Re: Reporting broken download link
Hello My two cents... On such download problems, we never have answer to this: - does the downloaded file have the correct checksum ? This is not easy to check for an ordinary user, but Elizabeth Morgan should be able to do it. If the checksum is incorrect, then it is indeed a problem. Since Roberto knows the suspect mirrors, he could verify if these mirrors do indeed store compromised files, by testing their checksum. I would not be surprised if the mirror files were found correct. My idea is that Chrome flags a file as suspect, not because of the file content, but as a result of statistical data about similar file names retrieved from SourceForge or other sites. We know that SourceForge advertising contents sometimes provide (or provided) malicious files pretending to be OpenOffice. Bernard Message de Louis Suárez-Potts date 2014-12-09 23:50 : On 09 Dec2014, at 17:41, Roberto Galoppini roberto.galopp...@gmail.com wrote: 2014-12-09 21:23 GMT+01:00 Rory O'Farrell ofarr...@iol.ie: On Tue, 9 Dec 2014 15:14:24 -0500 Louis Suárez-Potts lui...@gmail.com wrote: Hi On 09 Dec2014, at 15:11, Rory O'Farrell ofarr...@iol.ie wrote: On Tue, 09 Dec 2014 13:48:44 -0600 Elizabeth Morgan elizabethallynmor...@gmail.com wrote: UPDATE: It's my entire development team that's encountering the issue at the moment -- we're having to refit a good number of computers, and all of them are detecting it as malicious after downloading from Sourceforge via official link from openoffice.org Remember that you can check the download for integrity by the methods described in http://www.openoffice.org/download/checksums.html Your team only need one download for each O/S. They can move it about on USB key or DVD or network. I think Elizabeth’s point is that there is something amiss with the linkage from OpenOffice to SF to users. The problem, reading her post, could lie with SF. But my guess is that Elizabeth is more than competent to file an issue describing more precisely the problem so that we can resolve it. I can certainly confirm, from many reports on the Forum, that Chrome is identifying SourceForge OO files on the automatic download as malicious. The same reports suggest that the direct download link gives the same files without triggering any malicious file warning from Chrome. We are trying to talk to Google to better understand what's going on, in the meantime we excluded all the blacklisted OpenOffice mirror URLs from the selection used when users download. When downloading OO now, you should get the file without any warning. This is only a short-term solution but should help for the time being. We hope to learn soon more about the actual google chrome policies and why those are tagging as malicious few open source projects out there. Roberto Thanks, Roberto, for the explanation. Perhaps an issue that reflects the ongoing discussion would help with Elizabeth’s situation and also others? (And the parallel discussion on signing downloads is probably not entirely irrelevant?) (BTW, I use Google Chrome Canary on OS X 10.2—a dev. editions, for both—and every now and then there are misreadings of a code’s legitimacy. Happens.) louis louis On 12/9/2014 1:37 PM, Marcus wrote: Am 12/09/2014 04:29 PM, schrieb Elizabeth Morgan: Not technically broken per say in the notion of won't actually connect to the .exe file, but Chrome keeps registering all of the Open Office downloads as malicious. Even past versions. please make sure that you download only from the official source: http://www.openoffice.org/download/ which will offer you the binaries from Sourceforge.net. They are hosting the installation files for us. Currently we haven't heard from other users about this problem. So, I think for the moment that it's a reason that doesn't lay within the Apache OpenOffice project. E.g., does Chrome search in a public place for malicious domains? If yes, maybe this place is not up-to-date or not working or something else. Marcus - - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: Reporting broken download link
2014-12-11 9:17 GMT+01:00 Bernard Marcelly marce...@club-internet.fr: Hello My two cents... On such download problems, we never have answer to this: - does the downloaded file have the correct checksum ? This is not easy to check for an ordinary user, but Elizabeth Morgan should be able to do it. If the checksum is incorrect, then it is indeed a problem. Since Roberto knows the suspect mirrors, he could verify if these mirrors do indeed store compromised files, by testing their checksum. I would not be surprised if the mirror files were found correct. Files are correct. Of course some mirrors are more popular (download-wise) than others. My idea is that Chrome flags a file as suspect, not because of the file content, but as a result of statistical data about similar file names retrieved from SourceForge or other sites. We know that SourceForge advertising contents sometimes provide (or provided) malicious files pretending to be OpenOffice. We have been investigating the issue in all possible ways, and while the final word is up to Google. Having said that, Apache OpenOffice is just one of the few projects affected. Projects like FreeCAD are also experiencing the very same problem and I believe those are not a target for malicious variations. If you search for google chrome download problems you'll see this is a pretty big issue. As per my previous mail, we're trying to connect with Google folks using all possible channels, hope to be able to talk to them within this week. Roberto Bernard Message de Louis Suárez-Potts date 2014-12-09 23:50 : On 09 Dec2014, at 17:41, Roberto Galoppini roberto.galopp...