RE: Anti-Virus vendors warnings
Hi I don't know is that helpful information. Symantec delete that files in my case - writerfilter\qa\cppunittests\rtftok\data\pass\ sf_508f4e169fb76c80745d3541bd01b0a2-73462-minimized.rtf Virus:Trojan.Mdropper - d:\bld\deb\workdir\UnpackedTarball\icu\source\bin\ genrb.exe Virus: Suspicious.Cloud - d:\bld\deb\workdir\UnpackedTarball\nss\nss\lib\zlib\out\ example.exe Virus: Suspicious.Cloud.5 The rtf-file have excluded from the scan. When I have this follow autogen.sh setting then the exe have the virus --with-external-tar=/cygdrive/d/src/lo/externalsrc --enable-pch --disable-ccache --disable-activex --disable-atl --enable-debug --with-ant-home=/cygdrive/d/src/lo/apache-ant-1.9.4 --with-junit=/cygdrive/d/src/lo/junit-4.10.jar --with-visual-studio=2012 BUT with this autogen.sh setting NO VIRUS for exe --with-external-tar=/cygdrive/d/src/lo/externalsrc --enable-pch --disable-ccache --disable-activex --disable-atl --enable-dbgutil --with-ant-home=/cygdrive/d/src/lo/apache-ant-1.9.4 --with-junit=/cygdrive/d/src/lo/junit-4.10.jar --with-visual-studio=2012 --with-lang=de en-GB In the Release Version have this autogen.sh setting and have the Virus for exe --with-external-tar=/cygdrive/d/src/lo/externalsrc --enable-pch --disable-ccache --disable-activex --disable-atl --with-ant-home=/cygdrive/d/src/lo/apache-ant-1.9.4 --with-junit=/cygdrive/d/src/lo/junit-4.10.jar I'm not really sure why, but it works in my case. Juergen ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
Re: Anti-Virus vendors warnings
On 06/10/14 16:45, Juergen Funk Mailinglist wrote: Hi I don't know is that helpful information. Symantec delete that files in my case - writerfilter\qa\cppunittests\rtftok\data\pass\ sf_508f4e169fb76c80745d3541bd01b0a2-73462-minimized.rtf Virus:Trojan.Mdropper hi Juergen, i hope we can encrypt this one like the CVE test-cases, so it doesn't cause warnings any more. - d:\bld\deb\workdir\UnpackedTarball\icu\source\bin\ genrb.exe Virus: Suspicious.Cloud - d:\bld\deb\workdir\UnpackedTarball\nss\nss\lib\zlib\out\ example.exe Virus: Suspicious.Cloud.5 The rtf-file have excluded from the scan. those are probably not something we can work around easily; can you report and upload these files as false positive to your Anti-virus tool vendor? i mean, you are paying them for the tool, so they should fix it if it doesn't work :) When I have this follow autogen.sh setting then the exe have the virus --enable-debug BUT with this autogen.sh setting NO VIRUS for exe --enable-dbgutil so that's the random difference, perhaps it's because dbgutil uses MSVC debug runtime? fun... ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
RE: Anti-Virus vendors warnings
If it needs forensics to find out what was blocked, then the av-solution is crap My thesis is that all av-solutions are deeply flawed =) So only way is to do as already written in the buildinstructions and common sense when actually looking at the AV-solutions' reports: Disable monitoring for the build. Not only will that not break the build, but also save some cycles for actually compiling stuff instead of checking lots of intermediate files. I'd love to have some easy way of detecting any AV solution. I suspect doing something like this: http://stackoverflow.com/questions/1331887/detect-antivirus-on-windows-using -c-sharp - [nicholas ferguson] That is not a solution for 2014. In the news you can read about groups of people grabbing a ton of info from governments, companies...illegally through some transport/internet protocols. So major companies have strict rules that even a developer cannot touch their anti-virus settings. Or if they try... they get dismissed. So your solution prevents that type of developer from working with LibreOffice. ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
Re: Anti-Virus vendors warnings
On Thu, 2014-10-02 at 08:38 -0400, nicholas ferguson wrote: [nicholas ferguson] I was able to reproduce Norton killing of genrb.exe ... This will give you an example to consider a proper solution. And this highlights the gravity. genrb.exe is a major player in building even a release mode...correct? Actually, I've no idea =) looks like it's an incidental ICU tool that is compiled; whether it is actually -used- would need further investigation. Assuming it is not used (quite possible) - then not-compiling that thing is (perhaps) an easy first step to improve things. git grep genrb suggests that it's not used. Any chance you could look into that ? I assume we are re-using ICU's internal make stuff and we need to patch more bits out that are not used. then run norton antivirus against that folder It will remove genrb.exe Most interesting; so - I guess failing the don't compile it easy hack - it might be interesting to binary chop the 'virus' compiled out of the pristine ICU source ;-) perhaps we could use it as a tiny fingerprint to write a lame virus checker detector. Interesting, ATB, Michael. -- michael.me...@collabora.com , Pseudo Engineer, itinerant idiot ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
RE: Anti-Virus vendors warnings
