Subject: Re: Symantec WS.Reputation.1 Errors: What we can do
From: Dave Fisher
Date: Fri, 2 Mar 2012 10:15:23 -0800
To: ooo-dev@incubator.apache.org

On Mar 2, 2012, at 9:52 AM, Rob Weir wrote:

> On Fri, Mar 2, 2012 at 12:25 PM, Dave Fisher wrote:
>>
>> On Mar 2, 2012, at 7:00 AM, Rob Weir wrote:
>>
>>> Several testers have mentioned this anti-virus error when installing
>>> the AOO 3.4 dev snapshot build. This is not a virus.
>>> "WS.Reputation" errors come from Symantec Antivirus based on their
>>> "reputation-based" threat assessments. Essentially, they evaluate
>>> software that you are about to install according to a range of
>>> factors, including how new the file is, how many other people have
>>> installed it, whether the installer is digitally signed, etc. It is
>>> not just one factor, but a proprietary mix of weighted factors.
>>>
>>> We're probably getting penalized based on several of these factors.
>>> Note that with the final AOO 3.4 release we'll be in the same
>>> position, since that installer will also be new, etc.
>>>
>>> A few things we should consider doing:
>>>
>>> 1) Make sure the readme file and install instructions cover this case
>>> and explain what the user should do, e.g. "Run anyways"
>>>
>>> 2) We can make a request to Symantec to "whitelist" our installer.
>>> This takes a couple of weeks for them to process. And we can't start
>>> this work in advance since they need the SHA-256 hash of our
>>> installer:
>>>
>>> https://submit.symantec.com/whitelist/isv/
>>>
>>> 3) We could digitally sign our Windows installers. Apache already
>>> requires a detached signature. But Symantec has no idea about these.
>>> We need traditional Windows exe code signing. This will help us with
>>> Windows 8 as well. So it is something we probably want to look into
>>> at some point.
>>
>> This is likely to be a release requirement. Remember all artifacts in an Apache Release must be signed and installers are artifacts. (This touches your discussion on the other thread about what is AOO, what is powered by, and what is "White Label")
>>
>
> Right. But all that is required are *detached* signatures. These are
> fine for human verification, but they don't help in this case.
>
>> I believe that signing process is being worked on elsewhere in the foundation in a way that can make this an easy part of the release process. I've a little experience with signing installers a few years ago, but I won't have many cycles for it for a few weeks. I'll look in my ML archives and ask the question on the appropriate Incubator ML about our participation in these tests.
>>
>
> With the current approach, it is based on "web of trust". So Release
> Manager, and other PMC members verify and sign. But normal code
> signing on Windows is more hierarchical, and based on a trusted root
> CA, etc. Is the plan to have each PMC have its own signing cert? In
> this case the IPMC?

I'll need to confirm the status with Infrastructure, but I think that an ASF-wide certificate was being considered. There was a lot of debate and it is hard to know without follow-up what happened. I'll ask now.

Regards,
Dave

>
> -Rob
>
>> Regards,
>> Dave
>>
>>>
>>> My recommendation:
>>>
>>> Plan on doing 1. Do 2. as soon as we have a release. Look into 3. for AOO 4.0.
>>>
>>> Regards,
>>>
>>> -Rob
>>
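The thread contrasts two things that both get called "signing": the detached GPG signature (a separate `.asc` file) that Apache requires for release artifacts, and the Authenticode signature embedded in the Windows installer itself, which is what a reputation engine or Windows 8 SmartScreen actually inspects. The script below is an added example, not code from the original thread or from the AOO project. It computes the SHA-256 an ISV whitelist form asks for and checks whether a PE installer carries an embedded certificate table (the security data directory, index 4). It builds a constructed toy PE32 header inline instead of reading a real installer; the payload bytes and the `build_minimal_pe` helper are assumptions for the demonstration only.

```python
import hashlib
import struct

# IMAGE_DIRECTORY_ENTRY_SECURITY: the data directory that points at the
# WIN_CERTIFICATE table holding an Authenticode signature.
SECURITY_DIRECTORY_INDEX = 4


def sha256_hex(data: bytes) -> str:
    """Digest of the file as shipped; this is the value a whitelist form asks for.
    A detached .asc signature lives in a separate file and does not change it."""
    return hashlib.sha256(data).hexdigest()


def authenticode_entry(data: bytes):
    """Return (file_offset, size) of the embedded certificate table, or None
    when the PE file carries no Authenticode signature.
    Raises ValueError if the bytes are not a PE image at all."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = pe_off + 4                                        # COFF header, 20 bytes
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32: data directories start 96 bytes in
        dir_base = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start 112 bytes in
        dir_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = dir_base + SECURITY_DIRECTORY_INDEX * 8
    if entry + 8 > opt + opt_size:
        return None           # optional header too short to hold a security directory
    # Unlike other directories this entry holds a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, entry)
    if off == 0 or size == 0:
        return None
    return off, size


def assess_installer(data: bytes) -> dict:
    """What a release checklist would record for one Windows installer."""
    return {"sha256": sha256_hex(data), "authenticode": authenticode_entry(data) is not None}


def build_minimal_pe(signed: bool) -> bytes:
    """Construct a toy PE32 image (header only, not a runnable executable) that is
    just large enough to exercise the parser above. Assumption for this example."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)      # 64-byte DOS header
    opt_size = 224                                                     # PE32 with all 16 directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    header_len = pe_off + 4 + len(coff) + opt_size                     # certificate table goes right after
    cert_table = b""
    if signed:
        # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=0x0002 (PKCS#7 SignedData),
        # followed by the signed data. A constructed placeholder stands in for real PKCS#7 bytes.
        payload = b"CONSTRUCTED-PKCS7-PLACEHOLDER"
        cert_table = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
        struct.pack_into("<II", opt, 96 + SECURITY_DIRECTORY_INDEX * 8, header_len, len(cert_table))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_table


if __name__ == "__main__":
    for label, image in (("unsigned", build_minimal_pe(False)), ("signed", build_minimal_pe(True))):
        print(label, assess_installer(image))
```

Running the script shows the two installers hash differently and only the second reports `authenticode: True`; the same parser applied to a real `.exe` tells you, before you submit a hash for whitelisting, whether the file contains the embedded signature a reputation engine credits, independent of whether a detached `.asc` exists beside it.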