flex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bertrand Delacretaz <bdelacre...@apache.org>
Subject Re: [VOTE] Release InstallApacheFlex 1.0 - RC5
Date Mon, 24 Sep 2012 15:57:07 GMT

On Monday, September 17, 2012, Om wrote:

> ...The source distributions for Windows and Mac are available here:
> http://people.apache.org/~bigosmallm/installapacheflex_RC5/ ...

The release archive looks good to me, but I have one issue about the
installer use case - sorry that I didn't notice that earlier (and if I'm
correct I'm surprised that nobody brought that up).

IIUC the installer downloads a number of files (listed
in installer/src/sdk-installer-config.xml) and installs them on the user's

Does it make the user aware that that's happening? IMO there should be a
confirmation somewhere, where the user is given the option of either

a) Reviewing the list of files that are going to be downloaded, and
accepting or rejecting the whole thing

b) Say "I don't care, go ahead".

My concern is that in terms of quality and security, we don't want Apache
software to mess with people's systems without letting them know beforehand.

Another thing in the README: "This hash is compared with the hash from the
Apache Flex SDK release site -  If they match, we verify that the
downloaded binary file is a valid Apache release...". Binaries are not
Apache releases, so you shouldn't say that. I'd change it to something like
"the md5 digest of the downloaded file is compared with one obtained from
the apache.org website, and the installer aborts if they don't match".


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message