troubleshoot

a problem with these patch applications, we have the means to

authenticate

what they are using to ensure there are no counterfeits being offered

to

users.


That means that only the README and library file remains.

When the README for Windows keep its length then I don't want to

copy

this on the dowload webpage. ;-)

So, when we put the README for all platforms in their ZIP files then

we

can just put a pointer to it on the download webpage and thats it.

[orcmid]

Yes, that seems like a fine idea.  The README can be linked the same

way

the .md5, .sha256, and .asc are linked.

Also, the README may become simpler if we can link to some of the
information and not have so much detail in the README text itself.  It
might even be useful to have an .html README for that matter.  But

that is

all extra.  Right now I think we want to get into the testing and see

how

to smooth what we have.

PS: A friend of mine is looking into the MacOSX situation.  He points

out

that one can use the Finder to do the job without users having to use
Terminal sessions.  I don't have further information at this time.

PPS: The inclusion of scripts that do the job is also worthy of
consideration, perhaps making it unnecessary to build executables.  I

will

be looking at finding a .bat file that works safely for the Windows

case.

That can make the instructions much shorter :).



​??? I think you'd still need the executables as part of the payload. But
batch or script files would make the "installation" easier. We should
certainly consider this for future patches.​

[orcmid]

Yes, for the Windows case the .bat would be inside the Zip along with the other 
material.  It would be extracted along with the other material.  But then it 
can be executed where unzipped by an user running it as administrator in place. 
 So all of the renaming and copying business would be semi-automatic and users 
operating from non-administrator accounts would only have to authorize 
administrative operation once (it is to be hoped).

There is a variant that involves what is called a self-extracting Zip (an .exe 
file) that will run a command after doing so.  I don't know whether we want to 
do that, but it would be a way to create an installer for the patch.  That is a 
potential future step to explore for the Windows case.

One step at a time ...


yes, right. A self-executed Zip with starting the .bat after 
uncompressing would be a nice bonus.


Marcus




​  For this situation, we may as well go with what we've got I think.

Linux is very straightforward. I don't know anything about Macs. I do
know
that the Windows varients complicate thi

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Marcus]

Am 08/05/2016 12:30 PM, schrieb Carl Marcum:

On 08/04/2016 06:52 PM, Marcus wrote:

Am 08/05/2016 12:26 AM, schrieb Kay Schenk:

On 08/04/2016 02:21 PM, Marcus wrote:

Am 08/03/2016 05:31 AM, schrieb Dennis E. Hamilton:

Testing of an Apache OpenOffice 4.1.2-patch1 procedure is requested.

The files to be used in testing are at
.





hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.

Should we get started on these?


it depends what we want that they should contain. The ZIP file for
Windows contains a LICENSE and NOTICE file as well as an ASC file for
the DLL. As it is only a patch IMHO we don't need to provide another
LICENSE and NOTICE file which is already available in the OpenOffice
installation. Also the ASC is not necessary as we provide it already
(together with MD5 and SHA256) for the whole ZIP file.

That means that only the README and library file remains.

When the README for Windows keep its length then I don't want to copy
this on the dowload webpage. ;-)

So, when we put the README for all platforms in their ZIP files then
we can just put a pointer to it on the download webpage and thats it.

To cut a long story short:
I would say yes for a ZIP file for every platform.


* apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc


I don't know if this is OK or still bad:

gpg --verify apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
gpg: Signature made Tue 02 Aug 2016 06:24:08 AM CEST using RSA key ID
D456628A
gpg: Good signature from "keybase.io/orcmid (confirmed identifier)
"
gpg: aka "orcmid (Dennis E. Hamilton)"
gpg: aka "orcmid Apache (code signing)"
gpg: aka "Dennis E. Hamilton (orcmid)
"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.


I get this on sig checks also. There's probably a step we're missing to
specify "trust" locally.

See:
http://www.apache.org/dev/release-signing.html




signing Dennis' key locally worked for me.
On Linux I use:
gpg --default-key 9553BF9A --sign-key D456628A

If the key you want to sign it with is already the default key you can
omit the "--default-key 9553BF9A" part.
Sometimes you may have to prefix the ID's with "0x" to denote hex.

If you trust this is Dennis' key you can send his key back with your sig
now attached and it will have more trust.
gpg --send-key 0xD456628A

If a few people do it the warning should go away. Web-of-trust :)


thanks a lot for these details. :-)

Marcus


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Marcus]

Am 08/05/2016 06:28 PM, schrieb Dennis E. Hamilton:

Branching off the part that is not about the Windows 4.1.2-patch1 [TESTING].


-Original Message-
From: Marcus [mailto:marcus.m...@wtnet.de]
Sent: Thursday, August 4, 2016 15:52
To: dev@openoffice.apache.org
Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

Am 08/05/2016 12:26 AM, schrieb Kay Schenk:

[ ... ]


hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.

Should we get started on these?


it depends what we want that they should contain. The ZIP file for
Windows contains a LICENSE and NOTICE file as well as an ASC file for
the DLL. As it is only a patch IMHO we don't need to provide another
LICENSE and NOTICE file which is already available in the OpenOffice
installation. Also the ASC is not necessary as we provide it already
(together with MD5 and SHA256) for the whole ZIP file.