On Thu, 2014-10-02 at 08:38 -0400, nicholas ferguson wrote: [nicholas ferguson] I was able to reproduce Norton killing of genrb.exe ... This will give you an example to consider a proper solution. And this highlights the gravity. genrb.exe is a major player in building even a release mode...correct? Actually, I've no idea =) looks like it's an incidental ICU tool that is compiled; whether it is actually -used- would need further investigation. Assuming it is not used (quite possible) - then not-compiling that thing is (perhaps) an easy first step to improve things. git grep genrb suggests that it's not used. Any chance you could look into that ? I assume we are re-using ICU's internal make stuff and we need to patch more bits out that are not used. [nicholas ferguson] Just take some time to study your system. ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
Re: Anti-Virus vendors warnings
On Thu, Oct 2, 2014 at 7:54 AM, Michael Meeks michael.me...@collabora.com wrote: On Thu, 2014-10-02 at 08:38 -0400, nicholas ferguson wrote: git grep genrb suggests that it's not used. It is built and used by icu itself to generate data resource files. cd workdir/UnpackedTarball/icu grep -R genrb * Norbert ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
Re: Anti-Virus vendors warnings
On Thu, Oct 02, 2014 at 08:38:35AM -0400, nicholas ferguson wrote: I was able to reproduce Norton killing of genrb.exe ... This will give you an example to consider a proper solution. Uh huh? Some crappy virus detector thinks that a legitimate executable created from legitimate source code contains a virus and you want _us_ to solve that? I really fail to follow the logic here... The proper solution is to disable any tools that unwarrantably break the build. D. ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
Re: Anti-Virus vendors warnings
On 01/10/14 19:55, Michael Meeks wrote: Ideally we could find a reproducer that we could check during configure and print out: You have a (typically) rubbish AV product installed - please un-install and or disable it ;-) I think this is not about AV products being rubbish. The LibreOffice source contains over 100 test documents named CVE-*, for example: sw/qa/core/data/ww8/pass/CVE-2012-4886-1.doc sw/qa/core/data/odt/pass/CVE-2012-4233-1.odt These appear to be documents which target known security vulnerabilities in LibreOffice or other software. I have experienced build failures on Windows caused by real time protection antivirus software blocking access to such files. It would seem to be quite reasonable for antivirus software to do that. ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
Re: Anti-Virus vendors warnings
On 2014-10-01 11:55 AM, Michael Meeks wrote: Wow. So I did a forensic on the env. And I discovered that Norton Antivirus was isolating state files and some executables being built by the LibreOffice build system. Most anti-virus products have a way of excluding specific folder hierarchies - I simply exclude my entire libreoffice working space and build folder from the AV. -- Noel Grandin ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
RE: Anti-Virus vendors warnings
why isn't this wiki page referenced in the readme? Isn't that wiki a page for develpers. What kind of developer in your world, doesn't build a debug version, first? We used to recommend a debug version AFAIR, but the build tree on Linux with debuginfo is 30Gb small - and with debug symbols it takes forages to link. Often it's more feasible to re-build just a single module with debuginfo. [nicholas ferguson] [nicholas ferguson] I guess its english. Recommending a debug build...is saying on wiki how to put --enable-dbgutil into the autogen.input ... and then solving that wacky issue with boost. why do you think I was asking to download a debug version. of 30G... Where is it mentioned how not to keep downloading the tar files? for 3rd party dependencies. That alone is a HUGE COST OF ENTRY...to discover how to turn that off. The automatic download saves manually downloading 70 or so individual dependencies; you can argue that it sucks (and it does) - but doing that manually sucks more =) A build for a newcomer has to be run three or four times? Why should the tar files get downloaded four times? How does a newcomer turn it off after the first download? Tor had to explain that to me. This is another HIGH COST OF ENTRY. I ask questions and I get answer that don't fit my questions. ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
Re: Anti-Virus vendors warnings
