RE: Tools for building and checking a release candidate

2016-09-20 Thread Dennis E. Hamilton


> -Original Message-
> From: Andrea Pescetti [mailto:pesce...@apache.org]
> Sent: Tuesday, September 20, 2016 15:59
> To: dev@openoffice.apache.org
> Subject: Re: Tools for building and checking a release candidate
> 
> Dennis E. Hamilton wrote:
> >> From: Andrea Pescetti
> >> We are signing. ... Just, we do it in a way that Windows
> >> doesn't like.
> >
> > It is not about Windows not liking the PGP signatures.  It never sees
> them.
> 
> Sure. I wrote that Windows doesn't like the way we sign (detached), not
> that it doesn't like the signatures.
> 
> > To favorably compare a procedure that requires expert users to perform
> manually seems odd to me.
> 
> Just to be clear, and I have written it multiple times:
> Windows-compatible signatures would be nice to have. On the other hand,
> this would also need significant effort; and experience shows that it is
> not a major priority for Windows users (we've received only a few
> requests about it; Mac users, on the contrary, seem to ask for it more
> often, probably because of a stricter behavior on Mac OS X).
[orcmid] 

So, there is no need to provide greater user protection because casual users 
don't [know to] ask for it?

And the Operating System doesn't complain strongly enough?  

I think this would also give us more ability to discourage unscrupulous 
producers from wrapping AOO in their own .exe for their mercantile purposes, 
something that concerns us as a project.  We fairly regularly have to request 
that users be certain that they get their downloads from mirrors that we feed.

Most of all it demonstrates care in an observable form and is an aspect of 
being trustworthy.

I agree there are activities that trump this, such as data-loss crashers, 
saved-file corruption cases, and security-vulnerability fixes. 

I think we should keep our eye on this. 

 - Dennis


> 
> Regards,
>Andrea.
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org





RE: Tools for building and checking a release candidate

2016-09-20 Thread Dennis E. Hamilton


> -Original Message-
> From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
> Sent: Tuesday, September 20, 2016 15:18
> To: dev@openoffice.apache.org
> Subject: RE: Tools for building and checking a release candidate
> 
> 
> 
> > -Original Message-
> > From: Andrea Pescetti [mailto:pesce...@apache.org]
> > Sent: Tuesday, September 20, 2016 14:37
> > To: dev@openoffice.apache.org
> > Subject: Re: Tools for building and checking a release candidate
> >
[ ... ]
> > We are signing. We always did. Just, we do it in a way that Windows
> > doesn't like. The "signed installers" discussion comes from this
> > incompatibility.
> [orcmid]
> 
> A little touch-up on the situation.
> 
> It is not about Windows not liking the PGP signatures.  It never sees
> them.
> What Windows sees are Windows-specified signatures embedded in the
> downloaded software itself (and also on the DLLs and such that are
> installed).
> 
> These are part of the file properties.  Those properties that can be
> inspected by users and, even better, operating system software.  That is
> what we don't do (although other producers of OpenOffice-lineage
> software do).
> 
> To favorably compare a procedure that requires expert users to perform
> manually seems odd to me.
[orcmid] 

PS. What the embedded signature provides to not-so-expert users is an easy way 
to check that a download from any site is signed by an authentic source.  It 
also may pacify anti-virus and browser download tools. Those messages requesting 
administrator permission to perform an install will also be more reassuring.

Although not so foolproof *after* a download has been installed, with a little 
more expertise users can also verify whether soffice.exe, etc., are also 
authentic.  That could be true even though an installer delivered 
adware/malware on the side.

> 
> > But, security-wise, we are already providing a detached
> > GPG (or PGP) signature for all files. See
> > https://www.apache.org/dev/release-signing#sign-release
> >
> > Regards,
> >Andrea.
> >
> 
> 





Re: Tools for building and checking a release candidate

2016-09-20 Thread Andrea Pescetti

Dennis E. Hamilton wrote:

From: Andrea Pescetti
We are signing. ... Just, we do it in a way that Windows
doesn't like.


It is not about Windows not liking the PGP signatures.  It never sees them.


Sure. I wrote that Windows doesn't like the way we sign (detached), not 
that it doesn't like the signatures.



To favorably compare a procedure that requires expert users to perform manually 
seems odd to me.


Just to be clear, and I have written it multiple times: 
Windows-compatible signatures would be nice to have. On the other hand, 
this would also need significant effort; and experience shows that it is 
not a major priority for Windows users (we've received only a few 
requests about it; Mac users, on the contrary, seem to ask for it more 
often, probably because of a stricter behavior on Mac OS X).


Regards,
  Andrea.




RE: Tools for building and checking a release candidate

2016-09-20 Thread Dennis E. Hamilton


> -Original Message-
> From: Andrea Pescetti [mailto:pesce...@apache.org]
> Sent: Tuesday, September 20, 2016 14:37
> To: dev@openoffice.apache.org
> Subject: Re: Tools for building and checking a release candidate
> 
> On 18/09/2016 Marcus wrote:
> > On 09/17/2016 01:00 PM, Patricia Shanahan wrote:
> >> Are there any tools to help put together an AOO release? If so, where
> >> are they?
> 
> We don't have any. But I've provided a script that I've just used for a
> test 4.1.3 build. It will find packages in a build tree (after the build
> has completed), arrange them in the appropriate directories, compute the
> hashes and sign.
> 
> It's currently located here:
> http://svn.apache.org/viewvc/openoffice/devtools/build-scripts/4.1.3/
> 
> It only works on Linux-64 but it is trivial to extend it to cover
> Linux-32, probably Mac OS X and maybe also Windows (provided one has a
> Bash environment).
> 
> > Maybe Andrea can help you as he has more experience, e.g., with
> uploads
> > to Sourceforge.
> 
> Uploads to SourceForge are trivial (just a rsync); but anyway they
> happen after the tree has already been arranged properly, so they are
> unrelated to arranging the tree.
> 
> >> Each binary needs to be signed, presumably by the person building it.
> > IMHO we haven't done any signing until now - at least not officially.
> 
> We are signing. We always did. Just, we do it in a way that Windows
> doesn't like. The "signed installers" discussion comes from this
> incompatibility. 
[orcmid] 

A little touch-up on the situation.

It is not about Windows not liking the PGP signatures.  It never sees them.
What Windows sees are Windows-specified signatures embedded in the downloaded 
software itself (and also on the DLLs and such that are installed).

These are part of the file properties.  Those properties that can be inspected 
by users and, even better, operating system software.  That is what we don't do 
(although other producers of OpenOffice-lineage software do).

To favorably compare a procedure that requires expert users to perform manually 
seems odd to me.

> But, security-wise, we are already providing a detached
> GPG (or PGP) signature for all files. See
> https://www.apache.org/dev/release-signing#sign-release
> 
> Regards,
>Andrea.
> 



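The point Dennis makes in the [orcmid] paragraphs above, and again in his PS about checking soffice.exe after installation, is that Windows never looks at a detached .asc file; it looks for a signature block embedded in the executable's own bytes. The following is an added example (not code from this thread or the Apache OpenOffice project) that locates that block by reading the Certificate Table entry of the PE optional header. The sample PE header it builds is constructed for the demonstration and is not a real installer. Finding the block only tells you the file carries an Authenticode signature; whether the signature is valid and who signed it is still decided by Windows or a tool such as signtool.

```python
"""Locate the embedded Authenticode signature block in a Windows PE file.

Added example, not code from this thread or the Apache OpenOffice project.
It reads the Certificate Table entry (data directory index 4) of the PE
optional header: a non-zero entry means a WIN_CERTIFICATE block is attached,
which is what Windows and the file-properties dialog inspect, as opposed to a
detached .asc file they never see. Presence is not validity: the signature,
its certificate chain and the file hash still have to be checked by the OS or
a tool such as signtool. The sample header built below is constructed.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Certificate Table entry
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# (NumberOfRvaAndSizes offset, data-directory offset) inside the optional header
_LAYOUT = {PE32_MAGIC: (92, 96), PE32PLUS_MAGIC: (108, 112)}


def authenticode_block(data: bytes):
    """Return (file_offset, size) of the certificate table, or None if absent.

    Raises ValueError for bytes that are not a well-formed PE header, so a
    caller can tell 'unsigned' apart from 'not even an executable'.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    opt_size = struct.unpack_from("<HHIIIHH", data, coff)[5]
    opt = coff + 20
    if opt_size < 2 or opt + opt_size > len(data):
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in _LAYOUT:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    count_off, dirs_off = _LAYOUT[magic]
    (num_dirs,) = struct.unpack_from("<I", data, opt + count_off)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None  # image declares no certificate table entry at all
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + opt_size:
        raise ValueError("data directory runs past the optional header")
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 or size == 0:
        return None
    # Unlike other directories, this entry holds a raw file offset, not an RVA.
    if offset + size > len(data):
        raise ValueError("certificate table points outside the file")
    return offset, size


def build_sample_pe(cert_size: int = 0) -> bytes:
    """Construct a minimal PE32+ header (not a runnable program), optionally
    followed by a WIN_CERTIFICATE block of cert_size (>= 8) bytes, for tests."""
    opt_size = 112 + 16 * 8                                       # PE32+ fields + 16 dirs
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    header_len = len(dos) + len(coff) + opt_size
    cert_off = header_len if cert_size else 0
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_size)
    opt = (struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * (108 - 2)
           + struct.pack("<I", 16) + bytes(dirs))
    cert = b""
    if cert_size:
        # WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS#7)
        cert = struct.pack("<IHH", cert_size, 0x0200, 0x0002) + b"\0" * (cert_size - 8)
    return dos + coff + opt + cert


if __name__ == "__main__":
    for n in (0, 64):
        print("cert bytes:", n, "->", authenticode_block(build_sample_pe(n)))
```

Run against a real installer with `authenticode_block(open("installer.exe", "rb").read())`; a `None` result is the state this thread describes for the project's own Windows builds, while a `(offset, size)` result only says a block exists. The bytes covered by that block are excluded from the Authenticode hash, which is why a downloader that appends junk to the file can still leave the signature valid, and why the OS-level chain check rather than mere presence is what a user should rely on.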


Re: Tools for building and checking a release candidate

2016-09-20 Thread Patricia Shanahan

On 9/20/2016 2:37 PM, Andrea Pescetti wrote:

On 18/09/2016 Marcus wrote:

On 09/17/2016 01:00 PM, Patricia Shanahan wrote:

Are there any tools to help put together an AOO release? If so, where
are they?


We don't have any. But I've provided a script that I've just used for a
test 4.1.3 build. It will find packages in a build tree (after the build
has completed), arrange them in the appropriate directories, compute the
hashes and sign.

It's currently located here:
http://svn.apache.org/viewvc/openoffice/devtools/build-scripts/4.1.3/

It only works on Linux-64 but it is trivial to extend it to cover
Linux-32, probably Mac OS X and maybe also Windows (provided one has a
Bash environment).


Cygwin provides a bash environment. I was asking because I was thinking 
of writing a similar script, but did not want to reinvent the wheel.
Maybe Andrea can help you as he has more experience, e.g., with uploads
to Sourceforge.


Uploads to SourceForge are trivial (just a rsync); but anyway they
happen after the tree has already been arranged properly, so they are
unrelated to arranging the tree.


Each binary needs to be signed, presumably by the person building it.

IMHO we haven't done any signing until now - at least not officially.


We are signing. We always did. Just, we do it in a way that Windows
doesn't like. The "signed installers" discussion comes from this
incompatibility. But, security-wise, we are already providing a detached
GPG (or PGP) signature for all files. See
https://www.apache.org/dev/release-signing#sign-release

Regards,
  Andrea.







Re: Tools for building and checking a release candidate

2016-09-20 Thread Andrea Pescetti

On 18/09/2016 Marcus wrote:

On 09/17/2016 01:00 PM, Patricia Shanahan wrote:

Are there any tools to help put together an AOO release? If so, where
are they?


We don't have any. But I've provided a script that I've just used for a 
test 4.1.3 build. It will find packages in a build tree (after the build 
has completed), arrange them in the appropriate directories, compute the 
hashes and sign.


It's currently located here:
http://svn.apache.org/viewvc/openoffice/devtools/build-scripts/4.1.3/

It only works on Linux-64 but it is trivial to extend it to cover 
Linux-32, probably Mac OS X and maybe also Windows (provided one has a 
Bash environment).



Maybe Andrea can help you as he has more experience, e.g., with uploads
to Sourceforge.


Uploads to SourceForge are trivial (just a rsync); but anyway they 
happen after the tree has already been arranged properly, so they are 
unrelated to arranging the tree.



Each binary needs to be signed, presumably by the person building it.

IMHO we haven't done any signing until now - at least not officially.


We are signing. We always did. Just, we do it in a way that Windows 
doesn't like. The "signed installers" discussion comes from this 
incompatibility. But, security-wise, we are already providing a detached 
GPG (or PGP) signature for all files. See

https://www.apache.org/dev/release-signing#sign-release

Regards,
  Andrea.




Re: Tools for building and checking a release candidate

2016-09-18 Thread Marcus

On 09/17/2016 01:00 PM, Patricia Shanahan wrote:

Are there any tools to help put together an AOO release? If so, where
are they?

In particular, the binaries for each language for e.g. Windows will
result from a build in a Windows environment. The release candidate
groups the binaries by language, a transposition of the build matrix.


Can you tell us a bit more what your problem is and what you expect? 
Maybe Andrea can help you as he has more experience, e.g., with uploads 
to Sourceforge.



Each binary needs to be signed, presumably by the person building it.


IMHO we haven't done any signing until now - at least not officially. 
Maybe there were tests but I haven't heard about detailed results.


Marcus





Tools for building and checking a release candidate

2016-09-17 Thread Patricia Shanahan
Are there any tools to help put together an AOO release? If so, where 
are they?


In particular, the binaries for each language for e.g. Windows will 
result from a build in a Windows environment. The release candidate 
groups the binaries by language, a transposition of the build matrix.


Each binary needs to be signed, presumably by the person building it.