[orcmid]

I think there is a misunderstanding.  Two matters:

  1. The use of LICENSE is required by the ALv2 itself, and the ASF practice is 
to include NOTICE as well on binary distributions.  The patch qualifies, 
especially when it is moved to general distribution.  It is also easy and 
harmless to provide.

  2. The reason for preserving the .asc on the shared-library binary is because 
it authenticates with respect to who produced it and establishes that it has 
not been modified as supplied in the package (or as the result of some glitch 
in creation of the Zip).  It provides a level of accountability and, also, 
auditability.

Even though few people will check all of these, they remain possible to be 
checked.  Since this is a matter of security vulnerabilities and involves 
elevation of privilege to perform, I believe it is important to demonstrate 
diligence and care, so that users have confidence in this procedure to the 
extent they are comfortable.  Also, if it becomes necessary to troubleshoot a 
problem with these patch applications, we have the means to authenticate what 
they are using to ensure there are no counterfeits being offered to users.


sure, the text files are harmless (and small enough!) to provide them. I 
just thought that they are not really necessary. But when it's an 
requirement, then OK. And the additional ASC is an additional step of 
security verification. Also OK.



That means that only the README and library file remains.

When the README for Windows keep its length then I don't want to copy
this on the dowload webpage. ;-)

So, when we put the README for all platforms in their ZIP files then we
can just put a pointer to it on the download webpage and thats it.

[orcmid]

Yes, that seems like a fine idea.  The README can be linked the same way the 
.md5, .sha256, and .asc are linked.


Ahm, no. ;-) As the README is *inside* the ZIP file I cannot provide a 
direct link to it. But a little text hint should do the job.



Also, the README may become simpler if we can link to some of the information 
and not have so much detail in the README text itself.  It might even be useful 
to have an .html README for that matter.  But that is all extra.  Right now I 
think we want to get into the testing and see how to smooth what we have.

PS: A friend of mine is looking into the MacOSX situation.  He points out that 
one can use the Finder to do the job without users having to use Terminal 
sessions.  I don't have further information at this time.


Great, I thought this already and provided this in the (very short) 
version of the README that Kay has already committed aside the MacOSX patch.


Please, can you ask your friend to have a look if it's OK and 
sufficient? If not, please ask for some more details. Thanks!



PPS: The inclusion of scripts that do the job is also worthy of consideration, 
perhaps making it unnecessary to build executables.  I will be looking at 
finding a .bat file that works safely for the Windows case.  That can make the 
instructions much shorter :).


Yes, a script would be a great help to our Windows users. Unfortunately, 
I've no knowledge about how to do this scripting on Windows.



To cut a long story short:
I would say yes for a ZIP file for every platform.

[ ... ]


Marcus

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

RE: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Dennis E. Hamilton]

> -Original Message-
> From: Kay Schenk [mailto:kay.sch...@gmail.com]
> Sent: Friday, August 5, 2016 09:36
> To: OOo Apache <dev@openoffice.apache.org>; Dennis Hamilton
> <dennis.hamil...@acm.org>
> Subject: Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING]
> Applying openoffice-4.1.2-patch1 for Windows)
> 
> On Fri, Aug 5, 2016 at 9:28 AM, Dennis E. Hamilton
> <dennis.hamil...@acm.org>
> wrote:
> 
> > Branching off the part that is not about the Windows 4.1.2-patch1
> > [TESTING].
> >
> > > -Original Message-
> > > From: Marcus [mailto:marcus.m...@wtnet.de]
> > > Sent: Thursday, August 4, 2016 15:52
> > > To: dev@openoffice.apache.org
> > > Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> > >
> > > Am 08/05/2016 12:26 AM, schrieb Kay Schenk:
> > [ ... ]
> > > >
> > > > hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.
> > > >
> > > > Should we get started on these?
> > >
> > > it depends what we want that they should contain. The ZIP file for
> > > Windows contains a LICENSE and NOTICE file as well as an ASC file
> for
> > > the DLL. As it is only a patch IMHO we don't need to provide another
> > > LICENSE and NOTICE file which is already available in the OpenOffice
> > > installation. Also the ASC is not necessary as we provide it already
> > > (together with MD5 and SHA256) for the whole ZIP file.
> > [orcmid]
> >
> > I think there is a misunderstanding.  Two matters:
> >
> >  1. The use of LICENSE is required by the ALv2 itself, and the ASF
> > practice is to include NOTICE as well on binary distributions.  The
> patch
> > qualifies, especially when it is moved to general distribution.  It is
> also
> > easy and harmless to provide.
> >
> >  2. The reason for preserving the .asc on the shared-library binary is
> > because it authenticates with respect to who produced it and
> establishes
> > that it has not been modified as supplied in the package (or as the
> result
> > of some glitch in creation of the Zip).  It provides a level of
> > accountability and, also, auditability.
> >
> > Even though few people will check all of these, they remain possible
> to be
> > checked.  Since this is a matter of security vulnerabilities and
> involves
> > elevation of privilege to perform, I believe it is important to
> demonstrate
> > diligence and care, so that users have confidence in this procedure to
> the
> > extent they are comfortable.  Also, if it becomes necessary to
> troubleshoot
> > a problem with these patch applications, we have the means to
> authenticate
> > what they are using to ensure there are no counterfeits being offered
> to
> > users.
> > >
> > > That means that only the README and library file remains.
> > >
> > > When the README for Windows keep its length then I don't want to
> copy
> > > this on the dowload webpage. ;-)
> > >
> > > So, when we put the README for all platforms in their ZIP files then
> we
> > > can just put a pointer to it on the download webpage and thats it.
> > [orcmid]
> >
> > Yes, that seems like a fine idea.  The README can be linked the same
> way
> > the .md5, .sha256, and .asc are linked.
> >
> > Also, the README may become simpler if we can link to some of the
> > information and not have so much detail in the README text itself.  It
> > might even be useful to have an .html README for that matter.  But
> that is
> > all extra.  Right now I think we want to get into the testing and see
> how
> > to smooth what we have.
> >
> > PS: A friend of mine is looking into the MacOSX situation.  He points
> out
> > that one can use the Finder to do the job without users having to use
> > Terminal sessions.  I don't have further information at this time.
> >
> > PPS: The inclusion of scripts that do the job is also worthy of
> > consideration, perhaps making it unnecessary to build executables.  I
> will
> > be looking at finding a .bat file that works safely for the Windows
> case.
> > That can make the instructions much shorter :).
> >
> 
> ​??? I think you'd still need the executables as part of the payload. But
> batch or script files would make the "installation" easier. We should
> certainly consider this for future patches.​
[orcmid] 

