incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <robw...@apache.org>
Subject Re: New: fake openoffice site
Date Wed, 28 Dec 2011 20:45:23 GMT
On Wed, Dec 28, 2011 at 3:34 PM, Dave Fisher <dave2wave@comcast.net> wrote:
>
> On Dec 28, 2011, at 12:18 PM, Dennis E. Hamilton wrote:
>
>> I see a number of factors related to the bug report, below:
>>
>> 1. The high search-result placement for a pay-for-download site
>> 2. The prospect that the download is not authentic
>> 3. The collection of a payment for the download
>>
>> It is unclear what appropriate actions are available.
>>
>> - Dennis
>>
>> INFORMAL THOUGHTS:
>>
>> 3. Technically, there is not much to be done about (3) beyond education and also
anything about the absence of any support in exchange for the payment.  (If the download
is unmodified or has a thin façade with all of the support links intact, it becomes a problem
in many ways for the project and peer-supporting users.)  This is what makes folks indignant,
but it is the least preventable so long as there is no misrepresentation.  And even then
... .
>>
>> 2. That is a more-worrisome concern to me.  This impacts packaging of distributions,
how they are authenticated, and what they incorporate that directs users to authentic sources
of support and also future versions.  It would seem that there are measures to be taken here,
along with branding.  I don't quite know how that might impact downstream developers of co-branded,
re-branded binary distributions (e.g., for a specific platform, with particular bundling,
etc.)  Apache branding requirements and ensuring that it is easy to honor them in a non-Apache
binary release is going to take some head-scratching.
>
> I believe the Foundation is working on digital signatures with certificates. The projects
releases will be signed and verifiable. Someone will need to discuss this with infrastructure.
>

And legacy OOo releases all came with MD5 hashes.  So in theory any
user who wanted to verify the authenticity of a package could.  In
practice, this is beyond the skill level of typical users.

And remember, anyone who has the incentive to sell fake versions of
OpenOffice has the incentive to create a fake certificate as well.

-Rob

> Regards,
> Dave
>
>> 1. Gaming SEO is something that it should be possible to combat and mitigate.  Having
the site in our hands can help there.  It is important to work it for NL pages as well as
the main get-your-free-downloads-here pages.
>>
>>
>>
>> -----Original Message-----
>> From: bugzilla@apache.org [mailto:bugzilla@apache.org]
>> Sent: Wednesday, December 28, 2011 11:42
>> To: ooo-issues@incubator.apache.org
>> Subject: DO NOT REPLY [Bug 118700] New: fake openoffice site
>>
>> https://issues.apache.org/ooo/show_bug.cgi?id=118700
>>
>>             Bug #: 118700
>>        Issue Type: DEFECT
>>           Summary: fake openoffice site
>>    Classification: Infrastructure
>>           Product: www
>>           Version: current
>>          Platform: All
>>        OS/Version: All
>>            Status: UNCONFIRMED
>>          Severity: major
>>          Priority: P5
>>         Component: openoffice.org website general issues
>>        AssignedTo: issues@openoffice.org
>>        ReportedBy: *redacted*
>>                CC: ooo-issues@incubator.apache.org
>>
>>
>> Hello there,
>> I'm writting from Spain.
>> I was trying to download OpenOffice. A search engine(Bing)gave me this address
>> http://office.version-es.com/
>> I found out it's not an official node, it charges 14€ to activate the download,
>> throug two Sms,charges 7.08€ each.
>> Don't know if you can do anything to prevent other people to be fooled or
>> whether there are more webs for other languages. It's very sad some people
>> dishonour your proyect and name through such bussines.
>> Thank you for attend my complain.
>> Snorquel
>> PS.- i'm unsure about who to this "issue".In case you are not involve in
>> solving this problems, I beg you help my message to reach someone who can do
>> something.
>>
>

Mime
View raw message