@gmail.com wrote: 2014-12-09 21:23 GMT+01:00 Rory O'Farrell ofarr...@iol.ie: On Tue, 9 Dec 2014 15:14:24 -0500 Louis Suárez-Potts lui...@gmail.com wrote: Hi On 09 Dec2014, at 15:11, Rory O'Farrell ofarr...@iol.ie wrote: On Tue, 09 Dec 2014 13:48:44 -0600 Elizabeth Morgan elizabethallynmor...@gmail.com wrote: UPDATE: It's my entire development team that's encountering the issue at the moment -- we're having to refit a good number of computers, and all of them are detecting it as malicious after downloading from Sourceforge via official link from openoffice.org Remember that you can check the download for integrity by the methods described in http://www.openoffice.org/download/checksums.html Your team only need one download for each O/S. They can move it about on USB key or DVD or network. I think Elizabeth’s point is that there is something amiss with the linkage from OpenOffice to SF to users. The problem, reading her post, could lie with SF. But my guess is that Elizabeth is more than competent to file an issue describing more precisely the problem so that we can resolve it. I can certainly confirm, from many reports on the Forum, that Chrome is identifying SourceForge OO files on the automatic download as malicious. The same reports suggest that the direct download link gives the same files without triggering any malicious file warning from Chrome. We are trying to talk to Google to better understand what's going on, in the meantime we excluded all the blacklisted OpenOffice mirror URLs from the selection used when users download. When downloading OO now, you should get the file without any warning. This is only a short-term solution but should help for the time being. We hope to learn soon more about the actual google chrome policies and why those are tagging as malicious few open source projects out there. Roberto Thanks, Roberto, for the explanation. Perhaps an issue that reflects the ongoing discussion would help with Elizabeth’s situation and also others? (And the parallel discussion on signing downloads is probably not entirely irrelevant?) (BTW, I use Google Chrome Canary on OS X 10.2—a dev. editions, for both—and every now and then there are misreadings of a code’s legitimacy. Happens.) louis louis On 12/9/2014 1:37 PM, Marcus wrote: Am 12/09/2014 04:29 PM, schrieb Elizabeth Morgan: Not technically broken per say in the notion of won't actually connect to the .exe file, but Chrome keeps registering all of the Open Office downloads as malicious. Even past versions. please make sure that you download only from the official source: http://www.openoffice.org/download/ which will offer you the binaries from Sourceforge.net. They are hosting the installation files for us. Currently we haven't heard from other users about this problem. So, I think for the moment that it's a reason that doesn't lay within the Apache OpenOffice project. E.g., does Chrome search in a public place for malicious domains? If yes, maybe this place is not up-to-date or not working or something else. Marcus - - To unsubscribe, e-mail:
Re: SourceForge and commercial ads - continued
Just realised I forgot to mention we have removed that in the very same day. Thanks for heads up. Roberto 2014-12-09 15:44 GMT+01:00 FR web forum ooofo...@free.fr: See today: http://hpics.li/5e52083 This ad go to h**p://maribiz.net - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: Java 32
Marcus wrote: Of course I can change it in the code with a commit. However, I'm not able to create a build to check myself to see if my fix is good or produces an ugly build breaker. I'm not yet so far to build AOO from scratch myself. I wanted to try this for the quite days at this years end. Any tips? My suggestion (can be executed as a team, not necessarily by one person): 1. Find a proper wording for http://www.openoffice.org/download/common/java.html 2. Create a link www.openoffice.org/java pointing at it 3. Find a short (short!) text for the dialog box, sending the people to www.openoffice.org/java for any details (including 32 and 64-bit systems); I don't know if links are supported, but the short URL at 2 should take care of it 4. Place #3 in form of a patch in Bugzilla and send the number here (and if the patch comes from someone who is not one of the usual code committers, even better) 5. At that point it will be easy for people who have their own build tree to check the patch before we get it in, so don't worry about this. Regards, Andrea. - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: Java 32
