On 27.01.2017 at 20:04, Dennis E. Hamilton wrote:

-----Original Message-----
From: Marcus [mailto:marcus.m...@wtnet.de]
Sent: Friday, January 27, 2017 09:55
To: dev@openoffice.apache.org
Subject: Re: [lazy consensus] FreeBSD as a new supported platform?

On 27.01.2017 at 18:50, Dennis E. Hamilton wrote:

-----Original Message-----
From: Rory O'Farrell [mailto:ofarr...@iol.ie]
Sent: Friday, January 27, 2017 07:59
To: dev@openoffice.apache.org
Subject: Re: [lazy consensus] FreeBSD as a new supported platform?

On Fri, 27 Jan 2017 07:49:51 -0800
"Dennis E. Hamilton" <orc...@apache.org> wrote:

In thinking about this, I suggest that supported means (1)
dist.apache.org authenticated binary distributions (as mirrored) are
provided from source releases and (2) bugzilla provides for the
platform as a named OS [type].

I note that OS/2 and FreeBSD (and Solaris) qualify under (2) but not
under (1).  I've seen other open-source projects link to sources of
other builds without including them under their umbrella of official
releases.  Not certain where bugs are supposed to be reported in
those cases.

 - Dennis

PS: Whether or not there is a link to support.openoffice.org in a
distributed binary is no help because counterfeit distributions do
that too.

But surely the distributed binary would have links to valid checksum
files on the AOO distribution site, which counterfeit distributions
would not have?
[orcmid]

It depends how the counterfeit is distributed.  Most of them are with
download pages and installers that do not provide any kind of links to
hash values or digital signature files.  These target casual users and
they give no evidence of hashes and signatures that users would check,
even if they knew what to do with such links.

The check-for-updates in the binary is also not always altered.

Note that the binary does not have those links.  It is the download
page that provides them.

... where it IMHO belongs. When you have installed the software and it's
running, then nobody cares about the question "Is the install package
broken or not?". When you are afraid of getting maybe malware then you
(search for and) verify the checksums *before* you start any
installation.
[orcmid]

Yes, of course.

And it is crucial that the hashes and signature files *not* be mirrored.  
Having them only available at dist.apache.org is the secure way to detect that 
the mirror-downloaded binary is authentic and unaltered.

Right, we as the OpenOffice project should make sure that we refer only to our own files and servers. So, I hope that there is no faulty link. ;-)

Marcus
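
The check discussed in this thread (hash taken only from dist.apache.org, binary taken from any mirror, verification before installation), as an added example that is not part of the original messages and is not Apache OpenOffice tooling. It assumes SHA-256 checksum files whose text the caller has already fetched; the file name, URL paths and mirror host are constructed placeholders.

```python
import hashlib, hmac, os, tempfile
from urllib.parse import urlsplit
TRUSTED_HASH_HOST = "dist.apache.org"  # origin host named in the thread

def checksum_source_ok(url):
    """Accept a checksum URL only if it is HTTPS on the origin, never a mirror."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == TRUSTED_HASH_HOST

def parse_checksum_file(text, filename):
    """Find filename's digest in 'digest  name', 'digest *name' or bare-digest text."""
    for line in text.splitlines():
        fields = line.split() or [""]
        digest = fields[0].lower()
        name = fields[1].lstrip("*") if len(fields) > 1 else filename
        is_hex = len(digest) == 64 and all(c in "0123456789abcdef" for c in digest)
        if is_hex and os.path.basename(name) == filename:
            return digest
    raise ValueError(f"no SHA-256 entry for {filename}")

def sha256_file(path):
    """Hash the file in chunks so large installers are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, checksum_url, checksum_text):
    """True only if the digest came from the origin and matches the local file."""
    if not checksum_source_ok(checksum_url):
        return False
    expected = parse_checksum_file(checksum_text, os.path.basename(path))
    return hmac.compare_digest(sha256_file(path), expected)

def demo():  # constructed data: a stand-in installer checked three ways
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-installer.bin")
        with open(path, "wb") as f:
            f.write(b"constructed installer bytes")
        text = hashlib.sha256(b"constructed installer bytes").hexdigest() + " *example-installer.bin\n"
        origin = "https://dist.apache.org/PLACEHOLDER/example-installer.bin.sha256"
        mirror = "https://mirror.example.net/PLACEHOLDER/example-installer.bin.sha256"
        out = {"origin": verify_download(path, origin, text), "mirror": verify_download(path, mirror, text)}
        with open(path, "ab") as f:
            f.write(b"tampered")
        out["tampered"] = verify_download(path, origin, text)
        return out

if __name__ == "__main__": print(demo())
```

A matching digest that was served by the mirror is rejected on purpose: whoever can alter the mirrored binary can alter a mirrored hash file to match it.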