Yes, for the Windows case the .bat would be inside the Zip along with the other 
material.  It 

[PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Dennis E. Hamilton]

Branching off the part that is not about the Windows 4.1.2-patch1 [TESTING].

> -Original Message-
> From: Marcus [mailto:marcus.m...@wtnet.de]
> Sent: Thursday, August 4, 2016 15:52
> To: dev@openoffice.apache.org
> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
> Am 08/05/2016 12:26 AM, schrieb Kay Schenk:
[ ... ]
> >
> > hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.
> >
> > Should we get started on these?
> 
> it depends what we want that they should contain. The ZIP file for
> Windows contains a LICENSE and NOTICE file as well as an ASC file for
> the DLL. As it is only a patch IMHO we don't need to provide another
> LICENSE and NOTICE file which is already available in the OpenOffice
> installation. Also the ASC is not necessary as we provide it already
> (together with MD5 and SHA256) for the whole ZIP file.
[orcmid] 

I think there is a misunderstanding.  Two matters:

 1. The use of LICENSE is required by the ALv2 itself, and the ASF practice is 
to include NOTICE as well on binary distributions.  The patch qualifies, 
especially when it is moved to general distribution.  It is also easy and 
harmless to provide.

 2. The reason for preserving the .asc on the shared-library binary is because 
it authenticates with respect to who produced it and establishes that it has 
not been modified as supplied in the package (or as the result of some glitch 
in creation of the Zip).  It provides a level of accountability and, also, 
auditability.

Even though few people will check all of these, they remain possible to be 
checked.  Since this is a matter of security vulnerabilities and involves 
elevation of privilege to perform, I believe it is important to demonstrate 
diligence and care, so that users have confidence in this procedure to the 
extent they are comfortable.  Also, if it becomes necessary to troubleshoot a 
problem with these patch applications, we have the means to authenticate what 
they are using to ensure there are no counterfeits being offered to users.
> 
> That means that only the README and library file remains.
> 
> When the README for Windows keep its length then I don't want to copy
> this on the dowload webpage. ;-)
> 
> So, when we put the README for all platforms in their ZIP files then we
> can just put a pointer to it on the download webpage and thats it.
[orcmid] 

Yes, that seems like a fine idea.  The README can be linked the same way the 
.md5, .sha256, and .asc are linked.

Also, the README may become simpler if we can link to some of the information 
and not have so much detail in the README text itself.  It might even be useful 
to have an .html README for that matter.  But that is all extra.  Right now I 
think we want to get into the testing and see how to smooth what we have.

PS: A friend of mine is looking into the MacOSX situation.  He points out that 
one can use the Finder to do the job without users having to use Terminal 
sessions.  I don't have further information at this time.

PPS: The inclusion of scripts that do the job is also worthy of consideration, 
perhaps making it unnecessary to build executables.  I will be looking at 
finding a .bat file that works safely for the Windows case.  That can make the 
instructions much shorter :).

> 
> To cut a long story short:
> I would say yes for a ZIP file for every platform.
[ ... ]


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [PACKAGING 4.1.2-patch1 Binaries] (was RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows)

[Kay Schenk]

On Fri, Aug 5, 2016 at 9:28 AM, Dennis E. Hamilton <dennis.hamil...@acm.org>
wrote:

