From: Rob Weir
To: "dev@openoffice.apache.org"
Date: Wed, 22 Jan 2014 11:22:36 -0500
Subject: Re: Call for Comments: Apache OpenOffice Distributor Best Practices
Content-Type: text/plain; charset=UTF-8

On Wed, Jan 22, 2014 at 11:05 AM, Donald Whytock wrote:
> On Mon, Jan 20, 2014 at 2:14 PM, Rob Weir wrote:
>
>> On Thu, Dec 5, 2013 at 9:47 AM, Rob Weir wrote:
>> > Details are here:
>> >
>> > https://blogs.apache.org/OOo/entry/call_for_comments_apache_openoffice
>> >
>>
>> It has been over a month since we put out this call for comments. You
>> can see some of them in this thread, as well as with the blog post:
>>
>> https://blogs.apache.org/OOo/entry/call_for_comments_apache_openoffice#comments
>>
>> The response was generally positive. However, the volume of responses
>> was rather low. So I do wonder whether there is a large unmet need
>> for this. For example, we have not (to my knowledge) received
>> requests for a CD on the mailing list in months now.
>>
>> Another data point: the webpage that is #1 in Google search results
>> for the query "openoffice cd" is:
>>
>> http://www.openoffice.org/distribution/cdrom/
>>
>> It receives around 7 visits per day. Any proposal we came up with
>> would be findable to users mainly through that same mechanism --
>> searching Google. Is it worth setting something up for 7 users per
>> day?
>>
>> Note: if we removed our web pages that discuss OpenOffice CDs, the
>> top link would be a vendor on Amazon.com selling an OpenOffice CD. So
>> in a sense, if we just "get out of the way", it would tend to work.
>> The risk would be if we see vendors starting to scam users.
>>
>> Next steps? If anyone really wants to have a CD distributor listing,
>> I can help. But it is not sufficiently high on my priority list to
>> carry this by myself. Someone else would need to take the lead.
>>
>> Regards,
>>
>> -Rob
>>
>
> If you want to take a "get out of the way" approach, would you nevertheless
> want to put up signature files for official releases, such that anything
> one does buy can at least be verified before it's installed?
>

I think getting our installers digitally signed is important for many
reasons. At the very least it reduces user confusion during the download
and install process.

However it won't prevent the most common kinds of abuses. We're not really
seeing people modify the AOO installer and put malware into it. What we
see is someone creating a new "installer" or "downloader" and advertising
that for users to download. This program installs the malware and then, as
the last step, it downloads and installs the original, unmodified AOO
installer.

So even if we are digitally signed, it doesn't help in this case. The
damage is already done before the real AOO installer is even launched.

One idea, and maybe this would cause users to panic more than we want to,
would be this: as the first screen of the install program have a screen
that says:

"Important: If you did not download this program from a known safe website
then you may be at risk from viruses, etc. Apache OpenOffice is free for
all users. You should not need to pay for it. If immediately before this
screen you were asked to install other software applications, or asked to
authorize payment for OpenOffice, then you may have been scammed. Read
here for more information..."

Of course, we have nothing officially against selling OpenOffice, etc. So
we would want to make it easier for a real programmer to disable this
screen in the installer. But it might have some value. But it is coming
one step too late to really prevent the problem.

Regards,

-Rob

> Might be too late at that point to get one's money back, but it could save
> the buyer some grief with his machine. And give the buyer grounds to out a
> fraudulent purveyor.
>
> Don

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org
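Don's question concerns publishing checksum or signature files so that a copy obtained from a reseller can be checked before it is run, and Rob's reply explains why a third-party "downloader" defeats that check by running before the real installer does. The script below is an added illustration, not part of this thread and not Apache OpenOffice's release tooling; it shows the user-side half of such a check: parsing a `sha256sum`-style manifest (a constructed sample, not a real release manifest), hashing the downloaded file in chunks, comparing in constant time, and treating a file that is absent from the manifest, such as a repackaged downloader, as unverifiable rather than as a plain mismatch. All file names, bytes and digests are placeholders built in a temporary directory.

```python
import hashlib
import hmac
import os
import tempfile


def parse_manifest(text):
    """Return {filename: hex_digest} from sha256sum-style lines.

    Expected line form is "<64 hex chars>  <file name>" (constructed sample
    format, matching `sha256sum` output). Blank lines and '#' comments are
    ignored; a malformed line raises ValueError instead of being skipped.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts
        try:
            int(digest, 16)
        except ValueError:
            raise ValueError(f"manifest line {lineno}: digest is not hex") from None
        # sha256sum marks binary-mode entries with a leading '*'
        entries[name.lstrip("*")] = digest.lower()
    return entries


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, manifest):
    """Return (ok, reason); ok is True only when the file's digest matches
    the manifest entry for its basename."""
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        # A repackaged "downloader" or renamed file has no entry at all; that
        # absence is itself the warning sign, so it is reported distinctly.
        return False, f"{name}: not listed in the manifest, cannot be verified"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: SHA-256 mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, f"{name}: SHA-256 matches the published manifest"


def demo():
    """Build a genuine installer, a tampered copy and an unlisted wrapper
    (all constructed placeholders) and verify each against a manifest that
    lists only the genuine file."""
    with tempfile.TemporaryDirectory() as d:
        genuine = os.path.join(d, "Apache_OpenOffice_example_install.exe")
        with open(genuine, "wb") as fh:
            fh.write(b"constructed installer bytes\n" * 1000)
        manifest = parse_manifest(f"{sha256_file(genuine)}  {os.path.basename(genuine)}\n")

        # Same file name as the genuine installer, but with altered contents.
        tampered_dir = os.path.join(d, "tampered")
        os.mkdir(tampered_dir)
        tampered = os.path.join(tampered_dir, os.path.basename(genuine))
        with open(tampered, "wb") as fh:
            fh.write(b"constructed installer bytes\n" * 999 + b"extra payload\n")

        # A third-party "downloader" that the manifest knows nothing about.
        wrapper = os.path.join(d, "OpenOffice_Downloader.exe")
        with open(wrapper, "wb") as fh:
            fh.write(b"constructed wrapper bytes\n")

        return {
            "genuine": verify_download(genuine, manifest)[0],
            "tampered": verify_download(tampered, manifest)[0],
            "wrapper": verify_download(wrapper, manifest)[0],
        }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'OK' if ok else 'REJECTED'}")
```

The manifest only proves anything if it is fetched from a source the user already trusts (or is itself signed), since whoever can substitute the installer can usually substitute an unsigned checksum file beside it; and, as Rob notes, none of this runs before a wrapper program has already executed, so the check protects the payload, not the download path.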