openoffice-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject Signing AOO 4.1.1 (was RE: Budapest and thereafter)
Date Tue, 09 Dec 2014 02:29:04 GMT
I don't know if this is helpful or not.  I'm not in a position to check.

Thinking out loud:

There are two cases of signatures.

 1. Digital signing of installable components, such as DLLs and such. This is also important
    but a second-order problem.

 2. Digital signing of the installer binary (the .EXE). That or shipping a signed .MSI.
    This is more important. It has to do with raising the confidence in downloads and installs
    and is of immediate benefit.

It *may* be the case that the installer binary .EXE already has room in the file for a signature
and it is simply not being used.  The properties on the binary .EXE are also not filled in
for AOO 4.1.1 en-US.  Those are the ones that show a File description, File version, Product
name, Product version, Copyright, Language, etc. 

It might be worthwhile to see if the properties and signature can be injected in the .EXE
already.  And if not, it may be possible to rebuild the .EXE, since the bits are still around.
They are what are extracted into a folder which is then used for running setup.

If feasible, this strikes me as a perfectly worthwhile exercise for slip-streaming a signed
binary of AOO 4.1.1 for Windows.  As Andrea remarks, it would also be a right-sized teething
exercise for our learning how to work through the signing process.

I'm all for starting with the least that could possibly work, even though I have no expertise
on this.

 - Dennis

-----Original Message-----
From: Andrea Pescetti [mailto:pescetti@apache.org] 
Sent: Monday, December 8, 2014 15:08
To: dev@openoffice.apache.org
Subject: Re: Budapest and thereafter.

Marcus wrote:
> On 12/08/2014 02:32 PM, Andrea Pescetti wrote:
>> We could actually do both, if you believe it makes sense:
>> - signed 4.1.1 (next Windows binaries only) by end of December
>> - 4.1.2 in January
> IMHO this doesn't make sense and would be just a waste of resources,
> when doing 2 releases in such a short time frame.
> But I would tend to do only the bigger release (4.1.2) - let's say in
> January/February. When ...

Honestly, Infra would like (and they are right) that after asking for 
years for digital signing, we actually use it. We can't put many 
obstacles in front of it. So a long list of things that we must have 
ready before that won't work. Signing Windows binaries will have to 
happen, and users will benefit from it in terms of trust in OpenOffice.

Assuming that more or less we can master the technology, distributing 
the 4.1.1 signed binaries is not a huge feat for us (it would need 
production of the new binaries and their upload to a new directory like 
"windows-signed" and defaulting to "windows-signed" in the JavaScript in 
the download page). It is far less than a release and at least it could 
show that on this (new for OpenOffice) topic we are ready.

In case I wasn't clear (and this is my fault for not summarizing the 
Budapest talks correctly) signed binaries have high priority. One way is 
to make a 4.1.2 release and sign it, and this requires going through the 
whole process (no, it can't be a Windows-only release). Another way is 
to ship a signed version of the existing 4.1.1 binaries as a "warm up" 
for the moment when this will be an integral part of the release process.

Regards,
   Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org