> Branching off the part that is not about the Windows 4.1.2-patch1
> [TESTING].
>
> > -Original Message-
> > From: Marcus [mailto:marcus.m...@wtnet.de]
> > Sent: Thursday, August 4, 2016 15:52
> > To: dev@openoffice.apache.org
> > Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> >
> > Am 08/05/2016 12:26 AM, schrieb Kay Schenk:
> [ ... ]
> > >
> > > hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.
> > >
> > > Should we get started on these?
> >
> > it depends what we want that they should contain. The ZIP file for
> > Windows contains a LICENSE and NOTICE file as well as an ASC file for
> > the DLL. As it is only a patch IMHO we don't need to provide another
> > LICENSE and NOTICE file which is already available in the OpenOffice
> > installation. Also the ASC is not necessary as we provide it already
> > (together with MD5 and SHA256) for the whole ZIP file.
> [orcmid]
>
> I think there is a misunderstanding.  Two matters:
>
>  1. The use of LICENSE is required by the ALv2 itself, and the ASF
> practice is to include NOTICE as well on binary distributions.  The patch
> qualifies, especially when it is moved to general distribution.  It is also
> easy and harmless to provide.
>
>  2. The reason for preserving the .asc on the shared-library binary is
> because it authenticates with respect to who produced it and establishes
> that it has not been modified as supplied in the package (or as the result
> of some glitch in creation of the Zip).  It provides a level of
> accountability and, also, auditability.
>
> Even though few people will check all of these, they remain possible to be
> checked.  Since this is a matter of security vulnerabilities and involves
> elevation of privilege to perform, I believe it is important to demonstrate
> diligence and care, so that users have confidence in this procedure to the
> extent they are comfortable.  Also, if it becomes necessary to troubleshoot
> a problem with these patch applications, we have the means to authenticate
> what they are using to ensure there are no counterfeits being offered to
> users.
> >
> > That means that only the README and library file remains.
> >
> > When the README for Windows keep its length then I don't want to copy
> > this on the dowload webpage. ;-)
> >
> > So, when we put the README for all platforms in their ZIP files then we
> > can just put a pointer to it on the download webpage and thats it.
> [orcmid]
>
> Yes, that seems like a fine idea.  The README can be linked the same way
> the .md5, .sha256, and .asc are linked.
>
> Also, the README may become simpler if we can link to some of the
> information and not have so much detail in the README text itself.  It
> might even be useful to have an .html README for that matter.  But that is
> all extra.  Right now I think we want to get into the testing and see how
> to smooth what we have.
>
> PS: A friend of mine is looking into the MacOSX situation.  He points out
> that one can use the Finder to do the job without users having to use
> Terminal sessions.  I don't have further information at this time.
>
> PPS: The inclusion of scripts that do the job is also worthy of
> consideration, perhaps making it unnecessary to build executables.  I will
> be looking at finding a .bat file that works safely for the Windows case.
> That can make the instructions much shorter :).
>

​??? I think you'd still need the executables as part of the payload. But
batch or script files would make the "installation" easier. We should
certainly consider this for future patches.​

​  For this situation, we may as well go with what we've got I think.

Linux is very straightforward. I don't know anything about Macs. I do know
that the Windows varients complicate things quite a bit.​


> >
> > To cut a long story short:
> > I would say yes for a ZIP file for every platform.
> [ ... ]
>
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org
>
>


-- 
--
MzK

"Time spent with cats is never wasted."
-- Sigmund Freud

RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Dennis E. Hamilton]

For tracking the [TESTING] of the 4.1.2-patch1 binary for windows, I have 
created task Issue 127065,
<https://bz.apache.org/ooo/show_bug.cgi?id=127065>.  Comment 7 there already 
speaks to the untrusted identification situation.

I am adding an abridged version of this message from Carl with the part 
relevant to certificate trust.  Note that most of us who have worked on 
4.1.2-patch1 and provided digital signatures will find that identity will be 
reported as untrusted based on the Web-of-Trust technique PGP software uses.  
We can, of course, verify the fingerprints and Apache account identity and 
certify each other.  That will change the status for those of us in this 
particular circle but not necessarily for anyone who does not already trust the 
identification of enough of us.

I don't think there is any way to get into this in our README files.  However, 
this is useful for any future contributions we might make to the page at 
<http://www.apache.org/dev/release-signing.html> or anything supplemental that 
is oriented to the users of Apache OpenOffice and their particular range of 
skills.

> -Original Message-
> From: Carl Marcum [mailto:cmar...@apache.org]
> Sent: Friday, August 5, 2016 03:30
> To: dev@openoffice.apache.org
> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
> On 08/04/2016 06:52 PM, Marcus wrote:
> > Am 08/05/2016 12:26 AM, schrieb Kay Schenk:
> >> On 08/04/2016 02:21 PM, Marcus wrote:
[ ... ]
> >>>>* apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
> >>>
> >>> I don't know if this is OK or still bad:
> >>>
> >>> gpg --verify apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
> >>> apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
> >>> gpg: Signature made Tue 02 Aug 2016 06:24:08 AM CEST using RSA key
> ID
> >>> D456628A
> >>> gpg: Good signature from "keybase.io/orcmid (confirmed identifier)
> >>> <orc...@keybase.io>"
> >>> gpg: aka "orcmid (Dennis E.
> Hamilton)<orc...@msn.com>"
> >>> gpg: aka "orcmid Apache (code
> >>> signing)<orc...@apache.org>"
> >>> gpg: aka "Dennis E. Hamilton (orcmid)
> >>> <dennis.hamil...@acm.org>"
> >>> gpg: WARNING: This key is not certified with a trusted signature!
> >>> gpg:  There is no indication that the signature belongs to
> the
> >>> owner.
> >>
> >> I get this on sig checks also. There's probably a step we're missing
> to
> >> specify "trust" locally.
> >>
> >> See:
> >> http://www.apache.org/dev/release-signing.html
> >
> 
> signing Dennis' key locally worked for me.
> On Linux I use:
> gpg --default-key 9553BF9A --sign-key D456628A
> 
> If the key you want to sign it with is already the default key you can
> omit the "--default-key 9553BF9A" part.
> Sometimes you may have to prefix the ID's with "0x" to denote hex.
> 
> If you trust this is Dennis' key you can send his key back with your sig
> now attached and it will have more trust.
> gpg --send-key 0xD456628A
> 
> If a few people do it the warning should go away. Web-of-trust  :)
> 
> Carl
[orcmid] 

The warning will go away for us who have created a mutual Web-of-Trust but it 
won't help those who are not in that circle or have not somehow determined to 
trust in it themselves.  This is still useful advice about how to do it.