On Wed, Oct 1, 2014 at 11:55 AM, Michael Meeks michael.me...@collabora.com wrote: Dear Nicholas, On Tue, 2014-09-30 at 17:19 -0400, nicholas ferguson wrote: I duplicated their directory structure. And my build still failed. Grief; we should certainly document turning off AV more prominently. Listed quite prominently in the windows build instructions. And *any* AV-solution that blocks access should popup a corresponding message/indicator that it did so. Ideally we could find a reproducer that we could check during configure and print out: Nope, that won't help. If the user is ignoring the system's messages, why should he read ours? And checking whether virus solution xy is running probably is a surefire way to get detected as malicious beforehand so you won't be able to show that message :-) It'd be great to isolate exactly what is causing the problem, so we can save other people this suffering; I'd love to invest in that. BitDefender/Security Essentials blocks some of the CVE test-files. I assume that to be no difference here. And there's no way to have av-vendors whitelist those files, as after all they can exploit vulnerabilities in other/older software. If it needs forensics to find out what was blocked, then the av-solution is crap, or the user unwilling to look at the software's logs. On Tue, 2014-09-30 at 17:50 -0400, nicholas ferguson wrote: I think that is a bad idea. A good idea is to turn on anti virus where work is done. you can't tell developers to turn off their anti virus when working on windows. That’s crazy talk Either you disable monitoring for the build-directories, or you whitelist stuff in another way. Or use a different AV-solution. Of course false-detection in the result is another story - Symantec (Norton AV) offers a whitelisting form that I use for the official builds, so regular users don't get warning when downloading/installing the finished product. But building is a different story. I see no way to have the build free of AV-detection unless we remove all of the CVE testdocuments. In fact any AV-solution that doesn't block/break the build in a way is not tightly monitoring the system.. So only way is to do as already written in the buildinstructions and common sense when actually looking at the AV-solutions' reports: Disable monitoring for the build. Not only will that not break the build, but also save some cycles for actually compiling stuff instead of checking lots of intermediate files. Your build-account surely is not an administrative account, and not even the one you do your office work with (as the tests pop up lots of windows that would otherwise be very distracting) - so I absolutely don't see this as a huge problem. ciao Christian ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
Re: Anti-Virus vendors warnings
On Wed, Oct 01, 2014 at 08:50:50AM -0400, nicholas ferguson wrote: Where is it mentioned how not to keep downloading the tar files? for 3rd party dependencies. That alone is a HUGE COST OF ENTRY...to discover how to turn that off. The automatic download saves manually downloading 70 or so individual dependencies; you can argue that it sucks (and it does) - but doing that manually sucks more =) A build for a newcomer has to be run three or four times? Why should the tar files get downloaded four times? How does a newcomer turn it off after the first download? Tor had to explain that to me. There is no need to turn it off. The tarballs are only downloaded _once_. It has always been that way. If it does not work for you, there is something seriously wrong on your end. D. ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
Re: Anti-Virus vendors warnings
Hi Nicholas, *, On Wed, Oct 1, 2014 at 2:50 PM, nicholas ferguson nicholasfergu...@wingarch.com wrote: [...] Where is it mentioned how not to keep downloading the tar files? for 3rd party dependencies. That alone is a HUGE COST OF ENTRY...to discover how to turn that off. The automatic download saves manually downloading 70 or so individual dependencies; you can argue that it sucks (and it does) - but doing that manually sucks more =) The high cost of entry only comes because you just didn't follow the instructions on setting up a windows build system. https://wiki.documentfoundation.org/Development/Windows_Build_Dependencies Yes, you need to install some stuff. But all you have to do is to read and copy'n'paste the commands. A build for a newcomer has to be run three or four times? Why should the tar files get downloaded four times? How does a newcomer turn it off after the first download? The page suggests default parameters, amogst them is: --with-external-tar=/cygdrive/c/sources/lo-externalsrc And also: If you just go wild and delete everything from your sources again and again, then even when not using a separate directory, the files would not be redownloaded over and over. Don't blame the buildsystem or the documentation when you deliberately chose to do your own thing/actively work against it. ciao Christian ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
RE: Anti-Virus vendors warnings