Am 11.12.2014 um 09:49 schrieb Andrea Pescetti: Marcus wrote: Of course I can change it in the code with a commit. However, I'm not able to create a build to check myself to see if my fix is good or produces an ugly build breaker. I'm not yet so far to build AOO from scratch myself. I wanted to try this for the quite days at this years end. Any tips? My suggestion (can be executed as a team, not necessarily by one person): 1. Find a proper wording for http://www.openoffice.org/download/common/java.html More detailed info is needed to overthrow the common prejudice that OpenOffice relies heavily on Java which is not even true for the Base component. A Java runtime environment (JRE) is required to use the following functionality: *Wizards*, namely: menu:FileWizardLetter... menu:FileWizardFax... menu:FileWizardAgenda... menu:FileWizardWeb Page... *Macros* JavaScript and BeanShell macros require Java The dialog menu:ToolsMacrosRun... can't be used. Without Java you can still use menu:ToolsMacrosOrganize... to run Python and Basic macros. https://issues.apache.org/ooo/show_bug.cgi?id=86541 *Extensions* Extensions coded in Java Finding keywords in the F1 help depends on Java. *Database access* All Base wizards are coded in Java. The embedded HSQLDB and any other JDBC connetion requires Java. Contrary to the current text stating that Base depends entirely on Java, most of the Base component is functional without Java. You can query and mail merge any kind of non-Java database and you can create fully functional input forms manually without the questionable help of the form wizard. You can even create a new database without Java. This results in a (less functionable) dBase directory. *Required JRE* when needing any of the above features: Any recent version of Java 7 or 8 Windwos: 32 bit JRE in any case since OpenOffice for Windows is a 32 bit application Mac: 64 bit JRE for all recent versions of OpenOffice since all recent versions for the Mac are 64 bit versions. Linux: 32 or 64 bit JRE according to the bitness of OpenOffice which should be the same as the system bitness. 2. Create a link www.openoffice.org/java pointing at it 3. Find a short (short!) text for the dialog box, sending the people to www.openoffice.org/java for any details (including 32 and 64-bit systems); I don't know if links are supported, but the short URL at 2 should take care of it This would be very easy if the dialog box would not show inadequate JREs. If it would list only the JREs with correct bitness, the list of JREs could have a slightly modified label with a 32 or 64 bit prefix like this: 32|64 bit Java runtime environments (JRE) already installed: I strongly suggest to fix the list content first. Showing the right label text with wrong options does not help much. 4. Place #3 in form of a patch in Bugzilla and send the number here (and if the patch comes from someone who is not one of the usual code committers, even better) 5. At that point it will be easy for people who have their own build tree to check the patch before we get it in, so don't worry about this. Regards, Andrea. - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Reporting broken download link
I tried to download open office 4.11. My Office writer will not work because it cannot find swriter.exe. Please advise. Murray R. Miller murray1...@hotmail.com
Re: Reporting broken download link
On Thu, 11 Dec 2014 10:25:54 -0500 Murray Miller murray1...@hotmail.com wrote: I tried to download open office 4.11. My Office writer will not work because it cannot find swriter.exe. Please advise. Murray R. Miller murray1...@hotmail.com SourceForge servers, where the files are stored, were offline - I suggest you try downloading again. -- Rory O'Farrell ofarr...@iol.ie - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
RE: Java 32
+1 to Andreas. Sounds like a plan. There seems to be some disagreement on what (3), the dialog message, should be. It is likely that should be agreed first, since (1) will depend on it. That there are only possible mismatches on x64 Windows/Mac operating systems (or any others that run both x86 and x64 binaries) needs to be clear. Not in the message. I don't see making the message even more complicated about lore that will be even more confusing to casual users. For (1), the java.html page, I think we can address the concern by Andreas Säger by keeping the java.html page simple and providing progressive disclosure of specific details on supplementary pages if necessary. That means more page-translation work, so I suggest that java.html be kept straightforward and as simple as possible (but no simpler, of course, and definitely accurate) first. - Dennis -Original Message- From: Andrea Pescetti [mailto:pesce...@apache.org] Sent: Thursday, December 11, 2014 00:49 To: dev@openoffice.apache.org Subject: Re: Java 32 [ ... ] My suggestion (can be executed as a team, not necessarily by one person): 1. Find a proper wording for http://www.openoffice.org/download/common/java.html 2. Create a link www.openoffice.org/java pointing at it 3. Find a short (short!) text for the dialog box, sending the people to www.openoffice.org/java for any details (including 32 and 64-bit systems); I don't know if links are supported, but the short URL at 2 should take care of it 4. Place #3 in form of a patch in Bugzilla and send the number here (and if the patch comes from someone who is not one of the usual code committers, even better) 5. At that point it will be easy for people who have their own build tree to check the patch before we get it in, so don't worry about this. Regards, Andrea. - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