PS: I don't think the dist-level KEYS file is updated automatically, so the 
release KEYS set needs to be refreshed to work.  (We can check that by waiting 
for a while to see if Carl's trust of Dennis's key shows up.)


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Carl Marcum]

On 08/04/2016 06:52 PM, Marcus wrote:

Am 08/05/2016 12:26 AM, schrieb Kay Schenk:

On 08/04/2016 02:21 PM, Marcus wrote:

Am 08/03/2016 05:31 AM, schrieb Dennis E. Hamilton:

Testing of an Apache OpenOffice 4.1.2-patch1 procedure is requested.

The files to be used in testing are at
. 






hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.

Should we get started on these?


it depends what we want that they should contain. The ZIP file for 
Windows contains a LICENSE and NOTICE file as well as an ASC file for 
the DLL. As it is only a patch IMHO we don't need to provide another 
LICENSE and NOTICE file which is already available in the OpenOffice 
installation. Also the ASC is not necessary as we provide it already 
(together with MD5 and SHA256) for the whole ZIP file.


That means that only the README and library file remains.

When the README for Windows keep its length then I don't want to copy 
this on the dowload webpage. ;-)


So, when we put the README for all platforms in their ZIP files then 
we can just put a pointer to it on the download webpage and thats it.


To cut a long story short:
I would say yes for a ZIP file for every platform.


   * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc


I don't know if this is OK or still bad:

gpg --verify apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
gpg: Signature made Tue 02 Aug 2016 06:24:08 AM CEST using RSA key ID
D456628A
gpg: Good signature from "keybase.io/orcmid (confirmed identifier)
"
gpg: aka "orcmid (Dennis E. Hamilton)"
gpg: aka "orcmid Apache (code 
signing)"

gpg: aka "Dennis E. Hamilton (orcmid)
"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the
owner.


I get this on sig checks also. There's probably a step we're missing to
specify "trust" locally.

See:
http://www.apache.org/dev/release-signing.html




signing Dennis' key locally worked for me.
On Linux I use:
gpg --default-key 9553BF9A --sign-key D456628A

If the key you want to sign it with is already the default key you can 
omit the "--default-key 9553BF9A" part.

Sometimes you may have to prefix the ID's with "0x" to denote hex.

If you trust this is Dennis' key you can send his key back with your sig 
now attached and it will have more trust.

gpg --send-key 0xD456628A

If a few people do it the warning should go away. Web-of-trust  :)

Carl


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Kay Schenk]

On 08/04/2016 02:21 PM, Marcus wrote:
> Am 08/03/2016 05:31 AM, schrieb Dennis E. Hamilton:
>> Testing of an Apache OpenOffice 4.1.2-patch1 procedure is requested.
>>
>> The files to be used in testing are at
>> .
>>
>>

hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.

Should we get started on these?

>> The files to be tested and reviewed are
>>
>>   * README-4.1.2-patch1-apply-Windows.txt
>> The description of the procedure for applying a corrected
>> library file to installed copies of Apache OpenOffice 4.1.2
>> on Windows.  Read this first before deciding to download
>> the Zip file and attempting the procedure.
> 
> wow, really? I think I need much more time for this than an average
> evening. ;-) I'll do the README steps on Sunday.
> 
>>   * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
>> The Zip archive containing the files to be used in the
>> procedure.  There is a copy of the README within the
>> archive as well.
> 
> - I've exchanged the DLL
> - Created a new text and presentation document with simple content.
> - Both were reopened successfully.
> 
> Anything more to test?
> 
>>   * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
> 
> I don't know if this is OK or still bad:
> 
> gpg --verify apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
> apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
> gpg: Signature made Tue 02 Aug 2016 06:24:08 AM CEST using RSA key ID
> D456628A
> gpg: Good signature from "keybase.io/orcmid (confirmed identifier)
> "
> gpg: aka "orcmid (Dennis E. Hamilton) "
> gpg: aka "orcmid Apache (code signing) "
> gpg: aka "Dennis E. Hamilton (orcmid)
> "
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:  There is no indication that the signature belongs to the
> owner.

I get this on sig checks also. There's probably a step we're missing to
specify "trust" locally.