http://stackoverflow.com/questions/1331887/detect-antivirus-on-windows-using-c-sharp At the end of the Windows configure; and warning hard may have helped people like Nicholas save quite a chunk of time. [nicholas ferguson] This is an example of the high cost of doing a build and development work with LibreOffie. Most developers,download the sofware. Look at the ReadME file and then proceed. when I started I had to search for something to clear up issues. I asked Michael, where's the wiki that I read for windows development. He said it was not updated, but maybe I could update it. Community, that translates, you'll have to ask us questions. So I had to ask questions to Michael and Tor. I had to work at it. That is a symptom of a high cost of entry. Instead, there should be a call to the community to update the wiki pages for developing LibreOffice on windows. Then someone like me would get and answer like..go to this wiki and follow it. The wiki would contain even FAQ about failures. Then when I ask about spinning off cppunit tests into independent apps. I know that there has been a group of people that have done that. I don't hear...oh go to this github..we have uploaded work there. I don't even hear .. go to this wiki and follow instructions and read the FAQ. What I hear instead is... yeah lots of people did that..this is their point of focus...some vague answer like that. That is a high cost of entry. I just checked the wiki page for building a release version on windows. I see it has been updated. Where is the info for a debug version? why isn't this wiki page referenced in the readme? Isn't that wiki a page for develpers. What kind of developer in your world, doesn't build a debug version, first? Where is it mentioned how not to keep downloading the tar files? for 3rd party dependencies. That alone is a HUGE COST OF ENTRY...to discover how to turn that off. ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
Re: Anti-Virus vendors warnings
On Wed, 2014-10-01 at 08:21 -0400, nicholas ferguson wrote: This is an example of the high cost of doing a build and development work with LibreOffie. Great example. Most developers,download the sofware. Look at the ReadME file and then proceed. I don't think we have a README.Windows - and that's an obvious gap; and one that you can easily close. Please do send a suitable file and I'll check it in in your name - your first commit =) the first commit is always the hardest. Instead, there should be a call to the community Sure; let me call you to get stuck into fixing this problem =) Then when I ask about spinning off cppunit tests into independent apps. I know that there has been a group of people that have done that. Why do you think a group of people have done that ? If that existed in an easy-to-share form, someone would have shared it with you. That is a high cost of entry. I don't disagree - for Windows certainly; it's a difficult platform to provide a pre-canned solution for due its proprietary nature. why isn't this wiki page referenced in the readme? Isn't that wiki a page for develpers. What kind of developer in your world, doesn't build a debug version, first? We used to recommend a debug version AFAIR, but the build tree on Linux with debuginfo is 30Gb small - and with debug symbols it takes forages to link. Often it's more feasible to re-build just a single module with debuginfo. Where is it mentioned how not to keep downloading the tar files? for 3rd party dependencies. That alone is a HUGE COST OF ENTRY...to discover how to turn that off. The automatic download saves manually downloading 70 or so individual dependencies; you can argue that it sucks (and it does) - but doing that manually sucks more =) Again - the expectation gap here seems to be focused on your hope that someone else will improve all of this for you, whereas my expectation is that if you don't do it - no-one will =) hopefully that makes you feel responsible. All the best, Michael. -- michael.me...@collabora.com , Pseudo Engineer, itinerant idiot ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
RE: Anti-Virus vendors warnings
The high cost of entry only comes because you just didn't follow the instructions on setting up a windows build system. https://wiki.documentfoundation.org/Development/Windows_Build_Dependencies So you are the one responsible for not putting up on that wiki how to build a debug version. You should do more windows dev... ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
Re: Anti-Virus vendors warnings
On Wed, 2014-10-01 at 13:15 +0200, Christian Lohmaier wrote: Listed quite prominently in the windows build instructions. Great :-) BitDefender/Security Essentials blocks some of the CVE test-files. Caolan kindly committed a fix to turn off the CVE tests on Windows by default - I think that's prolly a good option here - we get the benefit of testing them on Linux / Mac with fewer worried I think. If it needs forensics to find out what was blocked, then the av-solution is crap My thesis is that all av-solutions are deeply flawed =) So only way is to do as already written in the buildinstructions and common sense when actually looking at the AV-solutions' reports: Disable monitoring for the build. Not only will that not break the build, but also save some cycles for actually compiling stuff instead of checking lots of intermediate files. I'd love to have some easy way of detecting any AV solution. I suspect doing something like this: http://stackoverflow.com/questions/1331887/detect-antivirus-on-windows-using-c-sharp At the end of the Windows configure; and warning hard may have helped people like Nicholas save quite a chunk of time. I'll file an easy-hack ;-) ATB, Michael. -- michael.me...@collabora.com , Pseudo Engineer, itinerant idiot ___ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice