+1 (non-binding [;<) on PMC approval of any slip-stream.

I don't understand why full rebuilds are required.  The only crucial file that 
needs signing is the .exe that is downloaded and extracts the actual setup 
files.  All it does is extract a number of fixed files and then run the 
extracted setup.exe.  

If a signed version of that .exe can be created, using the existing setups 
delivered with the current 4.1.1 .exe files, there is nothing else to do.  It 
has to be done once for each language, but that's it.  No full rebuilds, no new 
dates on files.  The extracted setups would be binary identical to each of the 
current ones for 4.1.1, so it is easy to verify that the signed .exe does not 
deliver anything but the already reviewed installs.  

That might be unworkable, but it is definitely worth seeing if it is possible 
rather than going through a full-up set of build processes.

 - Dennis

PS: Rob's analysis is very useful to keep in mind as we look at other ways to 
increase confidence in the AOO binaries and the AOO site as preferable for 
those downloads.  I think grabbing the low-hanging fruit and getting something 
simple through the process is also desirable, especially since we are starting 
from zero using the signing process.
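A concrete way to do the check Dennis describes (that what a re-signed downloader .exe extracts is byte-for-byte the already reviewed 4.1.1 install set), as an added example that is not code from this thread or from the AOO project: a Python script that digests two already-extracted directory trees and reports any missing, unexpected or changed files. The file names and contents are constructed sample data, not AOO's real install set, and the extraction step itself (running the new .exe's extractor into a scratch directory) is assumed to have happened beforehand. Because only content is hashed, file timestamps do not affect the result, which is the point of avoiding a full rebuild.

```python
import hashlib
import tempfile
from pathlib import Path


def digest_tree(root):
    """Return {relative_path: sha256 hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                # Stream in 1 MiB chunks so large .cab/.msi files do not sit in memory.
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            manifest[path.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def compare_manifests(reference, candidate):
    """Diff a reviewed manifest against a freshly extracted one."""
    ref_keys, cand_keys = set(reference), set(candidate)
    return {
        "missing": sorted(ref_keys - cand_keys),        # reviewed file not delivered
        "unexpected": sorted(cand_keys - ref_keys),     # file that was never reviewed
        "changed": sorted(k for k in ref_keys & cand_keys
                          if reference[k] != candidate[k]),
    }


def is_identical(report):
    """True only when the extracted set matches the reviewed set exactly."""
    return not (report["missing"] or report["unexpected"] or report["changed"])


def _write_tree(root, files):
    # Helper for the constructed sample data below.
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Build a reviewed set, a faithful copy and a tampered copy; return both reports."""
    # Constructed sample install set (hypothetical names, not AOO's real files).
    reviewed = {
        "setup.exe": b"MZ sample setup 4.1.1",
        "openoffice.msi": b"sample msi payload",
        "files/core.cab": b"sample cab payload",
    }
    tampered = dict(reviewed)
    tampered["setup.exe"] = b"MZ sample setup modified"   # changed content
    tampered["extra.dll"] = b"not part of the review"      # unexpected file
    del tampered["files/core.cab"]                          # missing file

    with tempfile.TemporaryDirectory() as ref_dir, \
         tempfile.TemporaryDirectory() as good_dir, \
         tempfile.TemporaryDirectory() as bad_dir:
        _write_tree(ref_dir, reviewed)
        _write_tree(good_dir, reviewed)
        _write_tree(bad_dir, tampered)
        ref = digest_tree(ref_dir)
        return (compare_manifests(ref, digest_tree(good_dir)),
                compare_manifests(ref, digest_tree(bad_dir)))


if __name__ == "__main__":
    good, bad = demo()
    print("faithful copy identical:", is_identical(good))
    print("tampered copy report:", bad)
```

In practice the reference manifest would be produced once from the currently published 4.1.1 extractions and stored alongside the release, so each language's re-signed .exe can be checked against it without trusting anything but the hashes.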


-----Original Message-----
From: jan i [mailto:j...@apache.org] 
Sent: Tuesday, December 9, 2014 08:29
To: dev; Dennis Hamilton
Subject: Re: Signing AOO 4.1.1 (was RE: Budapest and thereafter)

On 9 December 2014 at 16:26, Dennis E. Hamilton <dennis.hamil...@acm.org>
wrote:

> Andrea,
>
[ ... ]
> (Or even sign the existing installer
> file, if it is in the proper format for inserting the information and
> signature.)  That is, the .cab, .msi, and setup.exe would be completely
> unchanged.
>
No, we need to rebuild (and for every language), because the last step in
the build process needs to be repeated; we cannot just patch the files.

If we could move away from 1 install set per language, the job would be
about 30 times faster :-)

AOO is special compared to most other projects, in that the majority of our
users use the binary package. As a consequence, I recommend a PMC vote,
even if it's not strictly needed.

[ ... ]

>
> It would still have to be project-managed in the sense that all of the
> measures to preserve binary authenticity and provide accompanying binary
> release management internal to AOO should be followed.
>
[ ... ]