See:
http://www.apache.org/dev/release-signing.html



> 
>>   * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.md5
> 
> Windows 10 Home (Version 1511):
> I've visually compared the MD5 hashes from the ZIP and MD5 file
> --> OK
> 
> Linux:
> $ md5sum -c apache-openoffice-4.1.2-patch1.zip.md5
> --> OK
> 
>>   * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.sha256
> 
> Windows 10 Home (Version 1511):
> I've visually compared the SHA256 hashes from the ZIP and SHA256 file
> --> OK
> 
> Linux:
> $ sha256sum -c apache-openoffice-4.1.2-patch1.zip.sha256
> --> OK
> 
>> REQUESTED TESTING
>>
>>   * [OPTIONAL] If you are able to check any of the .asc,
>> .md5, and .sha256 files against the .zip, report any
>> difficulties that may have been encountered.
> 
> Please remove the new line at the end of the MD5 file. Otherwise it
> doesn't work on Linux:
> 
> md5sum -c apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.md5
> : No such file or directory.1.2-patch1-apply-Win_x86.zip
> : FAILED open or read.2-patch1-apply-Win_x86.zip
> md5sum: WARNING: 1 of 1 listed file could not be read
> 
>>   * If you performed the procedure, report
>>  * the version of Microsoft Windows and the type of
>>account used (administrator or standard user).
> 
> Windows 10 Home (Version 1511)
> Administrator
> 
>>  * report whether the procedure succeeded
> 
> Yes
> 
>>  * if the procedure failed or met with difficulties,
>>please summarize the problems and how you over-
>>came any of them
> 
> To do a quick check, I've used a shortcut:
> 
> I've used the Total Commander (started as administrator, a normal user
> cannot modify anything in the OpenOffice directory) and exchanged the DLL.
> 
>>   * [IMPORTANT] Identify any missing, incomplete or
>> confusing information in the README.  Describe what you
>> see as important improvements before making general
>> release of the procedure for use by non-expert users of
>> Apache OpenOffice on Windows.
> 
> Marcus
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org
> 

-- 

MzK

"Time spent with cats is never wasted."
   -- Sigmund Freud

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Marcus]

Am 08/03/2016 05:31 AM, schrieb Dennis E. Hamilton:

Testing of an Apache OpenOffice 4.1.2-patch1 procedure is requested.

The files to be used in testing are at
.

The files to be tested and reviewed are

  * README-4.1.2-patch1-apply-Windows.txt
The description of the procedure for applying a corrected
library file to installed copies of Apache OpenOffice 4.1.2
on Windows.  Read this first before deciding to download
the Zip file and attempting the procedure.


wow, really? I think I need much more time for this than an average 
evening. ;-) I'll do the README steps on Sunday.



  * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
The Zip archive containing the files to be used in the
procedure.  There is a copy of the README within the
archive as well.


- I've exchanged the DLL
- Created a new text and presentation document with simple content.
- Both were reopened successfully.

Anything more to test?


  * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc


I don't know if this is OK or still bad:

gpg --verify apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc 
apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
gpg: Signature made Tue 02 Aug 2016 06:24:08 AM CEST using RSA key ID 
D456628A
gpg: Good signature from "keybase.io/orcmid (confirmed identifier) 
"

gpg: aka "orcmid (Dennis E. Hamilton) "
gpg: aka "orcmid Apache (code signing) "
gpg: aka "Dennis E. Hamilton (orcmid) 
"

gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the 
owner.



  * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.md5


Windows 10 Home (Version 1511):
I've visually compared the MD5 hashes from the ZIP and MD5 file
--> OK

Linux:
$ md5sum -c apache-openoffice-4.1.2-patch1.zip.md5
--> OK


  * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.sha256


Windows 10 Home (Version 1511):
I've visually compared the SHA256 hashes from the ZIP and SHA256 file
--> OK

Linux:
$ sha256sum -c apache-openoffice-4.1.2-patch1.zip.sha256
--> OK


REQUESTED TESTING

  * [OPTIONAL] If you are able to check any of the .asc,
.md5, and .sha256 files against the .zip, report any
difficulties that may have been encountered.


Please remove the new line at the end of the MD5 file. Otherwise it 
doesn't work on Linux:


md5sum -c apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.md5
: No such file or directory.1.2-patch1-apply-Win_x86.zip
: FAILED open or read.2-patch1-apply-Win_x86.zip
md5sum: WARNING: 1 of 1 listed file could not be read


  * If you performed the procedure, report
 * the version of Microsoft Windows and the type of
   account used (administrator or standard user).


Windows 10 Home (Version 1511)
Administrator


 * report whether the procedure succeeded


Yes


 * if the procedure failed or met with difficulties,
   please summarize the problems and how you over-
   came any of them


To do a quick check, I've used a shortcut:

I've used the Total Commander (started as administrator, a normal user 
cannot modify anything in the OpenOffice directory) and exchanged the DLL.



  * [IMPORTANT] Identify any missing, incomplete or
confusing information in the README.  Describe what you
see as important improvements before making general
release of the procedure for use by non-expert users of
Apache OpenOffice on Windows.


