On 08/11/2016 12:50 PM, Kay sch...@apache.org wrote:
>
>
> On 08/09/2016 02:12 PM, Kay Schenk wrote:
>> [top posting]
>> I'm in the process of trying to "sync" instructions for Linux32,
>> Linux64, and MacOSX at the moment. As far as instructions on the actual
>> HOTFIX page, we need to have just a "general" instruction for ALL zips
>> that simply says -- "Unzip this package to some folder of your choosing
>> and read the README that's included." Everything else should be in the
>> various READMEs for each platform.
>>
>> I should be done with all edits by this evening for a final review
>> before zipping and signing.
>
> Ok, I've now moved on to creating zip files, etc for Linux32, Linux64
> and Mac.
>
> My openssl version on does NOT supply digest sha256. Is it OK to use
> sha1? MD5 already computed for each of these.

sha1 is referenced on the ASF code signing page so I decided it was OK. :)

So I think I'm done with the Linux32, Linux64, and MacOSX zip artifacts.

Please check at:
https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/

If anything's amiss, it's likely I can't get back to this until Sunday.
Or feel free to fix.

>
>>
>> On 08/05/2016 09:28 AM, Dennis E. Hamilton wrote:
>>> Branching off the part that is not about the Windows 4.1.2-patch1 [TESTING].
>>>
>>>> -----Original Message-----
>>>> From: Marcus [mailto:marcus.m...@wtnet.de]
>>>> Sent: Thursday, August 4, 2016 15:52
>>>> To: dev@openoffice.apache.org
>>>> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
>>>>
>>>> On 08/05/2016 12:26 AM, Kay Schenk wrote:
>>> [ ... ]
>>>>>
>>>>> hmmm...well no zips for Mac, Linux32, or Linux 64 -- yet.
>>>>>
>>>>> Should we get started on these?
>>>>
>>>> it depends what we want that they should contain. The ZIP file for
>>>> Windows contains a LICENSE and NOTICE file as well as an ASC file for
>>>> the DLL. As it is only a patch IMHO we don't need to provide another
>>>> LICENSE and NOTICE file which is already available in the OpenOffice
>>>> installation. Also the ASC is not necessary as we provide it already
>>>> (together with MD5 and SHA256) for the whole ZIP file.
>>> [orcmid]
>>>
>>> I think there is a misunderstanding. Two matters:
>>>
>>> 1. The use of LICENSE is required by the ALv2 itself, and the ASF practice
>>> is to include NOTICE as well on binary distributions. The patch qualifies,
>>> especially when it is moved to general distribution. It is also easy and
>>> harmless to provide.
>>>
>>> 2. The reason for preserving the .asc on the shared-library binary is
>>> because it authenticates with respect to who produced it and establishes
>>> that it has not been modified as supplied in the package (or as the result
>>> of some glitch in creation of the Zip). It provides a level of
>>> accountability and, also, auditability.
>>>
>>> Even though few people will check all of these, they remain possible to be
>>> checked. Since this is a matter of security vulnerabilities and involves
>>> elevation of privilege to perform, I believe it is important to demonstrate
>>> diligence and care, so that users have confidence in this procedure to the
>>> extent they are comfortable. Also, if it becomes necessary to troubleshoot
>>> a problem with these patch applications, we have the means to authenticate
>>> what they are using to ensure there are no counterfeits being offered to
>>> users.
>>>>
>>>> That means that only the README and library file remains.
>>>>
>>>> When the README for Windows keeps its length then I don't want to copy
>>>> this on the download webpage. ;-)
>>>>
>>>> So, when we put the README for all platforms in their ZIP files then we
>>>> can just put a pointer to it on the download webpage and that's it.
>>> [orcmid]
>>>
>>> Yes, that seems like a fine idea. The README can be linked the same way
>>> the .md5, .sha256, and .asc are linked.
>>>
>>> Also, the README may become simpler if we can link to some of the
>>> information and not have so much detail in the README text itself. It
>>> might even be useful to have an .html README for that matter. But that is
>>> all extra. Right now I think we want to get into the testing and see how
>>> to smooth what we have.
>>>
>>> PS: A friend of mine is looking into the MacOSX situation. He points out
>>> that one can use the Finder to do the job without users having to use
>>> Terminal sessions. I don't have further information at this time.
>>>
>>> PPS: The inclusion of scripts that do the job is also worthy of
>>> consideration, perhaps making it unnecessary to build executables. I will
>>> be looking at finding a .bat file that works safely for the Windows case.
>>> That can make the instructions much shorter :).
>>>
>>>>
>>>> To cut a long story short:
>>>> I would say yes for a ZIP file for every platform.
>>> [ ... ]
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
>>> For additional commands, e-mail: dev-h...@openoffice.apache.org
>>>
>>
>

--
Kay Schenk
Apache OpenOffice
----------------------------------------
"Things work out best for those who make the best of the way things work out."
 -- John Wooden
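
Added example (not part of the original messages, and not Apache OpenOffice tooling): the package layout discussed in this thread, checked in Python. It compares a zip against its .md5/.sha1/.sha256 sidecar files and confirms that LICENSE, NOTICE and README are inside and that each payload file carries its own detached .asc. The member names, the sample zip and the accepted sidecar layouts are assumptions constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

ALGORITHMS = ("md5", "sha1", "sha256")  # sidecar types named in the thread, weakest first
REQUIRED_DOCS = ("LICENSE", "NOTICE", "README")

def check_digests(zip_bytes, sidecars):
    """sidecars: {algorithm: sidecar text}. Returns {algorithm: matched?}."""
    results = {}
    for algo in ALGORITHMS:
        if algo not in sidecars:
            continue
        digest = hashlib.new(algo, zip_bytes).hexdigest()
        # Accept "<hex>", "<hex>  name" and openssl's "SHA1(name)= <hex>" layouts.
        found = re.search(r"\b[0-9a-fA-F]{%d}\b" % len(digest), sidecars[algo])
        results[algo] = bool(found) and found.group(0).lower() == digest
    return results

def strongest_verified(results):
    """Strongest digest that matched, or None if any sidecar failed."""
    if not results or not all(results.values()):
        return None
    return [a for a in ALGORITHMS if a in results][-1]

def check_contents(zip_bytes):
    """List packaging problems: missing docs, payload files without a .asc."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = {n.rsplit("/", 1)[-1] for n in zf.namelist() if not n.endswith("/")}
    docs = {n for n in names if n.split(".")[0] in REQUIRED_DOCS}
    problems = ["missing " + d for d in REQUIRED_DOCS
                if not any(n.split(".")[0] == d for n in docs)]
    for name in sorted(names - docs):
        if not name.endswith(".asc") and name + ".asc" not in names:
            problems.append("no detached signature for " + name)
    return problems

def build_sample(with_asc=True):
    """Constructed sample zip; member names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for doc in REQUIRED_DOCS:
            zf.writestr(doc, doc + " text\n")
        zf.writestr("libexample.so", b"constructed payload")
        if with_asc:
            zf.writestr("libexample.so.asc", "placeholder, not a real signature\n")
    return buf.getvalue()
```

Only the presence of each .asc is checked here; verifying the signature itself is done with gpg --verify against the project's published keys.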