[INFRA] can''t access our buildbot config file
All AOO committers should have access to our buildbot config file -- https://svn.apache.org/repos/infra/infrastructure/buildbot/aegis/buildmaster/master1/projects/openofficeorg.conf and I did until the svn issues recently. Could someone else confirm this problem before I report it? Thanks. -- - MzK There's a bit of magic in everything, and some loss to even things out. -- Lou Reed - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: [INFRA] can''t access our buildbot config file
Am 12/11/2014 08:11 PM, schrieb Kay Schenk: All AOO committers should have access to our buildbot config file -- https://svn.apache.org/repos/infra/infrastructure/buildbot/aegis/buildmaster/master1/projects/openofficeorg.conf and I did until the svn issues recently. Could someone else confirm this problem before I report it? when clicking on the link I need to login but then I get the file listed. Because it's in the Infra repo I think I've just read-only permissions. HTH Marcus - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
RE: [INFRA] can''t access our buildbot config file
I was able to see it in my browser (IE11 on Windows 8.1) after logging in with my committer ID and password. That got me read access. I didn't try checking it out in SVN. -Original Message- From: Kay Schenk [mailto:kay.sch...@gmail.com] Sent: Thursday, December 11, 2014 11:11 To: OOo Apache Subject: [INFRA] can''t access our buildbot config file All AOO committers should have access to our buildbot config file -- https://svn.apache.org/repos/infra/infrastructure/buildbot/aegis/buildmaster/master1/projects/openofficeorg.conf and I did until the svn issues recently. Could someone else confirm this problem before I report it? Thanks. -- - MzK There's a bit of magic in everything, and some loss to even things out. -- Lou Reed - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: Java 32
Am 12/11/2014 04:58 PM, schrieb Dennis E. Hamilton: +1 to Andreas. Sounds like a plan. There seems to be some disagreement on what (3), the dialog message, should be. It is likely that should be agreed first, since (1) will depend on it. That there are only possible mismatches on x64 Windows/Mac operating systems (or any others that run both x86 and x64 binaries) needs to be clear. Not in the message. I don't see making the message even more complicated about lore that will be even more confusing to casual users. For (1), the java.html page, I think we can address the concern by Andreas Säger by keeping the java.html page simple and providing progressive disclosure of specific details on supplementary pages if necessary. That means more page-translation work, so I suggest that java.html be kept straightforward and as simple as possible (but no simpler, of course, and definitely accurate) first. OK, then first a developer has to sort this out before we can go on. For me it's fine. Marcus -Original Message- From: Andrea Pescetti [mailto:pesce...@apache.org] Sent: Thursday, December 11, 2014 00:49 To: dev@openoffice.apache.org Subject: Re: Java 32 [ ... ] My suggestion (can be executed as a team, not necessarily by one person): 1. Find a proper wording for http://www.openoffice.org/download/common/java.html 2. Create a link www.openoffice.org/java pointing at it 3. Find a short (short!) text for the dialog box, sending the people to www.openoffice.org/java for any details (including 32 and 64-bit systems); I don't know if links are supported, but the short URL at 2 should take care of it 4. Place #3 in form of a patch in Bugzilla and send the number here (and if the patch comes from someone who is not one of the usual code committers, even better) 5. At that point it will be easy for people who have their own build tree to check the patch before we get it in, so don't worry about this. - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: [INFRA] can''t access our buildbot config file
On 12/11/2014 11:59 AM, Dennis E. Hamilton wrote: I was able to see it in my browser (IE11 on Windows 8.1) after logging in with my committer ID and password. That got me read access. I didn't try checking it out in SVN. -Original Message- From: Kay Schenk [mailto:kay.sch...@gmail.com] Sent: Thursday, December 11, 2014 11:11 To: OOo Apache Subject: [INFRA] can''t access our buildbot config file All AOO committers should have access to our buildbot config file -- https://svn.apache.org/repos/infra/infrastructure/buildbot/aegis/buildmaster/master1/projects/openofficeorg.conf and I did until the svn issues recently. Could someone else confirm this problem before I report it? Thanks. Thanks. I seem to have been disallowed even to connect for some reason. :( OK, I'll look further. -- - MzK There's a bit of magic in everything, and some loss to even things out. -- Lou Reed - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org