Marcus

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Keith N. McKenna]

Dennis E. Hamilton wrote:
> 
> 
>> -Original Message- From: Keith N. McKenna
>> [mailto:keith.mcke...@comcast.net] Sent: Wednesday, August 3, 2016
>> 12:47 To: dev@openoffice.apache.org Subject: Re: [TESTING] Applying
>> openoffice-4.1.2-patch1 for Windows
>> 
>> Replies in line
>> 
>> Dennis E. Hamilton wrote:
>>> Testing of an Apache OpenOffice 4.1.2-patch1 procedure is
>>> requested.
>>> 
>>> The files to be used in testing are at 
>>> <https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
>> patch1/binaries/Windows>.
>>> 
>>> The files to be tested and reviewed are
>>> 
>>> * README-4.1.2-patch1-apply-Windows.txt The description of the 
>>> procedure for applying a corrected library file to installed
>>> copies of Apache OpenOffice 4.1.2 on Windows.  Read this first
>>> before deciding to download the Zip file and attempting the
>>> procedure.
>>> 
>>> * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip The Zip
>>> archive containing the files to be used in the procedure.  There
>>> is a copy of the README within the archive as well.
>>> 
>>> * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc * 
>>> apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.md5 * 
>>> apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.sha256 Files
>>> that provide a digital signature, an MD5 hash, and an SHA256 hash
>>> that can be used to verify the integrity of the download and, in
>>> the case of the digital signature, the authenticity and accuracy
>>> of the download.
>>> 
>>> 
>>> REQUESTED TESTING
>>> 
>>> * [OPTIONAL] If you are able to check any of the .asc, .md5, and 
>>> .sha256 files against the .zip, report any difficulties that may
>>> have been encountered.
>>> 
>> [knmc] checked the zip against all of the signatures with the
>> following results: .md5 matched .sha256 matched .asc failed with
>> error not enough information to verify signature.
>> 
> [orcmid]
> 
> Had you installed my PGP key (in the current KEYS file)?
[knmc]
I imported the entire KEYS from the link provided.
[/knmc]
> How did you download the .asc file?
I used the .asc file from the zip archive.
The problem was that your key has not been certified by anyone. I
changed the owner trust in Kleopatra for your key to require only one
certification and then certified your key with mine. Once I did that the
check passed fine.
[/knmc]
> 
> [ ... ]
>>> 

>> [knmc] In section 10 of the procedure section the line "Open the
>> folder selected in step (7)" should read "Open the folder selected
>> in step (8)"
>> 
>> On the whole I found the README difficult to follow with
>> information out of sequence and extraneous information such as not
>> accepting help from unsolicited phone calls. Not bad information,
>> just out of place in a process document. Now that I have some
>> available time I will get out my "blue pencil" and mark-up the
>> document.
> [orcmid]
> 
> Note that someone has already spell-checked the document and I will
> do so in the future.
> 
> And all suggestions are welcome.
> 
[knmc]
I have also included an odt version of the document with recorded
changes, both some spell checking changes, moving some things around,
and other suggested changes.
[/knmc]
>> 
>> One improvement for the average user would be to automate the
>> process with a .bat file that could find the proper folders and do
>> the copy and rename procedures.
> [orcmid]
> 
> Oh duhh!
> 
> Yes, there is no reason a .bat file can't be included in the package.
> With "Run as Administrator" that should also relieve the pain for
> folks on non-Administrator accounts who are able to provide/select
> administrator credentials.
> 
> I would leave the longer instructions, perhaps in an Appendix, for
> those who prefer the manual procedure or who otherwise have
> reservations/problems about running a script.
> 
[knmc]
Let me try my hand at rewriting the manual instructions. I used to write
process sheets for a living be interesting to see if my engineering
skills are still up to the task.
[/knmc]

> Something to work on over the next day or two while also gaining more
> results from the current testing.
> 
> 
>> 
>>> The goal is to provide as much as we can to assist Windows users
>>> in applying this fix with confidence and success.  The experience
>>> of more-knowledgable users who appreciate the difficulties of 
>>> non-experts is important in achieving that.
>>> 
>>> Thank you for any effort you invest and the feedback you
>>> provide.
>>> 
>>> - Dennis
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> -- Dennis E. Hamilton orc...@apache.org dennis.hamil...@acm.org 
>>> +1-206-779-9430 https://keybase.io/orcmid  PGP F96E 89FF D456
>>> 628A X.509 certs used and requested for signed e-mail
>>> 
>> 
>> 
>> 



README-4.1.2-patch1-apply-Windows.odt
Description: application/vnd.oasis.opendocument.text


signature.asc
Description: OpenPGP digital signature

RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Dennis E. Hamilton]

> -Original Message-
> From: Keith N. McKenna [mailto:keith.mcke...@comcast.net]
> Sent: Wednesday, August 3, 2016 12:47
> To: dev@openoffice.apache.org
> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
> Replies in line
> 
> Dennis E. Hamilton wrote:
> > Testing of an Apache OpenOffice 4.1.2-patch1 procedure is requested.
> >
> > The files to be used in testing are at
> > <https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-
> patch1/binaries/Windows>.
> >
> >  The files to be tested and reviewed are
> >
> > * README-4.1.2-patch1-apply-Windows.txt The description of the
> > procedure for applying a corrected library file to installed copies
> > of Apache OpenOffice 4.1.2 on Windows.  Read this first before
> > deciding to download the Zip file and attempting the procedure.
> >
> > * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip The Zip archive
> > containing the files to be used in the procedure.  There is a copy of
> > the README within the archive as well.
> >
> > * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc *
> > apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.md5 *
> > apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.sha256 Files that
> > provide a digital signature, an MD5 hash, and an SHA256 hash that can
> > be used to verify the integrity of the download and, in the case of
> > the digital signature, the authenticity and accuracy of the download.
> >
> >
> > REQUESTED TESTING
> >
> > * [OPTIONAL] If you are able to check any of the .asc, .md5, and
> > .sha256 files against the .zip, report any difficulties that may have
> > been encountered.
> >
> [knmc]
> checked the zip against all of the signatures with the following
> results:
> .md5 matched
> .sha256 matched
> .asc failed with error not enough information to verify signature.
> 
[orcmid] 

Had you installed my PGP key (in the current KEYS file)?  
How did you download the .asc file?

[ ... ]
> >
> [knmc]
> In section 10 of the procedure section the line "Open the folder
> selected in step (7)" should read "Open the folder selected in step (8)"
> 
> On the whole I found the README difficult to follow with information out
> of sequence and extraneous information such as not accepting help from
> unsolicited phone calls. Not bad information, just out of place in a
> process document. Now that I have some available time I will get out my
> "blue pencil" and mark-up the document.
[orcmid] 

Note that someone has already spell-checked the document and I will do so in 
the future.

And all suggestions are welcome.

> 
> One improvement for the average user would be to automate the process
> with a .bat file that could find the proper folders and do the copy and
> rename procedures.
[orcmid] 

Oh duhh!

Yes, there is no reason a .bat file can't be included in the package.  With 
"Run as Administrator" that should also relieve the pain for folks on 
non-Administrator accounts who are able to provide/select administrator 
credentials.

I would leave the longer instructions, perhaps in an Appendix, for those who 
prefer the manual procedure or who otherwise have reservations/problems about 
running a script.

Something to work on over the next day or two while also gaining more results 
from the current testing.


> 
> > The goal is to provide as much as we can to assist Windows users in
> > applying this fix with confidence and success.  The experience of
> > more-knowledgable users who appreciate the difficulties of
> > non-experts is important in achieving that.
> >
> > Thank you for any effort you invest and the feedback you provide.
> >
> > - Dennis
> >
> >
> >
> >
> >
> >
> > -- Dennis E. Hamilton orc...@apache.org dennis.hamil...@acm.org
> > +1-206-779-9430 https://keybase.io/orcmid  PGP F96E 89FF D456 628A
> > X.509 certs used and requested for signed e-mail
> >
> 
> 
> 



-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Keith N. McKenna]

Replies in line

Dennis E. Hamilton wrote:
> Testing of an Apache OpenOffice 4.1.2-patch1 procedure is requested.
> 
> The files to be used in testing are at 
> .
>
>  The files to be tested and reviewed are
> 
> * README-4.1.2-patch1-apply-Windows.txt The description of the
> procedure for applying a corrected library file to installed copies
> of Apache OpenOffice 4.1.2 on Windows.  Read this first before
> deciding to download the Zip file and attempting the procedure.
> 
> * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip The Zip archive
> containing the files to be used in the procedure.  There is a copy of
> the README within the archive as well.
> 
> * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc *
> apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.md5 *
> apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.sha256 Files that
> provide a digital signature, an MD5 hash, and an SHA256 hash that can
> be used to verify the integrity of the download and, in the case of
> the digital signature, the authenticity and accuracy of the download.
> 
> 
> REQUESTED TESTING
> 
> * [OPTIONAL] If you are able to check any of the .asc, .md5, and
> .sha256 files against the .zip, report any difficulties that may have
> been encountered.
> 
[knmc]
checked the zip against all of the signatures with the following results:
.md5 matched
.sha256 matched
.asc failed with error not enough information to verify signature.

> * If you performed the procedure, report * the version of Microsoft
> Windows and the type of account used (administrator or standard
> user). * report whether the procedure succeeded * if the procedure
> failed or met with difficulties, please summarize the problems and
> how you over- came any of them
> 
[knmc]
performed the procedure successfully on Windows 7 home premium 64 bit
using an administrator account.
Also performed the procedure successfully on the same system using an
standard user account. This was however tedious as most of the steps to
apply the patched .dll required entering the administrator password.

> * [IMPORTANT] Identify any missing, incomplete or confusing
> information in the README.  Describe what you see as important
> improvements before making general release of the procedure for use
> by non-expert users of Apache OpenOffice on Windows.
> 
[knmc]
In section 10 of the procedure section the line "Open the folder
selected in step (7)" should read "Open the folder selected in step (8)"

On the whole I found the README difficult to follow with information out
of sequence and extraneous information such as not accepting help from
unsolicited phone calls. Not bad information, just out of place in a
process document. Now that I have some available time I will get out my
"blue pencil" and mark-up the document.

One improvement for the average user would be to automate the process
with a .bat file that could find the proper folders and do the copy and
rename procedures.

> The goal is to provide as much as we can to assist Windows users in
> applying this fix with confidence and success.  The experience of
> more-knowledgable users who appreciate the difficulties of
> non-experts is important in achieving that.
> 
> Thank you for any effort you invest and the feedback you provide.
> 
> - Dennis
> 
> 
> 
> 
> 
> 
> -- Dennis E. Hamilton orc...@apache.org dennis.hamil...@acm.org
> +1-206-779-9430 https://keybase.io/orcmid  PGP F96E 89FF D456 628A 
> X.509 certs used and requested for signed e-mail
> 






signature.asc
Description: OpenPGP digital signature