Re: Unofficial Apache OO Debian repository updated

2012-08-27 Thread Mechtilde

Hello,

On 26.08.2012 23:42, Greg Madden wrote:

> 
> I am testing Wheezy in a VM, tried the sourceforge Debian repo's.
> The issue I am seeing is Debian still uses 'openoffice' in their
> package management systems. Trying to find/install openoffice
> results in links to libreoffice.
> 
> While this is probably an issue to discuss with Debian, I am
> wondering how this repo is working for others. What is the package
> name to install AOO?
> 

That is a problem. There is no META-Package to manage the high numbers
of packages you have to install.

I didn't find a short description which packages you have to install
for a working installation.

Kind regards

Mechtilde


Re: Defect Status wiki

2012-08-27 Thread Shenfeng Liu
Andrea,
  Thanks for your explanation!
  I think we can just follow the original process if the development is on
a feature branch, and close the defect only when the fix is available on
main trunk or a release. While if the fix is delivered directly to trunk or
a release branch, we can take the lighter approach and go quickly to CLOSED
status.

- Simon


2012/8/25 Andrea Pescetti 

> On 22/08/2012 Shenfeng Liu wrote:
>
>>(2) I'm not sure what's the difference between the status *Verified*
>> and
>> *Closed*. IMO all the defects verified should finally be closed.
>>
>
> In the old OpenOffice.org project, where the QA process was probably more
> formal, the meanings were the following:
> - Verified: a developer snapshot (in binary form) contains the fix
> - Closed: a stable version (in binary form) contains the fix
>
> So in theory one should now go through all the VERIFIED issues, check them
> with version 3.4.1 and set them to RESOLVED CLOSED if the fix works.
>
> In practice the code now has fewer complexities than it used to have (it
> had dozens of "Child workspaces", or CWS, where development was done) so
> it's understandable that we take a lighter approach on this too.
>
> Regards,
>   Andrea.
>


Re: svn commit: r1377482 - /incubator/ooo/trunk/main/external_deps.lst

2012-08-27 Thread Andre Fischer

On 26.08.2012 21:20, Dave Fisher wrote:

Hi,

We need to do more work to have proper compliance with Apache Infrastructure 
policy in managing external dependencies.

I may not be precisely correct and am looking for confirmation, but in general 
I think we need to

(1) Completely avoid using svn.apache.org. I don't think we are allowed to do 
this even as a backup URL.


Removing svn.apache.org was planned for after the release 3.4.1. I would 
have done it this week. Thanks that you took care of it.




(2) Use mirrors or maven for ASF dependencies where we use the current release. 
If we use mirrors then archive.apache.org should be the backup for the mirror 
so that we aren't in trouble if the project has a release. If a maven 
repository were used then there would be no issue.


Using ASF mirrors is difficult to do automatically.  Doing the same for 
projects hosted on SourceForge is easy.  That is the reason why some ASF 
dependencies are fetched from apache-extras.


Apache extras *is* the backup for all external dependencies that are not 
extensions.




(3) If we use mirrors then we should allow the user to choose which mirror.


That would break every automatic build.



But before we start making changes we should finally figure out the 
policies that constrain our technical choices.  I agree that the current 
download mechanism is not perfect.  One reason for that is that the 
policies regarding licenses of the tarballs and possible download 
locations for them are a moving target.

In the past months I was always trying to find a technical solution that
a) would work reliably
b) could be implemented in the short time until the next release and
c) would fit the newest requirements of where we were allowed to store 
the tarballs.


If using the original servers is not the policy du jour anymore, fine. 
If SHA1 is better than MD5, good.  If maven is "better" than 
apache-extras, excellent.

We should just make up our minds.

-Andre






If we decide to take the time to go the maven route. I can use the example of 
ant and maven repos from the Apache POI build.xml.

Notes about maven repos. Infra [1], maven central [2] and example of an 
externally hosted repo [3]

This area needs careful attention.

The current script is here: main/solenv/bin/download_external_dependencies.pl

Regards,
Dave

[1] http://apache.org/dev/repository-faq.html  and
[2] http://maven.apache.org/guides/mini/guide-central-repository-upload.html
[3] http://repo.maven.apache.org/maven2/javax/activation/activation/1.0.2/activation-1.0.2.pom


On Aug 26, 2012, at 11:58 AM, w...@apache.org wrote:


Author: wave
Date: Sun Aug 26 18:58:08 2012
New Revision: 1377482

URL: http://svn.apache.org/viewvc?rev=1377482&view=rev
Log:
one more small step to infra compliance. still to do removing use of svn as a 
backup and for current releases of ASF software the archive is not proper - 
either a mirror or the maven repository is required.

Modified:
incubator/ooo/trunk/main/external_deps.lst

Modified: incubator/ooo/trunk/main/external_deps.lst
URL: http://svn.apache.org/viewvc/incubator/ooo/trunk/main/external_deps.lst?rev=1377482&r1=1377481&r2=1377482&view=diff
==
--- incubator/ooo/trunk/main/external_deps.lst (original)
+++ incubator/ooo/trunk/main/external_deps.lst Sun Aug 26 18:58:08 2012
@@ -72,7 +72,7 @@ if ( true )
if (SOLAR_JAVA == TRUE)
 MD5 = 17960f35b2239654ba608cf1f3e256b3
 name = lucene-2.9.4-src.tar.gz
-URL1 = 
http://www.us.apache.org/dist/lucene/java/2.9.4/lucene-2.9.4-src.tar.gz
+URL1 = 
http://archive.apache.org/dist/lucene/java/2.9.4/lucene-2.9.4-src.tar.gz
 URL2 = $(OOO_EXTRAS)$(MD5)-$(name)
 # Fall back to a version in SVN from a previous revsion.
 URL3 = 
http://svn.apache.org/repos/asf/!svn/bc/1337615/incubator/ooo/trunk/ext_sources/$(MD5)-$(name)
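Review bot: URL3 at the end of this hunk still points at svn.apache.org, which the log message for this very revision lists as still to be removed, so the lucene entry keeps depending on that host after the change; dropping URL3 (or replacing it with an allowed backup) in the same commit would make the entry compliant as a unit. The only integrity check visible on the entry is "MD5 = 17960f35b2239654ba608cf1f3e256b3" and all three URLs are plain http, so a stronger digest next to it is worth adding while the line is being touched. The comment above URL3 also has a typo ("revsion").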

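The fallback behaviour argued over in this thread (ordered URLs per dependency, svn.apache.org excluded, a digest deciding whether a downloaded copy is accepted), as an added Python example; it is not the project's download_external_dependencies.pl. The mirror host, the SHA1/SHA256 keys, the payload and the svn path are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlparse

# Host the thread says must not be used, even as a backup URL.
BLOCKED_HOSTS = {"svn.apache.org"}
# Strongest digest first; MD5 is only used when nothing better is listed.
# (SHA1/SHA256 keys are an assumption; the quoted entry only carries MD5.)
DIGESTS = ("SHA256", "SHA1", "MD5")

# Constructed payload and entry, modelled on the lucene entry in the quoted diff.
PAYLOAD = b"constructed stand-in for lucene-2.9.4-src.tar.gz\n"
ENTRY_TEXT = """
MD5 = {md5}
SHA1 = {sha1}
name = lucene-2.9.4-src.tar.gz
URL1 = http://mirror.example.org/dist/lucene/java/2.9.4/$(name)
URL2 = http://archive.apache.org/dist/lucene/java/2.9.4/$(name)
# Constructed svn fallback, present only to show that it is skipped.
URL3 = http://svn.apache.org/repos/asf/ext_sources/$(MD5)-$(name)
""".format(md5=hashlib.md5(PAYLOAD).hexdigest(),
           sha1=hashlib.sha1(PAYLOAD).hexdigest())


def parse_entry(text):
    """Parse 'key = value' lines; lines starting with '#' are comments."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a key = value line: %r" % line)
        entry[key.strip()] = value.strip()
    return entry


def expand(value, entry):
    """Replace $(KEY) with the entry's own value for KEY."""
    return re.sub(r"\$\((\w+)\)", lambda m: entry[m.group(1)], value)


def candidate_urls(entry):
    """URL1, URL2, ... in numeric order, with blocked hosts removed."""
    keys = sorted((k for k in entry if re.fullmatch(r"URL\d+", k)),
                  key=lambda k: int(k[3:]))
    urls = [expand(entry[k], entry) for k in keys]
    return [u for u in urls if urlparse(u).hostname not in BLOCKED_HOSTS]


def expected_digest(entry):
    """Return (hashlib name, hex digest) for the strongest digest listed."""
    for algo in DIGESTS:
        if algo in entry:
            return algo.lower(), entry[algo].lower()
    raise ValueError("entry has no digest; refusing an unverified download")


def fetch_verified(entry, fetch):
    """Try each allowed URL in order and accept the first copy whose digest matches.

    fetch is any callable url -> bytes that raises OSError when the host is down.
    Returns (url, data, failures) so the caller can log which sources were rejected.
    """
    algo, want = expected_digest(entry)
    failures = []
    for url in candidate_urls(entry):
        try:
            data = fetch(url)
        except OSError as exc:
            failures.append((url, "fetch failed: %s" % exc))
            continue
        if hashlib.new(algo, data).hexdigest() == want:
            return url, data, failures
        # A wrong digest means a corrupted or tampered copy: fall through to the backup.
        failures.append((url, "%s mismatch" % algo))
    raise RuntimeError("no source delivered a verified copy: %r" % failures)


def make_fetcher(responses):
    """Offline stand-in for an HTTP client: URL -> bytes, OSError if unknown."""
    def fetch(url):
        if url not in responses:
            raise OSError("unreachable")
        return responses[url]
    return fetch


def demo():
    """Mirror serves altered bytes, archive serves the real ones."""
    entry = parse_entry(ENTRY_TEXT)
    mirror, archive = candidate_urls(entry)
    fetch = make_fetcher({mirror: PAYLOAD + b"tampered", archive: PAYLOAD})
    return fetch_verified(entry, fetch)


if __name__ == "__main__":
    url, data, failures = demo()
    print("accepted:", url)
    print("rejected:", failures)
```

Because acceptance depends on the digest and not on the host, the mirror, the archive and any other backup are interchangeable as long as the digest itself comes from a trusted file.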







Re: [QA][Call For Review] SD SVT case

2012-08-27 Thread Yi Xuan Liu
Hi, Simon:

The template is contained in SVT cases. If needed, we could add this case

On Thu, Aug 23, 2012 at 3:21 PM, Shenfeng Liu  wrote:

> Yi Xuan,
>   Do we have the scenario of applying template in SVT?
>
> - Simon
>
>
> 2012/8/22 Yi Xuan Liu 
>
> > hi, all
> >
> > I developed a sd SVT case, it contains several operations on sd:
> >
> > 1) Create a new sd file
> > 2) New slide
> > 3) Insert table
> > 4) Insert pictures
> > 5) Insert slide from other external file
> > 6) Slide show settings
> > 7) slide show
> > 8) save and close
> > 9) loop 1~8 and check memory
> >
> > And this patch also updates UIMap class.
> >
> > Its patch is at https://issues.apache.org/ooo/show_bug.cgi?id=120658
> >
> > And the sample file used in this test case is at
> > https://issues.apache.org/ooo/show_bug.cgi?id=120659
> >
> > Please help to review. Thanks
> >
>


Re: [QA][Call For Review] SD SVT case

2012-08-27 Thread Shenfeng Liu
Yi Xuan,
  So my understanding is that when new a slide (step 2), it is based on a
pre-defined template, right? If so, I think it is ok now, no need for
additional case.
  Thanks!

- Simon


2012/8/27 Yi Xuan Liu 

> Hi, Simon:
>
> The template is contained in SVT cases. If needed, we could add this case
>
> On Thu, Aug 23, 2012 at 3:21 PM, Shenfeng Liu  wrote:
>
> > Yi Xuan,
> >   Do we have the scenario of applying template in SVT?
> >
> > - Simon
> >
> >
> > 2012/8/22 Yi Xuan Liu 
> >
> > > hi, all
> > >
> > > I developed a sd SVT case, it contains several operations on sd:
> > >
> > > 1) Create a new sd file
> > > 2) New slide
> > > 3) Insert table
> > > 4) Insert pictures
> > > 5) Insert slide from other external file
> > > 6) Slide show settings
> > > 7) slide show
> > > 8) save and close
> > > 9) loop 1~8 and check memory
> > >
> > > And this patch also updates UIMap class.
> > >
> > > Its patch is at https://issues.apache.org/ooo/show_bug.cgi?id=120658
> > >
> > > And the sample file used in this test case is at
> > > https://issues.apache.org/ooo/show_bug.cgi?id=120659
> > >
> > > Please help to review. Thanks
> > >
> >
>


[QA][Call for review] SW SVT operations on sample files

2012-08-27 Thread Yi Xuan Liu
hi,all


I developed two SVT cases on sample files "ScenarioDesign.odt" and
"complex.odt".


   - On sample file "ScenarioDesign.odt", which size is 67KB, 4 pages and
   contains lots of tables.


  This operation on this file mainly contains:

  1. Merge cells
  2. Split cells
  3. Insert Rows/Columns
  4. Delete Rows/Columns
  5. Loop 1~4 and check memory



   - On sample file "complex.odt", which size is 26MB, 26 pages and contains
   lots of pictures and tables.


  This operation on this file mainly contains:

  1. Format paragraph
  2. Insert pictures in table
  3. Insert OLE object
  4. Insert Chart

The patch is at https://issues.apache.org/ooo/show_bug.cgi?id=120722

Please help to review, thanks!


Re: [QA][Call For Review] SD SVT case

2012-08-27 Thread Yi Xuan Liu
Yes, Simon

On Mon, Aug 27, 2012 at 4:19 PM, Shenfeng Liu  wrote:

> Yi Xuan,
>   So my understanding is that when new a slide (step 2), it is based on a
> pre-defined template, right? If so, I think it is ok now, no need for
> additional case.
>   Thanks!
>
> - Simon
>
>
> 2012/8/27 Yi Xuan Liu 
>
> > Hi, Simon:
> >
> > The template is contained in SVT cases. If needed, we could add this case
> >
> > On Thu, Aug 23, 2012 at 3:21 PM, Shenfeng Liu 
> wrote:
> >
> > > Yi Xuan,
> > >   Do we have the scenario of applying template in SVT?
> > >
> > > - Simon
> > >
> > >
> > > 2012/8/22 Yi Xuan Liu 
> > >
> > > > hi, all
> > > >
> > > > I developed a sd SVT case, it contains several operations on sd:
> > > >
> > > > 1) Create a new sd file
> > > > 2) New slide
> > > > 3) Insert table
> > > > 4) Insert pictures
> > > > 5) Insert slide from other external file
> > > > 6) Slide show settings
> > > > 7) slide show
> > > > 8) save and close
> > > > 9) loop 1~8 and check memory
> > > >
> > > > And this patch also updates UIMap class.
> > > >
> > > > Its patch is at https://issues.apache.org/ooo/show_bug.cgi?id=120658
> > > >
> > > > And the sample file used in this test case is at
> > > > https://issues.apache.org/ooo/show_bug.cgi?id=120659
> > > >
> > > > Please help to review. Thanks
> > > >
> > >
> >
>


[HELP]usage of XIndexReplace.replaceByIndex()?

2012-08-27 Thread lou ql
I'm using UNO API to set graphic bullet for a piece of text in SD, the
graphic is from gallery "Bullets".

There are 62 gif graphics in gallery "Bullets", and I set them as the
bullet graphic one by one. Most work fine, but the last 3 gif graphics
fail: the value of GraphicURL is
vnd.sun.star.GraphicObject: after
"replaceByIndex", but not the value I set.

Then I tried using only the last 4 gif graphics as parameters and ran again,
all work...

void setGraphicBullets(String inputUniqueID){
    Object numberingrules = m_xtextProps.getPropertyValue("NumberingRules");
    XIndexReplace xReplace = (XIndexReplace) UnoRuntime.queryInterface(
        XIndexReplace.class, numberingrules);

    PropertyValue[] props = new PropertyValue[3];
    props[0] = new PropertyValue();
    props[0].Name = "NumberingType";
    props[0].Value = new Short(NumberingType.BITMAP);

    props[1] = new PropertyValue();
    props[1].Name = "GraphicURL";
    props[1].Value = "vnd.sun.star.GraphicObject:" + inputUniqueID;

    props[2] = new PropertyValue();
    props[2].Name = "GraphicSize";
    props[2].Value = new Size(500, 500);

    //set numberingType
    xReplace.replaceByIndex(0, props);
    //failure: for the last 3 gifs, after this, I tried to get the GraphicURL
    //value, it's vnd.sun.star.GraphicObject:

    m_xtextProps.setPropertyValue("NumberingRules", numberingrules);
    //set numbering level to 0
    m_xtextProps.setPropertyValue("NumberingLevel", new Short((short)0));
}

the parameter "inputUniqueID" is the uniqueID of the gallery items in
"Bullets" theme:
String[] getUniqueID()
{
    Object ogalleryThemeProvider =
        app.getServiceFactory().createInstance("com.sun.star.gallery.GalleryThemeProvider");
    XGalleryThemeProvider xgalleryThemeProvider = (XGalleryThemeProvider)
        UnoRuntime.queryInterface(XGalleryThemeProvider.class, ogalleryThemeProvider);

    //get the "Bullets" theme
    Object bulletTheme = xgalleryThemeProvider.getByName("Bullets");
    XGalleryTheme xbulletTheme = (XGalleryTheme)
        UnoRuntime.queryInterface(XGalleryTheme.class, bulletTheme);

    //get the items in "Bullets" theme one by one, set as parameter
    int count = xbulletTheme.getCount();
    String[] uniqueID = new String[count];
for(int i=0; i

[API] Problem with currency formatter in text field

2012-08-27 Thread Carsten Demmrich
Hello, I have a problem with formatting of a text field. I create a text 
field in Java and insert this in a document.
The content is 0.0 and the format is the default currency. But the 
content is not formatted. The document shows me 0.0 and not 0,00 €.

Why?

private void setTextField(Object[] value)
{
    try
    {
        XTextDocument xTextDocument = (XTextDocument)
            UnoRuntime.queryInterface(XTextDocument.class, oBean.getDocument());
        XController xController = xTextDocument.getCurrentController();
        XTextViewCursorSupplier xTextViewCursorSupplier = (XTextViewCursorSupplier)
            UnoRuntime.queryInterface(XTextViewCursorSupplier.class, xController);
        XTextViewCursor xDocTextCursor = xTextViewCursorSupplier.getViewCursor();

        XText xText = xDocTextCursor.getText();

        xText.insertTextContent(xDocTextCursor,
            createTextField(xTextDocument, (String) value[2], (String) value[1]),
            false);
    }
    catch (Exception e)
    {
        logger.error(e);
    }
}

private XDependentTextField createTextField(XTextDocument xTextDocument,
    String fieldName, String fieldValue)
{
    XMultiServiceFactory xMultiServiceFactory = (XMultiServiceFactory)
        UnoRuntime.queryInterface(XMultiServiceFactory.class, xTextDocument);
    XTextFieldsSupplier xTextFieldsSupplier = (XTextFieldsSupplier)
        UnoRuntime.queryInterface(XTextFieldsSupplier.class, xTextDocument);
    XNameAccess xNamedFieldMasters = xTextFieldsSupplier.getTextFieldMasters();

    XDependentTextField userField = null;
    XPropertySet masterPropSet = null;

    try
    {
        // Create the field...
        userField = (XDependentTextField)
            UnoRuntime.queryInterface(XDependentTextField.class,
                xMultiServiceFactory.createInstance("com.sun.star.text.TextField.User"));

        if (!xNamedFieldMasters.hasByName("com.sun.star.text.FieldMaster.User." + fieldName))
        {
            // Create the field master...
            masterPropSet = (XPropertySet)
                UnoRuntime.queryInterface(XPropertySet.class,
                    xMultiServiceFactory.createInstance("com.sun.star.text.FieldMaster.User"));

            // Set the field name and content...
            masterPropSet.setPropertyValue("Name", fieldName);
            masterPropSet.setPropertyValue("Content", fieldValue);

            if (fieldValue.equals("0.0"))
            {
                // Query the number formats supplier of the document
                com.sun.star.util.XNumberFormatsSupplier xNumberFormatsSupplier =
                    (com.sun.star.util.XNumberFormatsSupplier)
                    UnoRuntime.queryInterface(com.sun.star.util.XNumberFormatsSupplier.class,
                        xTextDocument);

                // Get the number formats from the supplier
                com.sun.star.util.XNumberFormats xNumberFormats =
                    xNumberFormatsSupplier.getNumberFormats();

                // Query the XNumberFormatTypes interface
                com.sun.star.util.XNumberFormatTypes xNumberFormatTypes =
                    (com.sun.star.util.XNumberFormatTypes)
                    UnoRuntime.queryInterface(com.sun.star.util.XNumberFormatTypes.class,
                        xNumberFormats);

                // Get the number format index key of the default currency
                // format,
                // note the empty locale for default locale
                com.sun.star.lang.Locale aLocale = new com.sun.star.lang.Locale();
                int nCurrencyKey = xNumberFormatTypes.getStandardFormat(
                    com.sun.star.util.NumberFormat.CURRENCY, aLocale);

                XPropertySet fieldProperties = (XPropertySet)
                    UnoRuntime.queryInterface(XPropertySet.class, userField);
                fieldProperties.setPropertyValue("NumberFormat",
                    new Integer(nCurrencyKey));
            }
        }
        else
        {
            masterPropSet = (XPropertySet)
                UnoRuntime.queryInterface(XPropertySet.class,
                    xNamedFieldMasters.getByName("com.sun.star.text.FieldMaster.User." +
                        fieldName));
        }

        // Attach the fieldmaster to the field...
        userField.attachTextFieldMaster(masterPropSet);
    }
    catch (java.lang.Exception e)
    {
        logger.error(e);
    }
    return userField;
}

Kind regards
Carsten




Re: svn commit: r1357306 - /incubator/ooo/trunk/main/solenv/bin/build.pl

2012-08-27 Thread Andre Fischer

On 25.08.2012 17:55, Ariel Constenla-Haile wrote:

On Wed, Aug 15, 2012 at 08:52:17AM +0200, Pavel Janík wrote:

Hi Andre,

On Jul 11, 2012, at 9:21 AM, Andre Fischer wrote:


On 10.07.2012 21:47, Pavel Janík wrote:

Andre,

this particular change is incompatible with my build system. I do
[meta-shell code]:


I should have explained this change better (or at all).  It is only
intended as a temporary hack to find out the reason for the build
breaker of the 64bit Linux buildbot build.


is the problem already solved?  -- Pavel Janík


It is not solved. The main bug with it, is that now it hides where the
build is breaking; I faced it yesterday on my own build, and now it can
be seen in the Win build bot: the build continues regardless any error
on any module, and breaks in instsetoo_native due to missing compiled
stuff:

http://ci.apache.org/projects/openoffice/buildlogs/win/main/instsetoo_native/wntmsci12.pro/misc/logs/util.txt

Even worst, the build bot only reports an error when trying to copy the
install sets generated in instsetoo_native
http://ci.apache.org/builders/aoo-win7/builds/281/steps/MasterShellCommand_1/logs/stdio

IMHO we should revert this change, otherwise we have no idea where the
build breaks.


It is still possible to see where the build breaks.  But it takes more 
than a quick look into the build overview.  This change makes it 
possible to see some build breakers at all (those that cause the build 
to hang: in such a case the buildbot terminates the build without 
writing any output for the module in which the hang occurs)


But I think I understand what you mean.  It is very inconvenient.

I have reverted my last change in build.pl.

-Andre



Testtool has removed from installation set

2012-08-27 Thread Zhe Liu
Hi,
See the bug:
https://issues.apache.org/ooo/show_bug.cgi?id=120399
Linux
ooobasis*-testtool*.deb & ooobasis*-testtool*.rpm will not be generated
Mac
All files related to testtool will not be included in the dmg.
Windows
In Custom Setup page of installation Wizard, testtool will not be
included in "Optional Components"
Call for volunteers to verify it.
The source code still is not removed. It is more complex, I will do it
in the next.

-- 
Best Regards
From aliu...@gmail.com


Re: [API] Problem with currency formatter in text field

2012-08-27 Thread Fernand Vanrie

 Carsten ,

you need a "refresh" of the field?

hope it helps

Fernand







Re: Open-office downloading site - FLV player advertisement

2012-08-27 Thread Roberto Galoppini
On Sun, Aug 26, 2012 at 10:54 PM, Fernando Cassia  wrote:

> On Sun, Aug 26, 2012 at 5:19 PM, Roberto Galoppini wrote:
>
> > actually in different geographies are displayed different ads, and I need
> > the actual URL to eventually report internally issues with malware. Can
> you
> > help me with that?
> >
>
> Yes, sure,
>
> destination URL is
>
> http://googleads.g.doubleclick.net/aclk?sa=l&ai=BCRkjin46UKfLB-Oh6AHC3YDADcewquYCx6ODs0-_z4ayggGgnAEQARgBIOHmmwI4AFDPo7Wh-P8BYKGAgIAooAGxsdPfA7IBD3NvdXJjZWZvcmdlLm5ldLoBETMwMHgyNTBfcGFzX2FiZ25jyAEC2gGNAWh0dHA6Ly9zb3VyY2Vmb3JnZS5uZXQvcHJvamVjdHMvb3Blbm9mZmljZW9yZy5taXJyb3IvZmlsZXMvc3RhYmxlLzMuNC4xL0FwYWNoZV9PcGVuT2ZmaWNlX2luY3ViYXRpbmdfMy40LjFfV2luX3g4Nl9pbnN0YWxsX2VuLVVTLmV4ZS9kb3dubG9hZPgBAcACCcgCp8fbIqgDAfUDAAQAgPUDEKAGAuAGv4uhIQ&num=1&sig=AOD64_2QTgRUfp_AjSv0IdpcBux87BneTA&client=ca-ostg_js&adurl=http://www.superbvideoconverter.com/gb/si/%3Fadnm%3D21227763559%26i%3Ds%26grid%3DA%26lg%3DEN%26cc%3DAR%26clg%3Den%26c%3D1%26d%3D1%26cid%3D_97893889%26kw%3D%26mn%3Dsourceforge.net%26Network%3DD%26expr%3D%26agid%3D_9599537584
>

Think this is a different one, though. Supervideoconverter seems to be
virus-free.
Also FLV videoplayer, at least the one I have been able to find googling,
seems to be virus-free.
It must be said that without the exact URL I can't check if that version of
FLV videoplayer is virus-free.

Roberto



>
> And source image is
> http://pagead2.googlesyndication.com/simgad/15861613925973749392
>
> cached for the record, here:
> http://the13thfloor.org/sf-rogue-adverts/
>
> and fwiw I get that while coming from an Argentina IP (186.142.241.x subnet
> - Claro FFTH - www.claro.com.ar)
>
> FC
>
> --
> During times of Universal Deceit, telling the truth becomes a revolutionary
> act
> Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto
> Revolucionario
> - George Orwell
>




Re: [QA Report]Weekly report

2012-08-27 Thread TJ Frazier

On 8/27/2012 02:52, Ji Yan wrote:

Hi all,

  I put QA weekly report in [1]. also defect status report in [2]. Please
review.

[1]http://wiki.openoffice.org/wiki/QA/Report/WeeklyReport/20120827
[2]http://wiki.openoffice.org/wiki/QA/Report/DefectStatus/20120827


Hi,

<http://wiki.openoffice.org/wiki/QA/Report/DefectStatus/DefectStatus20120827/WeeklyConfirmed>

shows the same Issue number for all entries.

/tj/



OpenOffice.org Business Partnership Inquiry

2012-08-27 Thread fa...@filepuma.com
Hi OpenOffice.org Webmaster,
 
I'm sorry to bother you.
I am Faith from Filepuma.com. I write to you just to consult whether we can 
have a potential chance to cooperate with you. And recently we have updated 
your product at our site that you can have a visit.

Filepuma.com is a website for providing the simplest method of downloading the 
newest versions of the best software, and we are not focusing on quantity but 
quality. To make your downloads as fast as possible, we provide very fast 
servers with 100Mb connections.

You are really a great tool and OpenOffice.org enjoys great reputation among 
users. We're very interested in becoming the mirror for OpenOffice.org 
download. I'm sure our partnership can guarantee you great advantages. We can 
do a few things to promote your program like newsletter mentions and front-page 
exposure. 

If you have any other ideas we are very open and happy to discuss them on 
becoming OpenOffice.org's mirror download link. What we want to have is a 
win-win relationship that benefits us both. We strongly think that business 
cooperation between you and us will be a wise decision, and both of us can have 
more triumphs.

Looking forward to receiving your feedback very much. Thanks for your time.

P.S. If answering mails like this one is not among your daily tasks, please 
forward it to the appropriate executive. Thanks again.

Best regards,

Faith Lee
fa...@filepuma.com
Filepuma.com



Re: Unofficial Apache OO Debian repository updated

2012-08-27 Thread Marcelo Santana
On Sun, 26 Aug 2012 16:47:23 -0400, Wolf Halton 
wrote:

Hi there,

> Sounds like it might not take too much effort to get it to work in
> Ubuntu.

As the packages are the same provided by Apache Foundation, if you can
install Apache OO running "dpkg -i *.deb" you also can install using
this repository, with the bonus that you may use any package manager
that you prefer.

--
Marcelo G. Santana (aka msantana) | GNU/Linux User number: #208778
  http://blog.msantana.eng.br | http://identi.ca/mgsantana
  http://www.debianbrasil.org | http://br.gnome.org
 GnuPG fprint: 88FB 5D63 ED02 3B5D 90D6  3A3E 8698 1CC9 89C5 5467


Re: Unofficial Apache OO Debian repository updated

2012-08-27 Thread Marcelo Santana
On Mon, 27 Aug 2012 09:18:59 +0200, Mechtilde  wrote:

[...]
 
> That is a problem. There is no META-Package to manage the high numbers
> of packages you have to install.

I agree with you. I intend to create META-packages for each language,
but for a while I preferred to release close to AOO's release to have
feedback from all as soon as possible.
 
> I didn't find a short description which packages you have to install
> for a working installation.

As you can see in README file[1], e.g. for Deutsch version you need to
run:

$ gpg --recv-keys 90127F5B && gpg --export --armor 90127F5B | sudo apt-key add -

and

$ sudo apt-get update && sudo apt-get install openoffice.org3-de \
    ooobasis3.4-de-binfilter openoffice.org3-writer openoffice.org3-calc \
    openoffice.org3-impress openoffice.org3-base openoffice.org3-draw \
    openoffice.org3-math ooobasis3.4-pyuno ooobasis3.4-ooofonts \
    ooobasis3.4-ooolinguistic openoffice.org-debian-menus

[1]http://sourceforge.net/projects/apacheoo-deb/files/debian/


Kind regards,

--
Marcelo G. Santana (aka msantana) | GNU/Linux User number: #208778
  http://blog.msantana.eng.br | http://identi.ca/mgsantana
  http://www.debianbrasil.org | http://br.gnome.org
 GnuPG fprint: 88FB 5D63 ED02 3B5D 90D6  3A3E 8698 1CC9 89C5 5467


Re: [QA Report]Weekly report

2012-08-27 Thread Ji Yan
Hi TJ,

  Thanks for finding this issue, I correct the defect list.

2012/8/27 TJ Frazier 

> On 8/27/2012 02:52, Ji Yan wrote:
>
>> Hi all,
>>
>>   I put QA weekly report in [1]. also defect status report in [2]. Please
>> review.
>>
>> [1]http://wiki.openoffice.org/wiki/QA/Report/WeeklyReport/20120827
>> [2]http://wiki.openoffice.org/wiki/QA/Report/DefectStatus/20120827
>>
>>  Hi,
>
> <http://wiki.openoffice.org/wiki/QA/Report/DefectStatus/DefectStatus20120827/WeeklyConfirmed>
>
> shows the same Issue number for all entries.
>
> /tj/
>
>


-- 


Thanks & Best Regards, Yan Ji


Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Jim Jagielski
The ASF releases source code. We produce it, we develop it, we license it
and we release it.

We have also, as a courtesy to the community, released binaries (read: pre-
compiled and built s/w) as well. The binaries MUST be based on
the actual released code. But the s/w itself is what is produced and
released by the PMC.

This is not a new or unique question. Heck, httpd for *years*
released pre-built binaries as a courtesy to the community (mostly
the windows builds).

At issue is whether or not binaries can fall under the same
"protection" and "authority" as the source code. The question
to answer is "what exactly do you want". Do you want the builds
done on ASF hardware to be deemed "official" to the exclusion of
all other builds? What exactly does "official" mean anyway?

IMO, what is important is that the end-user obtains a binary that
he/she knows is (1) built from the actual, unadulterated office
source code release and (2) was built by someone trustworthy.
So having some sort of "build release manager" or takes
these binaries, checks that they were built correctly, and
then signing the binaries seems, to me, to be enough to cover
what we, and the end-users, need.

On Aug 24, 2012, at 2:49 PM, Joe Schaefer  wrote:

> Exactly- just work within the constraints
> and there is no practical problem whatsoever.
> 
> 
> 
> 
> 
>> 
>> From: Andrew Rist 
>> To: gene...@incubator.apache.org 
>> Sent: Friday, August 24, 2012 2:44 PM
>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>> 
>> 
>> On 8/24/2012 11:19 AM, Joe Schaefer wrote:
>>> Really, all this fuss over the LABELLING of
>>> a file being distributed does not add value
>>> to either the org, the podling, or the users
>>> of the software.  Nowhere is it written that
>>> you CANNOT DISTRIBUTE BINARIES, however it
>>> has always been clear that they are provided
>>> for the convenience of our users, not as part
>>> of an "official" release.  That however does
>>> not mean that things like release announcements
>>> cannot refer users to those binaries, it simply
>>> means those announcements need to reference the
>>> sources as "the thing that was formally voted on
>>> and approved by the ASF".
>> 
>> Thus...
>> 
>> Binaries created /from /the Official Release?
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
 
 From: Dave Fisher 
 To: gene...@incubator.apache.org
 Sent: Friday, August 24, 2012 1:56 PM
 Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
 
 
 On Aug 24, 2012, at 10:09 AM, Rob Weir wrote:
 
> On Fri, Aug 24, 2012 at 12:45 PM, Rob Weir  wrote:
>> On Fri, Aug 24, 2012 at 12:32 PM, Marvin Humphrey
>>  wrote:
>>> Returning to this topic after an intermission...
>>> 
>>> On Tue, Aug 21, 2012 at 6:18 AM, Bertrand Delacretaz
>>>  wrote:
 On Tue, Aug 21, 2012 at 11:54 AM, Jürgen Schmidt 
  wrote:
> ...As one of the active developers I would have a serious problem if 
> we as
> project couldn't provide binary releases for our users. And I thought
> the ASF is a serious enough institution that can ensure to deliver
> binaries of these very popular end user oriented software and can of
> course protect the very valuable brand OpenOffice that the ASF now 
> owns
> as well...
 As has been repeatedly mentioned in this thread and elsewhere, at the
 moment ASF releases consist of source code, not binaries.
>>> My impression from this discussion is that many podling contributors are
>>> dismayed by this policy, and that there is an element within the PPMC 
>>> which
>>> remains convinced that it is actually up to individual PMCs within the 
>>> ASF to
>>> set policy as to whether binaries are official or not.
>>> 
>> If there actually is an ASF-wide Policy concerning binaries then I
>> would expect that:
>> 
>> 1) It would come from the ASF Board, or from a Legal Affairs, not as
>> individual opinions on the IPMC list
>> 
>> 2) It would be documented someplace, as other important ASF policies
>> are documented
>> 
> And 2a)  Actually state the constraints of the policy, i.e., what is
> allowed or disallowed by the policy.  Merely inventing a label like
> "convenience" or "unofficial" gives absolutely zero direction to
> PMC's.  It is just a label.  Consider what the IPMC's Release Guide
> gives with regards to the source artifact.  It is labeled "canonical",
> but that level is backed up with requirements, e.g., that every
> release must include it, that it must be signed, etc.  Similarly,
> podling releases are not merely labeled "podling releases", but policy
> defines requirements, e.g., a disclaimer, a required IPMC vote, etc.
> 
> I hope I am not being too pedantic here.  But I would like to have a
> policy def

Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Jim Jagielski

On Aug 26, 2012, at 10:26 AM, Joe Schaefer  wrote:

> No.  There is NO WAY IN HELL the org can indemnify
> a volunteer who produces a binary build themselves.
> 
> Please don't bother asking legal-discuss to tackle this.
> 

Here's an analogy: for a long, long time Bill Rowe has taken
it upon himself to create binary builds of Apache httpd for
the large Windows community. Netware binary builds are also
occasionally released (see http://httpd.apache.org/download.cgi).

These are available right from the official httpd download
page and located right next to the official source code,
yet they are artifacts NOT released (officially) by the
ASF or the httpd PMC, but are available from a "trusted"
source.

Isn't that all the end-user cares about? And isn't that
sufficient for AOO?


Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Jim Jagielski

On Aug 27, 2012, at 8:56 AM, donald_harbi...@us.ibm.com wrote:
> 
> Yes, that's what end users care about. But it's not sufficient for AOO 
> since we are seeking alternative distribution channels.

What does that mean? Can I grok "alternative distribution channels"
as "more mirrors" or something else?


Emanuel Antonio de Almeida is out of the office.

2012-08-27 Thread emanuel . almeida

I will be out of the office starting  27/08/2012 and will not return until 
17/09/2012.

For any subject, please send your message to Carlos Henrique dos Santos 
Oliveira - chsolive...@globmail.com.br

For subjects about Suporte Unidades Embraer, forward your message to Carlos 
Henrique dos Santos Oliveira - chsolive...@globmail.com.br and Lucas
Nicolli Tosi - lucas.t...@globmail.com.br

Re: How to confirm old issues with AOO 3.4.1 ?

2012-08-27 Thread Herbert Duerr

Hi Oliver,

On 26.08.2012 14:13, oliver.brinz...@gmx.de wrote:

How can I confirm old issues with new versions of AOO?

Background: Some of my issues are more than 10 years old - originally submitted 
with oo 1.0 ;-)
Some of them still exist, others may be fixed without closing the corresponding 
issue.

Btw: I was told not to change the "Version" field.

Could we add a field "last confirmed with AOO", for example?
IMHO this would be more effective than adding a simple comment.


Good idea. I added the custom field "cf_lastconfirmedver" which you'll 
find under the title "Latest Confirmation on".


There are some minor problems though. The versions available for that 
field should be the ones from "target milestones", but linking these two 
entries is not possible in the current version of Bugzilla. Also only 
members with "canconfirm" bits should be able to change the field but as 
of now it cannot be protected.


Herbert


[QA][Call for Review] SC SVT cases on ods sample file

2012-08-27 Thread Yi Xuan Liu
hi,all:

I developed a sc SVT case on an ods sample file. This sample file is 9M,
which contains 35 sheets and lots of pictures and objects.

The operation is

1.  Insert sheet
2.  Insert chart
3.  Insert picture
4.  Insert fontwork
5.  loop 1~4

The patch is at https://issues.apache.org/ooo/show_bug.cgi?id=120725

Please help to review. Thanks!


Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Ross Gardler
There are, as many have pointed out, two issues. The first is, can AOO do
what it is doing - the answer to this one is yes and has been clearly
expressed a number of times in this thread. The second is whether AOO can
go a step further than what it is already doing. The answer to this is No,
as has been expressed a number of times in this thread.

If we separate these issues out then we can proceed. The first issue is
resolved (the release vote passed with the original objection being
withdrawn). The second issue remains open. It is for the AOO PPMC to find a
solution to this.

I can see two potential solutions to the problem. Which is right for the
AOO project is not the concern of general@. So let's drop general@ from this
discussion so we can focus on the actual problem rather than this never
ending circular thread.
On Aug 27, 2012 8:56 AM,  wrote:

> Jim Jagielski  wrote on 08/27/2012 08:43:35 AM:
>
> > From: Jim Jagielski 
> > To: gene...@incubator.apache.org, Joe Schaefer
> > , Rob Weir ,
> > Cc: "ooo-dev@incubator.apache.org" 
> > Date: 08/27/2012 08:44 AM
> > Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> >
> >
> > On Aug 26, 2012, at 10:26 AM, Joe Schaefer 
> wrote:
> >
> > > No.  There is NO WAY IN HELL the org can indemnify
> > > a volunteer who produces a binary build themselves.
> > >
> > > Please don't bother asking legal-discuss to tackle this.
> > >
> >
> > Here's an analogy: for a long, long time Bill Rowe has taken
> > it upon himself to create binary builds of Apache httpd for
> > the large Windows community. Netware binary builds are also
> > occasionally released (see http://httpd.apache.org/download.cgi).
> >
> > These are available right from the official httpd download
> > page and located right next to the official source code,
> > yet they are artifacts NOT released (officially) by the
> > ASF or the httpd PMC, but are available from a "trusted"
> > source.
> >
> > Isn't that all the end-user cares about? And isn't that
> > sufficient for AOO?
>
> Yes, that's what end users care about. But it's not sufficient for AOO
> since we are seeking alternative distribution channels. Effort to
> exponentially expand distribution channels require code signing. These
> discussions were started on legal@ with no resolution. Sorry I don't have
> the reference for that handy.
>
>
> >
> > -
> > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> > For additional commands, e-mail: general-h...@incubator.apache.org
> >
>


Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Jim Jagielski
Re adding ooo-dev@ since this is STILL an AOO issue.

On Aug 27, 2012, at 9:38 AM, Rob Weir  wrote:

> On Mon, Aug 27, 2012 at 8:59 AM, Jim Jagielski  wrote:
>> 
>> On Aug 27, 2012, at 8:56 AM, donald_harbi...@us.ibm.com wrote:
>>> 
>>> Yes, that's what end users care about. But it's not sufficient for AOO
>>> since we are seeking alternative distribution channels.
>> 
>> What does that mean? Can I grok "alternative distribution channels"
>> as "more mirrors" or something else?
>> 
> 
> You probably don't see this on the server yet, but end-user operating
> systems, both desktop and devices, both at OS level as well as in
> browsers and with antivirus software, are shifting over to excluding
> non-signed executable by default.

Believe it or not, I actually use end-user OSs. I am right now! Wow!

>  This is equally true of software
> distributed on CD's, via downloads, or listed in OS-vendor "stores".
> That is the direction that the industry is going.  Any desktop
> application that ignores this trend will become unusable by most
> users.  Instead of detached digital signatures that Apache releases
> already carry, the OS vendors expect integrated signatures via code
> signing.
> 
> Where I hear the churning is over whether the technological change -
> code signing rather than detached PGP/GPG signatures -- means anything
> different from a liability standpoint.  One could argue that a
> signature merely vouches for authentication, integrity and
> non-repudiation -- the classic guarantees of a digital signature.  But
> I'm hearing others suggest that the move from one technology to
> another technology for signing suggests additional guarantees about
> the content of the signed artifact, above and beyond what the ASF
> normally offers.  But of course, any additional liability is
> explicitly disclaimed by the Apache License.
> 
> So given that other Apache projects distribute binaries that are
> 
> 1) approved by the PMC's
> 
> 2) distributed on Apache mirrors
> 
> 3) linked to as ASF products by project websites
> 
> 4) accompanied by PGP/GPG detached signatures
> 
> ...what additional liability do we believe comes from the
> technological change from one signature mechanism to another?   Or
> specifically, what liability is added that is not already explicitly
> disclaimed by ALv2?
> 

A signature does 2 things:

  1. Ensures that no bits have been changed
  2. That the bits come from a known (and trusted) entity.

The fact that we've used GPG-signed artifacts is immaterial, imo.

But recall in all this that even when the PMC releases code, it is
signed by the individual RM, and not by the PMC itself.



Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Rob Weir
On Mon, Aug 27, 2012 at 9:57 AM, Jim Jagielski  wrote:
> Re adding ooo-dev@ since this is STILL an AOO issue.
>
> On Aug 27, 2012, at 9:38 AM, Rob Weir  wrote:
>
>> On Mon, Aug 27, 2012 at 8:59 AM, Jim Jagielski  wrote:
>>>
>>> On Aug 27, 2012, at 8:56 AM, donald_harbi...@us.ibm.com wrote:

>>>> Yes, that's what end users care about. But it's not sufficient for AOO
>>>> since we are seeking alternative distribution channels.
>>>
>>> What does that mean? Can I grok "alternative distribution channels"
>>> as "more mirrors" or something else?
>>>
>>
>> You probably don't see this on the server yet, but end-user operating
>> systems, both desktop and devices, both at OS level as well as in
>> browsers and with antivirus software, are shifting over to excluding
>> non-signed executable by default.
>
> Believe it or not, I actually use end-user OSs. I am right now! Wow!
>

I did not mean to imply otherwise.  But I am quite confident that few,
if any other Apache projects are developing end-user software, so they
might not be aware of this trend from the software development
perspective.

>>  This is equally true of software
>> distributed on CD's, via downloads, or listed in OS-vendor "stores".
>> That is the direction that the industry is going.  Any desktop
>> application that ignores this trend will become unusable by most
>> users.  Instead of detached digital signatures that Apache releases
>> already carry, the OS vendors expect integrated signatures via code
>> signing.
>>
>> Where I hear the churning is over whether the technological change -
>> code signing rather than detached PGP/GPG signatures -- means anything
>> different from a liability standpoint.  One could argue that a
>> signature merely vouches for authentication, integrity and
>> non-repudiation -- the classic guarantees of a digital signature.  But
>> I'm hearing others suggest that the move from one technology to
>> another technology for signing suggests additional guarantees about
>> the content of the signed artifact, above and beyond what the ASF
>> normally offers.  But of course, any additional liability is
>> explicitly disclaimed by the Apache License.
>>
>> So given that other Apache projects distribute binaries that are
>>
>> 1) approved by the PMC's
>>
>> 2) distributed on Apache mirrors
>>
>> 3) linked to as ASF products by project websites
>>
>> 4) accompanied by PGP/GPG detached signatures
>>
>> ...what additional liability do we believe comes from the
>> technological change from one signature mechanism to another?   Or
>> specifically, what liability is added that is not already explicitly
>> disclaimed by ALv2?
>>
>
> A signature does 2 things:
>
>   1. Ensures that no bits have been changed
>   2. That the bits come from a known (and trusted) entity.
>

Almost.  It doesn't guarantee trust.  CA's don't require any specific
level of software quality assurance before they issue a certificate.
Any trust is implied by association with the identity of the signer.
So it is a brand association.  This is similar to the association that
comes with association with a project's release announcement, or from
distribution via Apache mirrors, or links from Apache websites.  These
all imply -- in one degree or another -- an association with Apache,
and the trust that flows from that.

But what code signing does do is help protect ASF reputation.  By
having the binaries signed we can distance ourselves from those who
distribute versions of AOO with virus and malware attached.  Again,
this is something you probably don't see in the server world, but it
is quite common with popular end-user open source software.

So trust (reputation) is important.  But we're already seeing that
trust and reputation can be hurt by lack of code signing.

> The fact that we've used GPG-signed artifacts is immaterial, imo.
>

To a savvy user the use of the detached digital signature can provide
exactly the same assurances that code signing would do.  Exactly the
same thing.  It just happens to be that the industry has moved toward
a CA model rather than a web of trust model.


> But recall in all this that even when the PMC releases code, it is
> signed by the individual RM, and not by the PMC itself.
>

Correct.  But the concerns in the thread were about individual
liability.  Having an individual signature (whether GPG/PGP or
Authenticode) certainly doesn't make the story any better.

So I wonder if the best solution here is to make it clear in the
language of the certificate that it is an "unofficial, convenience
binary"?

-Rob


Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread donald_harbison
Jim Jagielski  wrote on 08/27/2012 08:43:35 AM:

> From: Jim Jagielski 
> To: gene...@incubator.apache.org, Joe Schaefer 
> , Rob Weir , 
> Cc: "ooo-dev@incubator.apache.org" 
> Date: 08/27/2012 08:44 AM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> 
> On Aug 26, 2012, at 10:26 AM, Joe Schaefer  
wrote:
> 
> > No.  There is NO WAY IN HELL the org can indemnify
> > a volunteer who produces a binary build themselves.
> > 
> > Please don't bother asking legal-discuss to tackle this.
> > 
> 
> Here's an analogy: for a long, long time Bill Rowe has taken
> it upon himself to create binary builds of Apache httpd for
> the large Windows community. Netware binary builds are also
> occasionally released (see http://httpd.apache.org/download.cgi).
> 
> These are available right from the official httpd download
> page and located right next to the official source code,
> yet they are artifacts NOT released (officially) by the
> ASF or the httpd PMC, but are available from a "trusted"
> source.
> 
> Isn't that all the end-user cares about? And isn't that
> sufficient for AOO?

Yes, that's what end users care about. But it's not sufficient for AOO 
since we are seeking alternative distribution channels. Effort to 
exponentially expand distribution channels require code signing. These 
discussions were started on legal@ with no resolution. Sorry I don't have 
the reference for that handy.




Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Jim Jagielski
After this, please drop general@

On Aug 27, 2012, at 10:16 AM, Rob Weir  wrote:

>> 
>> A signature does 2 things:
>> 
>>  1. Ensures that no bits have been changed
>>  2. That the bits come from a known (and trusted) entity.
>> 
> 
> Almost.  It doesn't guarantee trust.

Sure it does. If something is signed by Bill or Ross, etc I
trust that it came from them. Anything else is tangential to
what a signature provides.


>  CA's don't require any specific
> level of software quality assurance before they issue a certificate.
> Any trust is implied by association with the identity of the signer.
> So it is a brand association.  This is similar to the association that
> comes with association with a project's release announcement, or from
> distribution via Apache mirrors, or links from Apache websites.  These
> all imply -- in one degree or another -- an association with Apache,
> and the trust that flows from that.
> 
> But what code signing does do is help protect ASF reputation.

Huh? All it says is that these bits originated from this entity.
If you trust that entity, then you can trust those bits. The
"reputation" stuff is part of the release process, not the signing
process.

>  By
> having the binaries signed we can distance ourselves from those who
> distribute versions of AOO with virus and malware attached.  Again,
> this is something you probably don't see in the server world, but it
> is quite common with popular end-user open source software.

Again... Huh??? WTF do you think we sign code, esp stuff destined for
the server? So the end-user is ensured that the bits came from a
trusted source.

"Oh look, I found the Apache 2.4.3 source tarball on some warez site
signed by 'Ben Dover' who has an unknown key. Looks good to me. Think
I'll install it on my website"

> 
> So trust (reputation) is important.  But we're already seeing that
> trust and reputation can be hurt by lack of code signing.

We. Sign. Code.

So I'm again unsure what the issue is... it sounds like we're talking
in circles. Can we have a real-world example? From my understanding,
Apple's App Store is likely the most onerous situation. So what, right
now, is "broken" with the AOO release process as related to the App
Store and what would need to be done to "fix" it?

If that's the wrong example, I'll take any other one.


Re: [API] Problem with currency formatter in text field

2012-08-27 Thread Carsten Demmrich

Hi Fernand,

the refresh doesn't have an effect.

// Attach the fieldmaster to the field...
userField.attachTextFieldMaster(masterPropSet);
((XRefreshable) UnoRuntime.queryInterface(XRefreshable.class, 
xTextFieldsSupplier.getTextFields())).refresh();


Am 27.08.2012 11:48, schrieb Fernand Vanrie:

Carsten ,

you need a "refresh" of the field?

hope it helps

Fernand
Hello, i have a problem with formatting of a text field. I create a 
text field in Java and insert this in a document.
The content is 0.0 and the format is the default currency. But the 
content is not formatted. The document show me 0.0 and not 0,00 €.

Why?

private void setTextField(Object[] value)
{
    try
    {
        XTextDocument xTextDocument = (XTextDocument)
            UnoRuntime.queryInterface(XTextDocument.class, oBean.getDocument());

        XController xController = xTextDocument.getCurrentController();
        XTextViewCursorSupplier xTextViewCursorSupplier = (XTextViewCursorSupplier)
            UnoRuntime.queryInterface(XTextViewCursorSupplier.class, xController);
        XTextViewCursor xDocTextCursor = xTextViewCursorSupplier.getViewCursor();

        XText xText = xDocTextCursor.getText();

        xText.insertTextContent(xDocTextCursor,
            createTextField(xTextDocument, (String) value[2], (String) value[1]),
            false);
    }
    catch (Exception e)
    {
        logger.error(e);
    }
}

private XDependentTextField createTextField(XTextDocument xTextDocument,
        String fieldName, String fieldValue)
{
    XMultiServiceFactory xMultiServiceFactory = (XMultiServiceFactory)
        UnoRuntime.queryInterface(XMultiServiceFactory.class, xTextDocument);
    XTextFieldsSupplier xTextFieldsSupplier = (XTextFieldsSupplier)
        UnoRuntime.queryInterface(XTextFieldsSupplier.class, xTextDocument);
    XNameAccess xNamedFieldMasters = xTextFieldsSupplier.getTextFieldMasters();

    XDependentTextField userField = null;
    XPropertySet masterPropSet = null;

    try
    {
        // Create the field...
        userField = (XDependentTextField)
            UnoRuntime.queryInterface(XDependentTextField.class,
                xMultiServiceFactory.createInstance("com.sun.star.text.TextField.User"));

        if (!xNamedFieldMasters.hasByName("com.sun.star.text.FieldMaster.User." + fieldName))
        {
            // Create the field master...
            masterPropSet = (XPropertySet)
                UnoRuntime.queryInterface(XPropertySet.class,
                    xMultiServiceFactory.createInstance("com.sun.star.text.FieldMaster.User"));

            // Set the field name and content...
            masterPropSet.setPropertyValue("Name", fieldName);
            masterPropSet.setPropertyValue("Content", fieldValue);

            if (fieldValue.equals("0.0"))
            {
                // Query the number formats supplier of the document
                com.sun.star.util.XNumberFormatsSupplier xNumberFormatsSupplier =
                    (com.sun.star.util.XNumberFormatsSupplier)
                    UnoRuntime.queryInterface(com.sun.star.util.XNumberFormatsSupplier.class,
                        xTextDocument);

                // Get the number formats from the supplier
                com.sun.star.util.XNumberFormats xNumberFormats =
                    xNumberFormatsSupplier.getNumberFormats();

                // Query the XNumberFormatTypes interface
                com.sun.star.util.XNumberFormatTypes xNumberFormatTypes =
                    (com.sun.star.util.XNumberFormatTypes)
                    UnoRuntime.queryInterface(com.sun.star.util.XNumberFormatTypes.class,
                        xNumberFormats);

                // Get the number format index key of the default currency
                // format,
                // note the empty locale for default locale
                com.sun.star.lang.Locale aLocale = new com.sun.star.lang.Locale();
                int nCurrencyKey =
                    xNumberFormatTypes.getStandardFormat(com.sun.star.util.NumberFormat.CURRENCY,
                        aLocale);

                XPropertySet fieldProperties = (XPropertySet)
                    UnoRuntime.queryInterface(XPropertySet.class, userField);
                fieldProperties.setPropertyValue("NumberFormat", new Integer(nCurrencyKey));
            }
        }
        else
        {
            masterPropSet = (XPropertySet)
                UnoRuntime.queryInterface(XPropertySet.class,
                    xNamedFieldMasters.getByName("com.sun.star.text.FieldMaster.User." + fieldName));
        }

        // Attach the fieldmaster to the field...
        userField.attachTextFieldMaster(masterPropSet);
    }
    catch (java.lang.Exception e)
    {
        logger.error(e);
    }
    return userField;
}

Kind regards
Carsten







Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Rob Weir
On Mon, Aug 27, 2012 at 10:38 AM, Jim Jagielski  wrote:
> After this, please drop general@
>
> On Aug 27, 2012, at 10:16 AM, Rob Weir  wrote:
>
>>>
>>> A signature does 2 things:
>>>
>>>  1. Ensures that no bits have been changed
>>>  2. That the bits come from a known (and trusted) entity.
>>>
>>
>> Almost.  It doesn't guarantee trust.
>
> Sure it does. If something is signed by Bill or Ross, etc I
> trust that it came from them. Anything else is tangential to
> what a signature provides.
>

Identity != Trust.

Identity + Reputation == Trust.

The signature only guarantees identity.

>
>>  CA's don't require any specific
>> level of software quality assurance before they issue a certificate.
>> Any trust is implied by association with the identity of the signer.
>> So it is a brand association.  This is similar to the association that
>> comes with association with a project's release announcement, or from
>> distribution via Apache mirrors, or links from Apache websites.  These
>> all imply -- in one degree or another -- an association with Apache,
>> and the trust that flows from that.
>>
>> But what code signing does do is help protect ASF reputation.
>
> Huh? All it says is that these bits originated from this entity.
> If you trust that entity, then you can trust those bits. The
> "reputation" stuff is part of the release process, not the signing
> process.
>

End users know absolutely nothing about Apache release process.  They
know brands.  So their view of trust is brand-based, not informed by
the technical minutia of Apache release process.  Of course, given a
suboptimal process, if bad releases result from this, then the brand
reputation will suffer over time.


>>  By
>> having the binaries signed we can distance ourselves from those who
>> distribute versions of AOO with virus and malware attached.  Again,
>> this is something you probably don't see in the server world, but it
>> is quite common with popular end-user open source software.
>
> Again... Huh??? WTF do you think we sign code, esp stuff destined for
> the server? So the end-user is ensured that the bits came from a
> trusted source.
>

End-users ascribe trust to brands.  With education they might learn to
ascribe trust to validated/signed binaries based on the identity of
the signer.  But this has not been a great success in the web world,
with SSL certificates, etc.  Phishing is an industry now.

This is why the OS vendors are now close to mandating signed code.
End-users cannot be trusted to verify trust on their own.   If you
want to wear a tin foil hat, you can also see this probably leading to
the U.S. Government holding a "kill switch" on software, via
certification revocations, based on any malware that comes out with a
signature.

> "Oh look, I found the Apache 2.4.3 source tarball on some warez site
> signed by 'Ben Dover' who has an unknown key. Looks good to me. Think
> I'll install it on my website"
>

Today it is more likely that they see a binary called "OpenOffice",
with or without the Apache name, and without verifying the signature,
the user just installs it.  That is the sad state of end-user security
awareness today.

This is not going to get better by technology alone.  It will require
user education as well.

>>
>> So trust (reputation) is important.  But we're already seeing that
>> trust and reputation can be hurt by lack of code signing.
>
> We. Sign. Code.
>

AOO does not currently do this, at least not in a form that end users
can verify with their tool and skill set.  But we're working on it.

> So I'm again unsure what the issue is... it sounds like we're talking
> in circles. Can we have a real-world example? From my understanding,
> Apple's App Store is likely the most onerous situation. So what, right
> now, is "broken" with the AOO release process as related to the App
> Store and what would need to be done to "fix" it?
>

Honestly?  I never said there was an issue.  I merely forwarded, as
required, the community graduation vote post to the IPMC.  But since I
did that I've heard no end of criticisms. A quick summary is:

1) The AOO 3.4.1 release ballot is defective because it refers to
binaries and Apache does not release binaries

2) Something (unspecified, though I asked on numerous occasions) about
the AOO binaries does not conform with unwritten (though I asked on
numerous occasions) ASF policy on binaries.

3) The AOO podling should not graduate because it has an ungodly
emphasis on binaries

4) The AOO podling has some unresolved issues regarding their binaries
that they need to resolve before graduation

5) The AOO podling should bring up some (unstated, though I asked on
numerous occasions) questions to legal-discuss

6) The AOO podling should bring up some (unstated, though I asked
on numerous occasions) questions to Infra

7) The AOO podling is going to ignore ASF policy and do whatever it
wants when it graduates.

8) Inchoate FUD about liability and indemnification

9) Then it morphed i

Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Daniel Shahaf
Jim Jagielski wrote on Mon, Aug 27, 2012 at 10:38:15 -0400:
> After this, please drop general@
> 
> On Aug 27, 2012, at 10:16 AM, Rob Weir  wrote:
> 
> >> 
> >> A signature does 2 things:
> >> 
> >>  1. Ensures that no bits have been changed
> >>  2. That the bits come from a known (and trusted) entity.
> >> 
> > 
> > Almost.  It doesn't guarantee trust.
> 
> Sure it does. If something is signed by Bill or Ross, etc I
> trust that it came from them. Anything else is tangential to
> what a signature provides.

A signature ties a file to a public key, and then "trusted?" is an
attribute of the public key.  Signatures do not provide trust by
themselves (i.e., without some means to establish trust in the public
keys).
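
The distinction drawn in the messages above (a signature binds bytes to a public key; whether that key is trusted is a separate lookup) is shown below as an added example, not code from the thread or from any Apache project. It uses toy textbook RSA over small fixed primes; the key owners, artifact bytes and status names are constructed for illustration and the scheme is insecure by design.

```python
"""Added illustration: signature validity and key trust are separate checks.

Toy textbook RSA with fixed, publicly known primes (constructed, insecure).
Real releases use OpenPGP detached signatures or platform code signing.
"""
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by both constructed keys


@dataclass(frozen=True)
class PublicKey:
    owner: str
    n: int

    @property
    def fingerprint(self) -> str:
        # Short identifier derived from the key material itself.
        return hashlib.sha256(str(self.n).encode()).hexdigest()[:16]


@dataclass(frozen=True)
class PrivateKey:
    public: PublicKey
    d: int


def make_key(owner: str, p: int, q: int) -> PrivateKey:
    """Build a toy RSA key pair from two known primes."""
    d = pow(E, -1, (p - 1) * (q - 1))
    return PrivateKey(PublicKey(owner, p * q), d)


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the artifact, reduced into the key's modulus (toy padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key: PrivateKey, artifact: bytes) -> dict:
    """Return a detached signature: signer fingerprint plus signature value."""
    n = key.public.n
    return {"fpr": key.public.fingerprint,
            "sig": pow(digest(artifact, n), key.d, n)}


def verify(artifact: bytes, signature: dict, keyring: dict, trusted: set) -> str:
    """Check integrity first, then consult the verifier's own trust decision."""
    key = keyring.get(signature["fpr"])
    if key is None:
        return "NO_PUBLIC_KEY"            # cannot say anything about the bytes
    if pow(signature["sig"], E, key.n) != digest(artifact, key.n):
        return "BAD_SIGNATURE"            # bits changed after signing
    if key.fingerprint not in trusted:
        return "GOOD_SIGNATURE_UNTRUSTED_KEY"  # intact, but signed by whom?
    return "GOOD_SIGNATURE_TRUSTED_KEY"


# Constructed keys: a release manager the verifier trusts, and an unknown signer.
RM_KEY = make_key("release manager (constructed)", 2**127 - 1, 2**89 - 1)
UNKNOWN_KEY = make_key("unknown signer (constructed)", 2**107 - 1, 2**61 - 1)

KEYRING = {k.public.fingerprint: k.public for k in (RM_KEY, UNKNOWN_KEY)}
TRUSTED = {RM_KEY.public.fingerprint}  # trust is the verifier's attribute of a key

RELEASE = b"constructed release artifact bytes"
REPACKED = RELEASE + b" plus bundled extras"


def demo() -> dict:
    """Run the four cases a downloader can meet."""
    official_sig = sign(RM_KEY, RELEASE)
    return {
        "official": verify(RELEASE, official_sig, KEYRING, TRUSTED),
        "modified, old signature": verify(REPACKED, official_sig, KEYRING, TRUSTED),
        "modified, re-signed": verify(REPACKED, sign(UNKNOWN_KEY, REPACKED),
                                      KEYRING, TRUSTED),
        "key never imported": verify(RELEASE, official_sig, {}, TRUSTED),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:26s} {status}")
```

The re-signed case is mathematically valid and still fails the trust check; that check depends entirely on which keys the verifier has chosen to trust.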


Re: Open-office downloading site - FLV player advertisement

2012-08-27 Thread Issac Goldstand
Maybe I'm missing something, but how is trying to police 3rd party
(Google) ads on a 3rd party (SF) distribution link a real concern of
this PPMC?

Adverts (and the downloads to go along with this) have been popular on
massive download portals for years, and will be for years to come. 
They're usually guaranteed to be virus/spyware-free because the
advertising networks, like Google in this case, have strict policies on
what software can be advertised like this - at least for the major
players in the Electronic Software Distribution industry.  And if
they're really not legit, you can bet they're playing cat-and-mouse with
the AV vendors, too.  And at the end of the day, there's too much money
on the line for all of the players involved for this kind of ads to be
completely cut, unless we gave up leveraging SF's distribution network,
which we really probably don't want to do, although I'd be happy to be
corrected if someone from infra disagrees.

  Issac

On 27/08/2012 05:52, Roberto Galoppini wrote:
> On Sun, Aug 26, 2012 at 10:54 PM, Fernando Cassia  wrote:
>
>> On Sun, Aug 26, 2012 at 5:19 PM, Roberto Galoppini >> wrote:
>>> actually in different geographies are displayed different ads, and I need
>>> the actual URL to eventually report internally issues with malware. Can
>> you
>>> help me with that?
>>>
>> Yes, sure,
>>
>> destination URL is
>>
>> http://googleads.g.doubleclick.net/aclk?sa=l&ai=BCRkjin46UKfLB-Oh6AHC3YDADcewquYCx6ODs0-_z4ayggGgnAEQARgBIOHmmwI4AFDPo7Wh-P8BYKGAgIAooAGxsdPfA7IBD3NvdXJjZWZvcmdlLm5ldLoBETMwMHgyNTBfcGFzX2FiZ25jyAEC2gGNAWh0dHA6Ly9zb3VyY2Vmb3JnZS5uZXQvcHJvamVjdHMvb3Blbm9mZmljZW9yZy5taXJyb3IvZmlsZXMvc3RhYmxlLzMuNC4xL0FwYWNoZV9PcGVuT2ZmaWNlX2luY3ViYXRpbmdfMy40LjFfV2luX3g4Nl9pbnN0YWxsX2VuLVVTLmV4ZS9kb3dubG9hZPgBAcACCcgCp8fbIqgDAfUDAAQAgPUDEKAGAuAGv4uhIQ&num=1&sig=AOD64_2QTgRUfp_AjSv0IdpcBux87BneTA&client=ca-ostg_js&adurl=http://www.superbvideoconverter.com/gb/si/%3Fadnm%3D21227763559%26i%3Ds%26grid%3DA%26lg%3DEN%26cc%3DAR%26clg%3Den%26c%3D1%26d%3D1%26cid%3D_97893889%26kw%3D%26mn%3Dsourceforge.net%26Network%3DD%26expr%3D%26agid%3D_9599537584
>>
> Think this is a different one, though. Supervideoconverter seems to be
> virus-free.
> Also FLV videoplayer, at least the one I have been able to find googling,
> seems to be virus-free.
> It must be said that without the exact URL I can't check if that version of
> FLV videoplayer is virus-free.
>
> Roberto
>
>
>
>> And source image is
>> http://pagead2.googlesyndication.com/simgad/15861613925973749392
>>
>> cached for the record, here:
>> http://the13thfloor.org/sf-rogue-adverts/
>>
>> and fwiw I get that while coming from an Argentina IP (186.142.241.x subnet
>> - Claro FFTH - www.claro.com.ar)
>>
>> FC
>>
>> --
>> During times of Universal Deceit, telling the truth becomes a revolutionary
>> act
>> Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto
>> Revolucionario
>> - George Orwell
>>



Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Joe Schaefer
Bullshit.  The policy is as old as the org itself and applies equally
to every project in the org including this one.  Rob, if you had the vaguest
clue about the history of what the httpd project produces you would have
some idea of what the written policy is meant to cover.  People who don't bother
to look often wind up making ignorant remarks about the written policy;
such is the nature of orgs which have zero educational standards for
participation at any level.

Policy writing itself is a long and painful process in a bottom-up org.
Very few people have enough experience with the diversity of our projects
to ensure the policy accurately reflects current activity.  The only person
who I've seen be consistently successful is Roy, and even then not without
input from others.

You are welcome to get off your armchair and participate constructively
with others who care about the policy documentation over on site-dev@.
Otherwise I suggest you drop the antagonistic and over-the-top prose.


Re: OpenOffice.org Business Partnership Inquiry

2012-08-27 Thread Donald Whytock
Duplicate of 21 June letter.

On Mon, Aug 27, 2012 at 2:17 AM, fa...@filepuma.com  wrote:
> Hi OpenOffice.org Webmaster,
>
> I'm sorry to bother you.
> I am Faith from Filepuma.com. I write to you just to consult whether we can 
> have a potential chance to cooperate with you. And recently we have updated 
> your product at our site that you can have a visit.
>
> Filepuma.com is a website for providing the simplest method of downloading 
> the newest versions of the best software, and we are not focusing on quantity 
> but quality. To make your downloads as fast as possible, we provide very fast 
> servers with 100Mb connections.
>
> You are really a great tool and OpenOffice.org enjoys great reputation among 
> users. We're very interested in becoming the mirror for OpenOffice.org 
> download. I'm sure our partnership can guarantee you great advantages. We can 
> do a few things to promote your program like newsletter mentions and 
> front-page exposure.
>
> If you have any other ideas we are very open and happy to discuss them on 
> becoming OpenOffice.org's mirror download link. What we want to have is a 
> win-win relationship that benefits us both. We strongly think that business 
> cooperation between you and us will be a wise decision, and both of us can 
> have more triumphs.
>
> Looking forward to receiving your feedback very much. Thanks for your time.
>
> P.S. If answering mails like this one is not among your daily tasks, please 
> forward it to the appropriate executive. Thanks again.
>
> Best regards,
>
> Faith Lee
> fa...@filepuma.com
> Filepuma.com
>


Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Rob Weir
On Mon, Aug 27, 2012 at 12:10 PM, Joe Schaefer  wrote:
> Bullshit.  The policy is as old as the org itself and applies equally
>

The problem is that when someone questions what the policy is, as
several IPMC members have already, the response goes no further than
yelling that the policy is well-known, obvious, unambiguous, clear,
etc.  No one is questioning the age or the equal application of the
policy.

Shutting down the discussion, without resolving the issue, just leads
to it emerging later at another point.  In fact, if you go back to the
general.i.a.o discussion from June 2011, when the AOO podling was
first proposed, some of the same concerns were raised by some of the
same IPMC members.  They were not resolved then.  They were not
resolved this time.  What do you think happens next?  Do you really
think that there is clarity now and this will not just come back
again, weeks or months later?

The IPMC is welcome to run themselves as they wish.  But I sincerely
hope that the AOO project will not emulate or tolerate this kind of
behavior and interaction.  It is very unwelcoming to newcomers to have
that mixture of condescension and bullying when questions are asked.

> to every project in the org including this one.  Rob, if you had the vaguest
> clue about the history of what the httpd project produces you would have
> some idea of what the written policy is meant to cover.  People who don't bother
> to look often wind up making ignorant remarks about the written policy;
> such is the nature of orgs which have zero educational standards for
> participation at any level.
>

Certainly unwritten policies are even more susceptible to ignorant remarks.

> Policy writing itself is a long and painful process in a bottom-up org.
> Very few people have enough experience with the diversity of our projects
> to ensure the policy accurately reflects current activity.  The only person
> who I've seen be consistently successful is Roy, and even then not without
> input from others.
>

I appreciate the challenges of writing organizational policies.  I've
done this in other organizations.  But as you say, this policy "is as
old as the org itself ", and yet when it is shown that those who are
charged with implementing the policy for podlings (IPMC members)
cannot agree on what the policy is, there is still great resistance to
writing it down, amounting to even personal attacks against those who
even suggest doing this.

> You are welcome to get off your armchair and participate constructively
> with others who care about the policy documentation over on site-dev@.

Indeed I did propose a statement of the policy.  I believe I'm the
only one who did.  But at the same time others posted that it would be
unwelcome to make any website changes without further discussion.

> Otherwise I suggest you drop the antagonistic and over-the-top prose.

I sincerely hope that nothing I said is taken as antagonistic.

Regards,

-Rob


Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Joe Schaefer
The release documentation has far more precision in it than
a casual glance would indicate.  There is no good reason to
write about every associated topic in a policy document.
I'm not going to read /dev/release.html to you personally Rob
but I will point out that several people including the IPMC
chair have been consistently referencing and quoting the doc
to you so that you may better equip yourself to reason about
the policy through the document.


Yes there is a reason newspapers are written to an 8th grade
level but laws are written for experts in the field.  Different
target audiences with totally different fields of applicability.




- Original Message -
> From: Rob Weir 
> To: ooo-dev@incubator.apache.org
> Cc: 
> Sent: Monday, August 27, 2012 12:34 PM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> On Mon, Aug 27, 2012 at 12:10 PM, Joe Schaefer  
> wrote:
>>  Bullshit.  The policy is as old as the org itself and applies equally
>> 
> 
> The problem is that when someone questions what the policy is, as
> several IPMC members have already, the response goes no further than
> yelling that the policy is well-known, obvious, unambiguous, clear,
> etc.  No one is questioning the age or the equal application of the
> policy.
> 
> Shutting down the discussion, without resolving the issue, just leads
> to it emerging later at another point.  In fact, if you go back to the
> general.i.a.o discussion from June 2011, when the AOO podling was
> first proposed, some of the same concerns were raised by some of the
> same IPMC members.  They were not resolved then.  They were not
> resolved this time.  What do you think happens next?  Do you really
> think that there is clarity now and this will not just come back
> again, weeks or months later?
> 
> The IPMC is welcome to run themselves as they wish.  But I sincerely
> hope that the AOO project will not emulate or tolerate this kind of
> behavior and interaction.  It is very unwelcoming to newcomers to have
> that mixture of condescension and bullying when questions are asked.
> 
>>  to every project in the org including this one.  Rob, if you had the 
> vaguest
>>  clue about the history of what the httpd project produces you would have
>>  some idea of what the written policy is meant to cover.  People who 
> don't bother
>>  to look often wind up making ignorant remarks about the written policy;
>>  such is the nature of orgs which have zero educational standards for
>>  participation at any level.
>> 
> 
> Certainly unwritten policies are even more susceptible to ignorant remarks.
> 
>>  Policy writing itself is a long and painful process in a bottom-up org.
>>  Very few people have enough experience with the diversity of our projects
>>  to ensure the policy accurately reflects current activity.  The only person
>>  who I've seen be consistently successful is Roy, and even then not 
> without
>>  input from others.
>> 
> 
> I appreciate the challenges of writing organizational policies.  I've
> done this in other organizations.  But as you say, this policy "is as
> old as the org itself ", and yet when it is shown that those who are
> charged with implementing the policy for podlings (IPMC members)
> cannot agree on what the policy is, there is still great resistance to
> writing it down, amounting to even personal attacks against those who
> even suggest doing this.
> 
>>  You are welcome to get off your armchair and participate constructively
>>  with others who care about the policy documentation over on site-dev@.
> 
> Indeed I did propose a statement of the policy.  I believe I'm the
> only one who did.  But at the same time others posted that it would be
> unwelcome to make any website changes without further discussion.
> 
>>  Otherwise I suggest you drop the antagonistic and over-the-top prose.
> 
> I sincerely hope that nothing I said is taken as antagonistic.
> 
> Regards,
> 
> -Rob
>


Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Rob Weir
On Mon, Aug 27, 2012 at 12:45 PM, Joe Schaefer  wrote:
> The release documentation has far more precision in it than
> a casual glance would indicate.  There is no good reason to
> write about every associated topic in a policy document.
> I'm not going to read /dev/release.html to you personally Rob
> but I will point out that several people including the IPMC
> chair have been consistently referencing and quoting the doc
> to you so that you may better equip yourself to reason about
> the policy through the document.
>

Joe, this isn't about my knowledge.  I believe I have accurate
knowledge of ASF release-related policies.  The issues that I listed
-- the open questions -- they were not from me.  These were from IPMC
members, those who were voted in as ASF Members and then accepted as
IPMC members.  Those were their assertions.  You might be able to
dismiss their concerns easily.  As a PPMC member I cannot.  They all
have a vote on AOO.  I need to treat their concerns with some degree
of respect.

So the question is not what I know, but how to respond to IPMC members
who raise points of the variety that you eloquently termed "bullshit"?

One way is to simply yell them down, say repeatedly that this is not
an issue, that policy is crystal clear, that anyone who disagrees has
subhuman mental capabilities, etc.  That is the route that some took.

Another way is to first agree with precision on what the policy
actually is and to ask for specific concerns with regards to AOO and
that policy.  That was the route I was taking.

So I think we have the same view of some of the nonsense that was
expressed on the list, as well as a similar view on what ASF policy
actually is.

Perhaps we differ on how to resolve conflicts when they occur?   In
any case what works for you probably would not work for me.  So I'll
continue, in situations like these, to calmly seek clarity and
consensus.

Good cop, bad cop?

Regards,

-Rob

>
> Yes there is a reason newspapers are written to an 8th grade
> level but laws are written for experts in the field.  Different
> target audiences with totally different fields of applicability.

Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Greg Stein
On Aug 27, 2012 9:57 AM, "Jim Jagielski"  wrote:
>...
> But recall in all this that even when the PMC releases code, it is
> signed by the individual RM, and not by the PMC itself.

Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd
say they are signed by the PMC. For example:

https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc

Cheers,
-g


Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Joe Schaefer
I oppose anything that generates more off-topic mailing list traffic.
Collaborative discussions surrounding documented policy belong on site-dev@.
Everything else is a waste of time for all concerned.



- Original Message -
> From: Rob Weir 
> To: ooo-dev@incubator.apache.org; Joe Schaefer 
> Cc: 
> Sent: Monday, August 27, 2012 1:02 PM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> On Mon, Aug 27, 2012 at 12:45 PM, Joe Schaefer  
> wrote:
>>  The release documentation has far more precision in it than
>>  a casual glance would indicate.  There is no good reason to
>>  write about every associated topic in a policy document.
>>  I'm not going to read /dev/release.html to you personally Rob
>>  but I will point out that several people including the IPMC
>>  chair have been consistently referencing and quoting the doc
>>  to you so that you may better equip yourself to reason about
>>  the policy through the document.
>> 
> 
> Joe, this isn't about my knowledge.  I believe I have accurate
> knowledge of ASF release-related policies.  The issues that I listed
> -- the open questions -- they were not from me.  These were from IPMC
> members, those who were voted in as ASF Members and then accepted as
> IPMC members.  Those were their assertions.  You might be able to
> dismiss their concerns easily.  As a PPMC member I cannot.  They all
> have a vote on AOO.  I need to treat their concerns with some degree
> of respect.
> 
> So the question is not what I know, but how to respond to IPMC members
> who raise points of the variety that you eloquently termed "bullshit"?
> 
> One way is to simply yell them down, say repeatedly that this is not
> an issue, that policy is crystal clear, that anyone who disagrees has
> subhuman mental capabilities, etc.  That is the route that some took
> 
> Another way is to first agree with precision on what the policy
> actually is and to ask for specific concerns with regards to AOO and
> that policy.  That was the route I was taking.
> 
> So I think we have the same view of some of the nonsense that was
> expressed on the list, as well as a similar view on what ASF policy
> actually is.
> 
> Perhaps we differ on how to resolve conflicts when they occur?   In
> any case what works for you probably would not work for me.  So I'll
> continue, in situations like these, to calmly seek clarity and
> consensus.
> 
> Good cop, bad cop?
> 
> Regards,
> 
> -Rob
> 
>> 
>>  Yes there is a reason newspapers are written to an 8th grade
>>  level but laws are written for experts in the field.  Different
>>  target audiences with totally different fields of applicability.

Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Joe Schaefer
Which better agrees with written policy anyway- the sigs
are part of the release package to be voted on and voted on
by the PMC, so even tho it constitutes individual sigs
those sigs (well at least the RM's sig) are PMC-approved.




- Original Message -
> From: Greg Stein 
> To: gene...@incubator.apache.org
> Cc: "ooo-dev@incubator.apache.org" 
> Sent: Monday, August 27, 2012 1:03 PM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> On Aug 27, 2012 9:57 AM, "Jim Jagielski"  
> wrote:
>> ...
>>  But recall in all this that even when the PMC releases code, it is
>>  signed by the individual RM, and not by the PMC itself.
> 
> Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd
> say they are signed by the PMC. For example:
> 
> https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc
> 
> Cheers,
> -g
> 


Help with 3.4.1 announcement questions on blog

2012-08-27 Thread Rob Weir
By default blog questions are held for moderation.  I just checked and
we had quite a few comments.   I let the non-spam ones through:

https://blogs.apache.org/OOo/entry/announcing_apache_openoffice_3_41#comments

I responded to one, but since there are a few of them I could use some
help responding.  Note:  no Roller account is required to respond to a
comment.

Thanks!

-Rob


Re: Extension downloading problem

2012-08-27 Thread drew
On Sun, 2012-08-26 at 19:17 +0200, Roberto Galoppini wrote:
> On Sun, Aug 26, 2012 at 1:53 PM, Andrea Pescetti wrote:
> 
> > Rob Weir wrote:
> >
> >> Also, I wonder if it would be worth submitting a patch for Apache.  It
> >> looks like they have the other content types used by OpenOffice, but
> >> not oxt files:
> >> http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types
> >>
> >
> > Actually, it seems it's already been there for a while:
> > $ svn annotate mime.types  | grep oxt
> > 571614   fielding application/vnd.openofficeorg.extension oxt
> > $ svn log | grep 571614
> > r571614 | fielding | 2007-08-31 23:57:29 +0200(ven, 31 ago 2007) | 3 lines
> >
> > and if I put an extension on my people.apache.org account I see it's
> > served correctly (of course, this has nothing to do with the problem under
> > discussion; but if problems come from an incorrect MIME type, then people
> > reporting the problem should be able to download
> > http://people.apache.org/~pescetti/tmp/dict-it.oxt
> > correctly).
> >
> 
> I confirm your suspects, it's a MIME config issue. I tested SourceForge
> master, that works just fine, but not all mirrors do manage it correctly.
> As a short-term solution for all extensions - either hosted at SourceForge
> or at third party website - we report the following note:
> 
> *Note: some browsers may download the extension as a .zip file; if this
> happens rename the downloaded file from .zip to .oxt*
> 
> We can then run a communication plan to inform both mirror and
> third-parties.

Hi,

Yes - very good idea on the notice.

On the mime config, if I can help with this anyway - for example if
there is a list of the  mirrors available through the extension download
site I have a copy of IE/Vista which faithfully produces the .zip file
for octet/streams and I would be willing to try it on all the mirrors.
I'd think reporting on success would best be to you direct, I wouldn't
want to come off as demanding here (@Roberto - if that would help, I
will).

Unless - I'm assuming it is not that ning servers don't support it, is
it worth the time (I'll do so if someone thinks so) to actually check at
the project?

Best,

//drew

> 
> Roberto
> 
> 
> >
> > Regards,
> >   Andrea.
> >
> 
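
The mirror check discussed in this message, as an added example that is not part of the original thread: it parses `mime.types`-format text for the `.oxt` mapping quoted above and classifies response headers from each mirror. The hostnames, header sets and verdict names are constructed for illustration.

```python
"""Audit how download mirrors label OpenOffice extension (.oxt) files."""
import posixpath
from email.message import Message
from urllib.parse import urlsplit

# Constructed excerpt in Apache mime.types format. The oxt mapping is the one
# quoted in the thread; the other lines are filler for the parser.
MIME_TYPES_SAMPLE = """\
# MIME type (lowercased)                        Extensions
application/vnd.oasis.opendocument.text         odt
application/vnd.openofficeorg.extension         oxt
# application/x-example
application/zip                                 zip
"""

GENERIC_TYPES = {"", "application/octet-stream", "text/plain"}
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}

# Constructed responses: hostnames and header sets are invented for the example.
SAMPLE_RESPONSES = [
    ("http://master.example/ext/dict-it.oxt",
     {"Content-Type": "application/vnd.openofficeorg.extension"}),
    ("http://mirror-a.example/ext/dict-it.oxt",
     {"content-type": "application/octet-stream"}),
    ("http://mirror-b.example/ext/dict-it.oxt?use_mirror=b",
     {"Content-Type": "application/zip; charset=binary"}),
    ("http://mirror-c.example/ext/dict-it.oxt",
     {"Content-Type": "application/vnd.openofficeorg.extension",
      "Content-Disposition": 'attachment; filename="dict-it.zip"'}),
    ("http://mirror-d.example/ext/dict-it.oxt",
     {"Content-Type": "application/octet-stream",
      "X-Content-Type-Options": "nosniff"}),
]


def parse_mime_types(text):
    """Return {extension: media type} from mime.types-formatted text."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        media_type, *extensions = line.split()
        for ext in extensions:
            mapping[ext.lower()] = media_type.lower()
    return mapping


def _get(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def audit_download(url, headers, mime_map):
    """Classify one response as a (verdict, detail) pair."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lstrip(".").lower()
    expected = mime_map.get(ext)
    if expected is None:
        return ("unknown-extension", ext)

    # A Content-Disposition filename overrides the URL's name in the browser.
    msg = Message()
    disposition = _get(headers, "Content-Disposition")
    if disposition:
        msg["Content-Disposition"] = disposition
    filename = msg.get_filename() or ""
    if filename and not filename.lower().endswith("." + ext):
        return ("renamed", filename)

    served = _get(headers, "Content-Type").split(";", 1)[0].strip().lower()
    if served == expected:
        return ("ok", served)
    if served in ZIP_TYPES:
        return ("zip-labelled", served)
    if served in GENERIC_TYPES:
        # An .oxt file is a ZIP container, so a browser that content-sniffs a
        # generic type can recognise it as ZIP and save it with a .zip name.
        nosniff = _get(headers, "X-Content-Type-Options").lower() == "nosniff"
        return ("generic-nosniff" if nosniff else "generic-sniffable",
                served or "(none)")
    return ("mismatch", served)


def audit_all(responses=SAMPLE_RESPONSES, mime_text=MIME_TYPES_SAMPLE):
    """Audit every (url, headers) pair and return [(url, verdict), ...]."""
    mime_map = parse_mime_types(mime_text)
    return [(url, audit_download(url, hdrs, mime_map)[0])
            for url, hdrs in responses]


if __name__ == "__main__":
    for url, verdict in audit_all():
        print(f"{verdict:18} {url}")
```

The header dictionaries can be filled from the output of `curl -sI <url>` against each mirror.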




Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Jim Jagielski
+1.
On Aug 27, 2012, at 1:07 PM, Joe Schaefer  wrote:

> Which better agrees with written policy anyway- the sigs
> are part of the release package to be voted on and voted on
> by the PMC, so even tho it constitutes individual sigs
> those sigs (well at least the RM's sig) are PMC-approved.
> 
> 
> 
> 
> - Original Message -
>> From: Greg Stein 
>> To: gene...@incubator.apache.org
>> Cc: "ooo-dev@incubator.apache.org" 
>> Sent: Monday, August 27, 2012 1:03 PM
>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>> 
>> On Aug 27, 2012 9:57 AM, "Jim Jagielski"  
>> wrote:
>>> ...
>>> But recall in all this that even when the PMC releases code, it is
>>> signed by the individual RM, and not by the PMC itself.
>> 
>> Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd
>> say they are signed by the PMC. For example:
>> 
>> https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc
>> 
>> Cheers,
>> -g
>> 
> 
> 



Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Jim Jagielski

On Aug 27, 2012, at 11:21 AM, Rob Weir  wrote:

> 
> Identity != Trust.
> 
> Identity + Reputation == Trust.
> 
> The signature only guarantees identity.

Signature does not guarantee reputation though. The point
is that reputation is dependent upon identity. And
identity is ensured via some sort of signature. And
a signature does *nothing* to guarantee "trust" in
and of itself.

> 
> End users know absolutely nothing about Apache release process.  They
> know brands.  So their view of trust is brand-based, not informed by
> the technical minutia of Apache release process.  Of course, given a
> suboptimal process, if bad releases result from this, then the brand
> reputation will suffer over time.
> 

Again, I have no idea what you are talking about.

People trust the Apache brand.
They download Apache "stuff" from somewhere.
That stuff is signed by an entity that is associated
with the Apache brand.

What the "release process is" is moot.

> 
> Today it is more likely that they see a binary called "OpenOffice",
> with or without the Apache name, and without verifying the signature,
> the user just installs it.  That is the sad state of end-user security
> awareness today.
> 
> This is not going to get better by technology alone.  It will require
> user education as well.
> 

Agreed... 

> 
> 1) The AOO 3.4.1 release ballot is defective because it refers to
> binaries and Apache does not release binaries

The ASF releases code. PMCs vote on a SVN tag and on a release tarball
(distribution) made from that tag. There is a direct and easily
followed path between the bits the end-user gets and the bits that
the PMC has determined as "the release."

The issue with voting on "just" a binary release is how is the
provenance of the code ensured... If I get a binary how can I,
as an end-user, ensure that the binary was based on the official bits
and was built in a way that didn't muck around with those bits.
*THAT* is what the AOO PPMC needs to work thru, since most end-users
don't care, or shouldn't care, doesn't mean that the PMC/PPMC
can just wing it. Nor can it consider the binaries as "more important"
than the code.

One possible scenario: The AOO PPMC/PMC is ready for a release
and someone steps up to RM. He/she does the normal process and
a release tag is created. At that point, binary RMs step up
and, using that tag and a well-defined (and trackable) process,
create binaries and then sign those binaries. In fact, that was/is
my intent on wanting to be on the AOO PMC is to be the Apple OSX
RM (that is, take on that responsibility).


Re: Help with 3.4.1 announcement questions on blog

2012-08-27 Thread drew
On Mon, 2012-08-27 at 13:22 -0400, Rob Weir wrote:
> By default blog questions are held for moderation.  I just checked and
> we had quite a few comments.   I let the non-spam ones through:
> 
> https://blogs.apache.org/OOo/entry/announcing_apache_openoffice_3_41#comments
> 
> I responded to one, but since there are a few of them I could use some
> help responding.  Note:  no Roller account is required to respond to a
> comment.
> 
> Thanks!
> 
> -Rob
> 

Darn - there are a few - are you sure about anyone being able to comment
- I'm there right now and can't see a way to reply (I see two for which
I could do so right off)

//drew




RE: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Dennis E. Hamilton
There is a missing distinction here.

The discussion about signed binaries is not about external signatures of the 
kind used by release managers and others, nor about the external digests and 
signatures that might be obtained in conjunction with a download.

The signing of code that I am talking about, and that others are talking about 
(at least in part), has to do with embedded signatures that consumer operating 
systems notice and check and that are part of the artifact.  These signatures 
are used (and typically required for application certification) by Microsoft, 
Apple, Adobe, and others.  The requirement for them is not decreasing.

The discussion with regard to trust and the presumed reputation of the signer 
has merit, but it is not satisfied by external signatures in the case of 
download distributions to modern consumer platforms.

 - Dennis

PS: I love it that when recognized authorities ask that a discussion be moved 
off of a particular list and then everyone piles on that list with a vengeance. 
 This message is *not* being copied to general@ i.a.o.  

-Original Message-
From: Joe Schaefer [mailto:joe_schae...@yahoo.com] 
Sent: Monday, August 27, 2012 10:07
To: gene...@incubator.apache.org
Cc: ooo-dev@incubator.apache.org
Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote

Which better agrees with written policy anyway- the sigs
are part of the release package to be voted on and voted on
by the PMC, so even tho it constitutes individual sigs
those sigs (well at least the RM's sig) are PMC-approved.




- Original Message -
> From: Greg Stein 
> To: gene...@incubator.apache.org
> Cc: "ooo-dev@incubator.apache.org" 
> Sent: Monday, August 27, 2012 1:03 PM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> On Aug 27, 2012 9:57 AM, "Jim Jagielski"  
> wrote:
>> ...
>>  But recall in all this that even when the PMC releases code, it is
>>  signed by the individual RM, and not by the PMC itself.
> 
> Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd
> say they are signed by the PMC. For example:
> 
> https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc
> 
> Cheers,
> -g
> 



Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Joe Schaefer
Why do you persist in hijacking this thread Dennis?
Read the Subject again and ask yourself why you
are pursuing this line of inquiry here again-
it's just confusing people because you're asking
for new policy to be written and adopted at the
same time other people are arguing with each other
about current policy and how it applies to AOO.

Just let this discussion die please without further
ado- you need not reply again here to acknowledge
my request.





>
> From: Dennis E. Hamilton 
>To: ooo-dev@incubator.apache.org 
>Cc: j...@jagunet.com 
>Sent: Monday, August 27, 2012 1:52 PM
>Subject: RE: [VOTE] Apache OpenOffice Community Graduation Vote
> 
>There is a missing distinction here.
>
>The discussion about signed binaries is not about external signatures of the 
>kind used by release managers and others, nor about the external digests and 
>signatures that might be obtained in conjunction with a download.
>
>The signing of code that I am talking about, and that others are talking about 
>(at least in part), has to do with embedded signatures that consumer operating 
>systems notice and check and that are part of the artifact.  These signatures 
>are used (and typically required for application certification) by Microsoft, 
>Apple, Adobe, and others.  The requirement for them is not decreasing.
>
>The discussion with regard to trust and the presumed reputation of the signer 
>has merit, but it is not satisfied by external signatures in the case of 
>download distributions to modern consumer platforms.
>
>- Dennis
>
>PS: I love it that when recognized authorities ask that a discussion be moved 
>off of a particular list and then everyone piles on that list with a 
>vengeance.  This message is *not* being copied to general@ i.a.o.  
>
>-Original Message-
>From: Joe Schaefer [mailto:joe_schae...@yahoo.com] 
>Sent: Monday, August 27, 2012 10:07
>To: gene...@incubator.apache.org
>Cc: ooo-dev@incubator.apache.org
>Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>
>Which better agrees with written policy anyway- the sigs
>are part of the release package to be voted on and voted on
>by the PMC, so even tho it constitutes individual sigs
>those sigs (well at least the RM's sig) are PMC-approved.
>
>
>
>
>- Original Message -
>> From: Greg Stein 
>> To: gene...@incubator.apache.org
>> Cc: "ooo-dev@incubator.apache.org" 
>> Sent: Monday, August 27, 2012 1:03 PM
>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>> 
>> On Aug 27, 2012 9:57 AM, "Jim Jagielski"  
>> wrote:
>>> ...
>>>  But recall in all this that even when the PMC releases code, it is
>>>  signed by the individual RM, and not by the PMC itself.
>> 
>> Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd
>> say they are signed by the PMC. For example:
>> 
>> https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc
>> 
>> Cheers,
>> -g
>> 
>
>
>
>

Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Jim Jagielski
And so I get back to my question... How is this new "requirement" substantially
different from the kind of signing we do today?

And please notice the word "substantially".

On Aug 27, 2012, at 1:52 PM, Dennis E. Hamilton  wrote:

> There is a missing distinction here.
> 
> The discussion about signed binaries is not about external signatures of the 
> kind used by release managers and others, nor about the external digests and 
> signatures that might be obtained in conjunction with a download.
> 
> The signing of code that I am talking about, and that others are talking 
> about (at least in part), has to do with embedded signatures that consumer 
> operating systems notice and check and that are part of the artifact.  These 
> signatures are used (and typically required for application certification) by 
> Microsoft, Apple, Adobe, and others.  The requirement for them is not 
> decreasing.
> 
> The discussion with regard to trust and the presumed reputation of the signer 
> has merit, but it is not satisfied by external signatures in the case of 
> download distributions to modern consumer platforms.
> 
> - Dennis
> 
> PS: I love it that when recognized authorities ask that a discussion be moved 
> off of a particular list and then everyone piles on that list with a 
> vengeance.  This message is *not* being copied to general@ i.a.o.  
> 
> -Original Message-
> From: Joe Schaefer [mailto:joe_schae...@yahoo.com] 
> Sent: Monday, August 27, 2012 10:07
> To: gene...@incubator.apache.org
> Cc: ooo-dev@incubator.apache.org
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> Which better agrees with written policy anyway- the sigs
> are part of the release package to be voted on and voted on
> by the PMC, so even tho it constitutes individual sigs
> those sigs (well at least the RM's sig) are PMC-approved.
> 
> 
> 
> 
> - Original Message -
>> From: Greg Stein 
>> To: gene...@incubator.apache.org
>> Cc: "ooo-dev@incubator.apache.org" 
>> Sent: Monday, August 27, 2012 1:03 PM
>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>> 
>> On Aug 27, 2012 9:57 AM, "Jim Jagielski"  
>> wrote:
>>> ...
>>> But recall in all this that even when the PMC releases code, it is
>>> signed by the individual RM, and not by the PMC itself.
>> 
>> Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd
>> say they are signed by the PMC. For example:
>> 
>> https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc
>> 
>> Cheers,
>> -g
>> 
> 



Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread drew
On Mon, 2012-08-27 at 13:38 -0400, Jim Jagielski wrote:
> On Aug 27, 2012, at 11:21 AM, Rob Weir  wrote:
> 
> > 
> > Identity != Trust.
> > 
> > Identity + Reputation == Trust.
> > 
> > The signature only guarantees identity.
> 
> Signature does not guarantee reputation though. The point
> is that reputation is dependent upon identity. And
> identity is ensured via some sort of signature. And
> a signature does *nothing* to guarantee "trust" in
> and of itself.
> 
> > 
> > End users know absolutely nothing about Apache release process.  They
> > know brands.  So their view of trust is brand-based, not informed by
> > the technical minutia of Apache release process.  Of course, given a
> > suboptimal process, if bad releases result from this, then the brand
> > reputation will suffer over time.
> > 
> 
> Again, I have no idea what you are talking about.
> 
> People trust the Apache brand.
> They download Apache "stuff" from somewhere.
> That stuff is signed by an entity that is associated
> with the Apache brand.
> 
> What the "release process is" is moot.
> 
> > 
> > Today it is more likely that they see a binary called "OpenOffice",
> > with or without the Apache name, and without verifying the signature,
> > the user just installs it.  That is the sad state of end-user security
> > awareness today.
> > 
> > This is not going to get better by technology alone.  It will require
> > user education as well.
> > 
> 
> Agreed... 
> 
> > 
> > 1) The AOO 3.4.1 release ballot is defective because it refers to
> > binaries and Apache does not release binaries
> 
> The ASF releases code. PMCs vote on a SVN tag and on a release tarball
> (distribution) made from that tag. There is a direct and easily
> followed path between the bits the end-user gets and the bits that
> the PMC has determined as "the release."
> 
> The issue with voting on "just" a binary release is how is the
> provenance of the code ensured... If I get a binary how can I,
> as an end-user, ensure that the binary was based on the official bits
> and was built in a way that didn't muck around with those bits.
> *THAT* is what the AOO PPMC needs to work thru, since most end-user
> of AOO couldn't care a fig about the bits. But just because end-users
> don't care, or shouldn't care, doesn't mean that the PMC/PPMC
> can just wing it. Nor can it consider the binaries as "more important"
> than the code.
> 
> One possible scenario: The AOO PPMC/PMC is ready for a release
> and someone steps up to RM. He/she does the normal process and
> a release tag is created. At that point, binary RM's step up
> and, using that tag and a well-defined (and trackable) process,
> creates binaries and then sign that binary. In fact, that was/is
> my intent on wanting to be on the AOO PMC is to be the Apple OSX
> RM (that is, take on that responsibility).

Hello Jim,

YES 

AOO as ASF project, from ASF's perspective, must conform to the current
- well defined I think - steps for the source release. No argument here.

Jim's use of the term binary RM's and brief explanation, I believe, gets
to the crux of my concerns. I would add that I see some role of
responsibility for AOO PMC with regards to supporting the artifacts it
oversees - but this is in the context of how it affects ongoing
decisions on things such as LTS or bug/Security releases and the like
and I don't see anything in looking at other ASF projects that leads me
to believe any of that will be anything other than welcomed.


So - if I may be so bold. Reading email this morning my gut feeling is
that there is a lot of violent agreement going on.. I'm personally a bit
lost as to why the animation on the subject of the signature - is the
disagreement over who will own the signature file?

Thanks,

Drew





AOO and Code Signing

2012-08-27 Thread Rob Weir
Changing the subject to something more accurate due to thread drift.

On Mon, Aug 27, 2012 at 1:38 PM, Jim Jagielski  wrote:
>
> On Aug 27, 2012, at 11:21 AM, Rob Weir  wrote:
>
>>
>> Identity != Trust.
>>
>> Identity + Reputation == Trust.
>>
>> The signature only guarantees identity.
>
> Signature does not guarantee reputation though. The point
> is that reputation is dependent upon identity. And
> identity is ensured via some sort of signature. And
> a signature does *nothing* to guarantee "trust" in
> and of itself.
>
>>
>> End users know absolutely nothing about Apache release process.  They
>> know brands.  So their view of trust is brand-based, not informed by
>> the technical minutia of Apache release process.  Of course, given a
>> suboptimal process, if bad releases result from this, then the brand
>> reputation will suffer over time.
>>
>
> Again, I have no idea what you are talking about.
>

I've stated it twice.  Maybe it would help if you rephrased what you
think I was saying that wasn't clear?

> People trust the Apache brand.
> They download Apache "stuff" from somewhere.
> That stuff is signed by an entity that is associated
> with the Apache brand.
>

As you know, that last step does not occur today.  If it did, then
we'd be closer.  But we really need several things to come together:

1) Trust in the brand == reputation of Apache OpenOffice, partially
based on historical reputation of "Apache", partially on historical
reputation of "OpenOffice" and partially on the novel and recent
combination.  This reputation is one of our most valuable assets, and
is what every user comes to the table with.

2) Digital signatures confirm the identity of our binaries and allow
the user (via their platform) to reject out copies that have been
modified or damaged.

3) However, the majority of users would be just as happy to install
something that claimed it was OpenOffice, even if it were not signed.
(Our 12 million downloads prove that).  So when/if we do start
signing, then user education needs to be an essential component of
this.   The platform vendors will be pushing this general idea in
parallel via their deprecation of unsigned binaries.

4) Finally is the trademark protections.  Even if concerns 1-3 are
addressed, this doesn't stop someone from getting a signing certificate
in the name of "Open Office" or "OpenOffice.com" or any other knock
off names.   Many (perhaps most) users would fall for this.  Look at
what happens today with knock-off domain names related to OpenOffice.
So the trademark protections are a key part of this as well.

This all works well for the ecosystem as well, since a number of
projects historically have taken the core OpenOffice binaries and
repackaged them, with added extensions, templates, clipart, etc.  By
having the core code already signed, we make it easier for them to do
their more surface level bundling and still meet OS vendor signing
requirements, provided they sign the installer.

> What the "release process is" is moot.
>
>>
>> Today it is more likely that they see a binary called "OpenOffice",
>> with or without the Apache name, and without verifying the signature,
>> the user just installs it.  That is the sad state of end-user security
>> awareness today.
>>
>> This is not going to get better by technology alone.  It will require
>> user education as well.
>>
>
> Agreed...
>
>>
>> 1) The AOO 3.4.1 release ballot is defective because it refers to
>> binaries and Apache does not release binaries
>
> The ASF releases code. PMCs vote on a SVN tag and on a release tarball
> (distribution) made from that tag. There is a direct and easily
> followed path between the bits the end-user gets and the bits that
> the PMC has determined as "the release."
>
> The issue with voting on "just" a binary release is how is the
> provenance of the code ensured... If I get a binary how can I,
> as an end-user, ensure that the binary was based on the official bits
> and was built in a way that didn't muck around with those bits.

How does a downloader of a source tarball know that the process you
described above was followed by a PMC?  Aside from trust, they don't.
They trust that the PMC follows a process that ensures that these
things happen.  There is no requirement today, for example, that
source tarballs must be produced on clean machines run by Infra.  The
ASF trusts that PMC's will do what is necessary to ensure that the RM
doesn't slip a backdoor into the source before zipping it up.  But I
bet if you did a survey you would find that few PMC's do a diff
between the tagged SVN and the source tarball before doing a release.
So room for error, room for malice, room for user harm even with
source tarballs.

IMHO, we should aim to create source tarballs that are more securely
built than the average ASF project, as well as binaries to that same
level.  I'd recommend collecting points of vulnerability in the
current process, then define a process that verifies each step, and
lo

Re: Help with 3.4.1 announcement questions on blog

2012-08-27 Thread Rob Weir
On Mon, Aug 27, 2012 at 1:43 PM, drew  wrote:
> On Mon, 2012-08-27 at 13:22 -0400, Rob Weir wrote:
>> By default blog questions are held for moderation.  I just checked and
>> we had quite a few comments.   I let the non-spam ones through:
>>
>> https://blogs.apache.org/OOo/entry/announcing_apache_openoffice_3_41#comments
>>
>> I responded to one, but since there are a few of them I could use some
>> help responding.  Note:  no Roller account is required to respond to a
>> comment.
>>
>> Thanks!
>>
>> -Rob
>>
>
> Darn - there are a few - are you sure about anyone being able to comment
> - I'm there right now and can't see a way to reply (I see two for which
> I could do so right off)
>

Scroll to the bottom of the page.  Do you see the "Post a comment" area?

You should be able to post a response, however the response itself
will be held for moderation.

-Rob


> //drew
>
>


Re: Help with 3.4.1 announcement questions on blog

2012-08-27 Thread drew
On Mon, 2012-08-27 at 14:16 -0400, Rob Weir wrote:
> On Mon, Aug 27, 2012 at 1:43 PM, drew  wrote:
> > On Mon, 2012-08-27 at 13:22 -0400, Rob Weir wrote:
> >> By default blog questions are held for moderation.  I just checked and
> >> we had quite a few comments.   I let the non-spam ones through:
> >>
> >> https://blogs.apache.org/OOo/entry/announcing_apache_openoffice_3_41#comments
> >>
> >> I responded to one, but since there are a few of them I could use some
> >> help responding.  Note:  no Roller account is required to respond to a
> >> comment.
> >>
> >> Thanks!
> >>
> >> -Rob
> >>
> >
> > Darn - there are a few - are you sure about anyone being able to comment
> > - I'm there right now and can't see a way to reply (I see two for which
> > I could do so right off)
> >
> 
> Scroll to the bottom of the page.  Do you see the "Post a comment" area?
> 
> You should be able to post a response, however the response itself
> will be held for moderation.

Got it - I was looking to reply, threaded style, to specific comments..

Thanks

> 
> -Rob
> 
> 
> > //drew
> >
> >
> 




Re: Extension downloading problem

2012-08-27 Thread Roberto Galoppini
On Mon, Aug 27, 2012 at 7:22 PM, drew  wrote:

> On Sun, 2012-08-26 at 19:17 +0200, Roberto Galoppini wrote:
> > On Sun, Aug 26, 2012 at 1:53 PM, Andrea Pescetti  >wrote:
> >
> > > Rob Weir wrote:
> > >
> > >> Also, I wonder if it would be worth submitting a patch for Apache.  It
> > >> looks like they have the other content types used by OpenOffice, but
> > >> not oxt files:
> > >> http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types
> > >>
> > >
> > > Actually, it seems it's already been there for a while:
> > > $ svn annotate mime.types  | grep oxt
> > > 571614   fielding application/vnd.openofficeorg.extension oxt
> > > $ svn log | grep 571614
> > > r571614 | fielding | 2007-08-31 23:57:29 +0200(ven, 31 ago 2007) | 3 lines
> > >
> > > and if I put an extension on my people.apache.org account I see it's
> > > served correctly (of course, this has nothing to do with the problem under
> > > discussion; but if problems come from an incorrect MIME type, then people
> > > reporting the problem should be able to download
> > > http://people.apache.org/~pescetti/tmp/dict-it.oxt
> > > correctly).
> > >
> >
> > I confirm your suspects, it's a MIME config issue. I tested SourceForge
> > master, that works just fine, but not all mirrors do manage it correctly.
> > As a short-term solution for all extensions - either hosted at SourceForge
> > or at third party website - we report the following note:
> >
> > *Note: some browsers may download the extension as a .zip file; if this
> > happens rename the downloaded file from .zip to .oxt*
> >
> > We can then run a communication plan to inform both mirror and
> > third-parties.
>
> Hi,
>
> Yes - very good idea on the notice.
>
> On the mime config, if I can help with this anyway - for example if
> there is a list of the  mirrors available through the extension download
> site I have a copy of IE/Vista which faithfully produces the .zip file
> for octect/streams and I would be willing to try it on all the mirrors..
> I'd think reporting on success would best be to you direct, I wouldn't
> want to come off as demanding here (@Roberto - if that would help, I
> will).
>

Thanks Drew, but we have already scripts for that.

Roberto


>
> Unless - I'm assuming it is not that ning servers don't support it, is
> it worth the time (I'll do so if someone thinks so) to actually check at
> the project?
>
> Best,
>
> //drew
>
> >
> > Roberto
> >
> >
> > >
> > > Regards,
> > >   Andrea.
> > >
> >
>
>
>




Re: Open-office downloading site - FLV player advertisement

2012-08-27 Thread Fernando Cassia
On Mon, Aug 27, 2012 at 12:25 PM, Issac Goldstand wrote:

> Maybe I'm missing something, but how is trying to police 3rd party
> (Google) ads on a 3rd party (SF) distribution link a real concern of
> this PPMC?
>
> Adverts (and the downloads to go along with this) have been popular on
> massive download portals for years, and will be for years to come.
>

You have to admit, however, that including large green "download" buttons
in the middle of an advert banner, and knowing that such ad is displayed
while the end user is waiting for the Sourceforge.net download to begin, is
misleading to say the least...

I think a simple SF.net policy of asking advertisers not to include such
imagery on its banners would suffice to eliminate all criticism and user
confusion

FC

-- 
During times of Universal Deceit, telling the truth becomes a revolutionary
act
Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto
Revolucionario
- George Orwell


Re: AOO and Code Signing

2012-08-27 Thread Jim Jagielski

On Aug 27, 2012, at 2:13 PM, Rob Weir  wrote:
> 
>> People trust the Apache brand.
>> They download Apache "stuff" from somewhere.
>> That stuff is signed by an entity that is associated
>> with the Apache brand.
>> 
> 
> As you know, that last step does not occur today.  If it did, then
> we'd be closer.  But we really need several things to come together:
> 
> 1) Trust in the brand == reputation of Apache OpenOffice, partially
> based on historical reputation of "Apache", partially on historical
> reputation of "OpenOffice" and partially on the novel and recent
> combination.  This reputation is one of our most valuable assets, and
> is what every user comes to the table with.

That is a totally different topic and, IMO, just muddies this
conversation.

> 
> 2) Digital signatures confirm the identity of our binaries and allow
> the user (via their platform) to reject out copies that have been
> modified or damaged.
> 

Gotcha.

> 3) However, the majority of users would be just as happy to install
> something that claimed it was OpenOffice, even if it were not signed.
> (Our 12 million downloads prove that).  So when/if we do start
> signing, then user education needs to be an essential component of
> this.   The platform vendors will be pushing this general idea in
> parallel via their deprecation of unsigned binaries.

Again, this is, IMO at least, moot and inappropriate for the real
issue of this discussion. Yeah, we need better end-user education.
Point taken. Move on to actual PMC/PPMC issues...

> 
> 4) Finally is the trademark protections.  Even if concerns 1-3 are
> addressed, this doesn't stop someone from getting a signing certificate
> in the name of "Open Office" or "OpenOffice.com" or any other knock
> off names.   Many (perhaps most) users would fall for this.  Look at
> what happens today with knock-off domain names related to OpenOffice.
> So the trademark protections are a key part of this as well.

tradema...@apache.org... not a pertinent topic for this discussion.

> 
> This all works well for the ecosystem as well, since a number of
> projects historically have taken the core OpenOffice binaries and
> repackaged them, with added extensions, templates, clipart, etc.  By
> having the core code already signed, we make it easier for them to do
> their more surface level bundling and still meet OS vendor signing
> requirements, provided they sign the installer.
> 
> 
> How does a downloader of a source tarball know that the process you
> described above was followed by a PMC?  Aside from trust, they don't.
> They trust that the PMC follows a process that ensures that these
> things happen.  There is no requirement today, for example, that
> source tarballs must be produced on clean machines run by Infra.  The
> ASF trusts that PMC's will do what is necessary to ensure that the RM
> doesn't slip a backdoor into the source before zipping it up.  But I
> bet if you did a survey you would find that few PMC's do a diff
> between the tagged SVN  and the source tarball before doing a release.
> So room for error, room for malice, room for user harm even with
> source tarballs.

I would say that you are wrong and that the *vast* majority of
PMCs take the release process as the crucial issue that it is.
And if they don't, then the PMCs are not doing what they should be
and should be corrected...

> 
> IMHO, we should aim to create source tarballs that are more securely
> built than the average ASF project, as well as binaries to that same
> level.  I'd recommend collecting points of vulnerability in the
> current process, then define a process that verifies each step, and
> look at ways to automate as much as possible. (Human error is itself a
> vulnerability).
> 

"more securely"?? What kinda comment is that? Dis'ing a large segment of
the ASF PMCs, who have been doing releases well and for a LOT longer
than AOO, is NOT a way of garnering cooperation. And, to be honest,
this sort of elitist attitude does nothing to help the current community,
much less growing it.

So, just to summarize, in this whole conversation the single solitary
point you've made is "we need to be serious about ensuring ASF->
end-user bit integrity." 

thanks
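
The check raised in this thread, comparing a source tarball against the tree exported from the release tag, as an added example (not code from the thread or from any Apache project). The file names, the `aoo-src` top-level directory and both sample trees are constructed; in practice the tag tree would come from an `svn export` of the release tag.

```python
import hashlib
import os
import shutil
import tarfile
import tempfile


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def manifest_from_tree(root):
    """Map relative path -> SHA-256 (or symlink target) for an exported tag."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".svn"]  # ignore VCS metadata
        for name in filenames + dirnames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                manifest[rel] = "symlink -> " + os.readlink(full)
            elif os.path.isfile(full):
                with open(full, "rb") as fh:
                    manifest[rel] = _sha256(fh.read())
    return manifest


def manifest_from_tarball(path, strip_components=1):
    """Same mapping for a tarball, dropping its leading top-level directory."""
    manifest = {}
    with tarfile.open(path, "r:*") as tar:
        for member in tar:
            parts = member.name.strip("/").split("/")[strip_components:]
            if not parts or member.isdir():
                continue
            rel = "/".join(parts)
            if member.isfile():
                manifest[rel] = _sha256(tar.extractfile(member).read())
            elif member.issym():
                manifest[rel] = "symlink -> " + member.linkname
            else:
                # Hard links, devices, FIFOs: never silently skipped.
                manifest[rel] = "special entry type %r" % member.type
    return manifest


def compare(tag, tarball):
    """Report every path where the tarball and the tagged tree disagree."""
    common = set(tag) & set(tarball)
    return {
        "only_in_tag": sorted(set(tag) - set(tarball)),
        "only_in_tarball": sorted(set(tarball) - set(tag)),
        "content_differs": sorted(p for p in common if tag[p] != tarball[p]),
    }


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", newline="\n") as fh:
        fh.write(text)


def _make_tarball(tree, out_path):
    with tarfile.open(out_path, "w:gz") as tar:
        tar.add(tree, arcname="aoo-src")  # constructed top-level directory name


def demo():
    """Build a constructed tag export, a faithful tarball and a drifted one."""
    work = tempfile.mkdtemp()
    try:
        tag = os.path.join(work, "tag-export")
        _write(tag, "NOTICE", "constructed notice file\n")
        _write(tag, "build.sh", "#!/bin/sh\nmake all\n")
        _write(tag, "src/main.c", "int main(void) { return 0; }\n")

        good = os.path.join(work, "good.tar.gz")
        _make_tarball(tag, good)

        # A staging copy that drifted from the tag before it was packed.
        staged = os.path.join(work, "staged")
        shutil.copytree(tag, staged)
        _write(staged, "build.sh", "#!/bin/sh\nmake all\necho changed after tagging\n")
        _write(staged, "extra/hook.sh", "#!/bin/sh\n")
        os.remove(os.path.join(staged, "NOTICE"))
        drifted = os.path.join(work, "drifted.tar.gz")
        _make_tarball(staged, drifted)

        tag_manifest = manifest_from_tree(tag)
        return (compare(tag_manifest, manifest_from_tarball(good)),
                compare(tag_manifest, manifest_from_tarball(drifted)))
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

An empty report means the tarball is byte-for-byte the tagged tree; generated files that a release process adds on purpose would appear under `only_in_tarball` and need an explicit allow-list.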


Re: Something wrong in download page for Linux users

2012-08-27 Thread drew
On Sun, 2012-08-26 at 20:18 +0200, Marcus (OOo) wrote:
> Am 08/24/2012 11:52 PM, schrieb Marcus (OOo):
> > Am 08/23/2012 04:24 PM, schrieb Ariel Constenla-Haile:
> >>
> >> Hi Marcus,
> >>
> >> On Fri, May 18, 2012 at 01:49:19AM +0200, Marcus (OOo) wrote:
> >>> Am 05/18/2012 01:29 AM, schrieb Ariel Constenla-Haile:
>  On Fri, May 18, 2012 at 12:26:41AM +0200, Marcus (OOo) wrote:
> >>
> >> The system and the browser are 64 bits, the package is 32 bits.
> >
> > Interesting. The browser shows that the platform is i686 (= x86) and
> > the user agents says x86_64. Haven't seen this before.
> >
> > OK, which value is right when you don't know the truth? ;-)
> 
>  just blame it on Google :)
> 
>  http://code.google.com/p/chromium/issues/detail?id=44905
> >>>
> >>> Interesting, even Google software has old bugs. :-P
> >>>
>  Duplicated by this one?
>  http://code.google.com/p/chromium/issues/detail?id=128167
> >>>
> >>> Great. When this is solved somewhen, we can check our DL logic
> >>> again. I'll add this to the Wiki page.
> >>
> >>
> >> FYI this is fixed now in Chrome, according to the browser values shown
> >> by http://www.openoffice.org/download/test/analyze.html
> >
> > Ah, thank you for the hint. I will analyze the data what needs to be
> > updated.
> >
> > BTW:
> > Great to have this little test webpage online, isn't it? ;-)
> 
> This should work now with the recent change from Oliver.
> 
> Can you confirm this especially for Chrome?

Howdy

http://www.openoffice.org/download/test/analyze.html
64bit Ubuntu 11.04 - latest Chromium - still thinks I am 32Bit Debs :(

//drew

> 
> Thanks
> 
> Marcus
> 
> 
> 
> >> Variables from the browser Values
> >>
> >> navigator.platform Linux x86_64
> >> navigator.platform.toLowerCase() linux x86_64
> >> navigator.language en-US
> >> navigator.userLanguage undefined
> >> navigator.systemLanguage undefined
> >> navigator.userAgent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.1
> >> (KHTML, like Gecko) Chrome/21.0.1180.81 Safari/537.1
> >> navigator.userAgent.toLowerCase() mozilla/5.0 (x11; linux x86_64)
> >> applewebkit/537.1 (khtml, like gecko) chrome/21.0.1180.81 safari/537.1
> >> navigator.javaEnabled() Yes
> >>
> >>
> >> But the download page is providing 32 bits to download (though the text
> >> says "Click to start downloading the most recent version for Linux
> >> 64-bit (RPM and English (US)"):
> >>
> >>
> >> JavaScript functions from the DL scripts Return values
> >> getLink( VERSION, LANGUAGE, MIRROR, SCHEMA )
> >> http://sourceforge.net/projects/openofficeorg.mirror/files/stable/3.4.1/Apache_OpenOffice_incubating_3.4.1_Linux_x86_install-rpm_en-US.tar.gz/download
> >>
> >> getArray( LANGUAGE ) here,English (US),English
> >> (US),http://www.openoffice.org/download/other.html,y
> >> getPlatform( LANGUAGE, SCHEMA ) Linux 64-bit (RPM)
> >> getLanguage( LANGUAGE ) English (US)
> >> getLanguageISO( LANGUAGE ) en-US
> >> sourceforge_getLink( VERSION, LANGUAGE, SCHEMA )
> >> http://sourceforge.net/projects/openofficeorg.mirror/files/stable/3.4.1/Apache_OpenOffice_incubating_3.4.1_Linux_x86_install-rpm_en-US.tar.gz/download
> >>
> >> apache_getLink( VERSION, LANGUAGE, SCHEMA )
> >> http://www.apache.org/dyn/closer.cgi/incubator/ooo/files/stable/3.4.1/Apache_OpenOffice_incubating_3.4.1_Linux_x86_install-rpm_en-US.tar.gz
> >>
> >> apache_getChecksum( VERSION, LANGUAGE, SCHEMA, HASH )
> >> http://www.apache.org/dist/incubator/ooo/files/stable/3.4.1/Apache_OpenOffice_incubating_3.4.1_Linux_x86_install-rpm_en-US.tar.gz.md5
> >>
> >> mirrorbrain_getPlatformForMirror( LANGUAGE, SCHEMA )
> >> Linux_x86_install-rpm
> >> mirrorbrain_getFilename( VERSION, LANGUAGE, SCHEMA )
> >> Apache_OpenOffice_incubating_3.4.1_Linux_x86_install-rpm_en-US.tar.gz
> >> mirrorbrain_getExtension( LANGUAGE, SCHEMA ) .tar.gz
> >> hasMirrorLink( LANGUAGE ) true
> >>
> >>
> >> Google Chrome Info:
> >>
> >> Name : google-chrome-beta
> >> Arch : x86_64
> >> Version : 21.0.1180.81
> >> Release : 151980
> >> Size : 125 M
> >> Repo : installed
> >> From repo : google-chrome
> >> Summary : Google Chrome
> >> URL : http://chrome.google.com/
> >> License : Multiple, see http://chrome.google.com/
> 




Re: AOO and Code Signing

2012-08-27 Thread Rob Weir
On Mon, Aug 27, 2012 at 2:48 PM, Jim Jagielski  wrote:
>
> On Aug 27, 2012, at 2:13 PM, Rob Weir  wrote:
>>
>>> People trust the Apache brand.
>>> They download Apache "stuff" from somewhere.
>>> That stuff is signed by an entity that is associated
>>> with the Apache brand.
>>>
>>
>> As you know, that last step does not occur today.  If it did, then
>> we'd be closer.  But we really need several things to come together:
>>
>> 1) Trust in the brand == reputation of Apache OpenOffice, partially
>> based on historical reputation of "Apache", partially on historical
>> reputation of "OpenOffice" and partially on the novel and recent
>> combination.  This reputation is one of our most valuable assets, and
>> is what every user comes to the table with.
>
> That is a totally different topic and, IMO, just muddies this
> conversation.
>

I think they are all connected, and should be considered together.
You are free to disagree and ignore the parts that you are not
interested in.

>>
>> 2) Digital signatures confirm the identity of our binaries and allow
>> the user (via their platform) to reject out copies that have been
>> modified or damaged.
>>
>
> Gotcha.
>
>> 3) However, the majority of users would be just as happy to install
>> something that claimed it was OpenOffice, even if it were not signed.
>> (Our 12 million downloads prove that).  So when/if we do start
>> signing, then user education needs to be an essential component of
>> this.   The platform vendors will be pushing this general idea in
>> parallel via their deprecation of unsigned binaries.
>
> Again, this is, IMO at least, moot and inappropriate for the real
> issue of this discussion. Yeah, we need better end-user education.
> Point taken. Move on to actual PMC/PPMC issues...
>

Since this project does directly interact with end users, via support
forums and user lists, user education is directly relevant.  Again,
feel free to ignore the parts that don't interest you.  We have plenty
of volunteers who like to help users.

>>
>> 4) Finally is the trademark protections.  Even if concerns 1-3 are
>> addressed, this doesn't stop someone from getting a signing certificate
>> in the name of "Open Office" or "OpenOffice.com" or any other knock
>> off names.   Many (perhaps most) users would fall for this.  Look at
>> what happens today with knock-off domain names related to OpenOffice.
>> So the trademark protections are a key part of this as well.
>
> tradema...@apache.org... not a pertinent topic for this discussion.
>

PMCs have defined requirements and responsibilities in this area.
Some are defined here:

http://www.apache.org/foundation/marks/pmcs.html

PMCs are also the first-point-of-contact for those who wish to use the
trademarks, as well as for those reporting abuse.  So this is entirely
relevant.  We have volunteers interested in that piece as well.

>>
>> This all works well for the ecosystem as well, since a number of
>> projects historically have taken the core OpenOffice binaries and
>> repackaged them, with added extensions, templates, clipart, etc.  By
>> having the core code already signed, we make it easier for them to do
>> their more surface level bundling and still meet OS vendor signing
>> requirements, provided they sign the installer.
>>
>>
>> How does a downloader of a source tarball know that the process you
>> described above was followed by a PMC?  Aside from trust, they don't.
>> They trust that the PMC follows a process that ensures that these
>> things happen.  There is no requirement today, for example,  that
>> source tarballs must be produced on clean machines run by Infra.  The
>> ASF trusts that PMC's will do what is necessary to ensure that the RM
>> doesn't slip a backdoor into the source before zipping it up.  But I
>> bet if you did a survey you would find that few PMC's do a diff
>> between the tagged SVN  and the source tarball before doing a release.
>> So room for error, room for malice, room for user harm even with
>> source tarballs.
>
> I would say that you are wrong and that the *vast* majority of
> PMCs take the release process as the crucial issue that it is.
> And if they don't, then the PMCs are not doing what they should be
> and should be corrected...
>

I didn't say they were not taking "the release process as the crucial
issue that it is".  I said that I believe that few PMCs are verifying
that what is signed is exactly what was tagged in SVN.  If you recall
that was the concern that you raised about binaries.  I'm just saying
this is a concern about source tarballs as well and we should aim to
raise the bar here, both for source and binaries.

>>
>> IMHO, we should aim to create source tarballs that are more securely
>> built than the average ASF project, as well as binaries to that same
>> level.  I'd recommend collecting points of vulnerability in the
>> current process, then define a process that verifies each step, and
>> look at ways to automate as much as possible. (Human error is itself 
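
Added example (not part of the thread, and not ASF or project tooling): one way to run the check discussed above, comparing a source tarball file by file against a tree exported from the release tag. The function names are hypothetical, the tag tree is assumed to come from an `svn export` of the tag, and the sample data is constructed.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path, PurePosixPath


def tree_manifest(root):
    """Map relative path -> SHA-256 for every regular file under an exported tag."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def tarball_manifest(fileobj, strip_components=1):
    """Hash tarball members in memory; nothing is extracted to disk.

    Returns (manifest, non_regular). Symlinks, hard links and device nodes
    cannot be compared by content, so they are listed for manual review.
    """
    manifest, non_regular = {}, []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            # Drop the top-level "name-version/" directory of the tarball.
            parts = PurePosixPath(member.name).parts[strip_components:]
            if not parts or member.isdir():
                continue
            rel = "/".join(parts)
            if not member.isfile():
                non_regular.append(rel)
                continue
            data = tar.extractfile(member).read()
            manifest[rel] = hashlib.sha256(data).hexdigest()
    return manifest, sorted(non_regular)


def compare(tag, tarball, non_regular=()):
    """Report every path on which the tarball and the tag disagree."""
    common = set(tag) & set(tarball)
    return {
        "missing_from_tarball": sorted(set(tag) - set(tarball)),
        "extra_in_tarball": sorted(set(tarball) - set(tag)),
        "modified": sorted(p for p in common if tag[p] != tarball[p]),
        "non_regular": list(non_regular),
    }


def release_matches_tag(report):
    """True only when no category of difference was found."""
    return not any(report.values())


def make_tarball(files, top="release-x.y.z"):
    """Build a gzip tarball in memory from {path: bytes} (constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def demo(tampered=True):
    # Constructed sample: three files standing in for an exported tag.
    tag_files = {
        "README": b"Example project\n",
        "src/main.c": b"int main(void) { return 0; }\n",
        "src/util.c": b"int add(int a, int b) { return a + b; }\n",
    }
    tar_files = dict(tag_files)
    if tampered:
        tar_files["src/util.c"] = b"int add(int a, int b) { return a - b; }\n"
        tar_files["NOTICE.generated"] = b"added at packaging time\n"
        del tar_files["README"]
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in tag_files.items():
            path = Path(tmp, name)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        manifest, non_regular = tarball_manifest(make_tarball(tar_files))
        return compare(tree_manifest(tmp), manifest, non_regular)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Files that are legitimately added at packaging time show up under `extra_in_tarball`, so a release checklist can list the expected ones and treat anything else as a finding.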

RE: AOO and Code Signing (was Re: [VOTE] Apache OpenOffice ... )

2012-08-27 Thread Dennis E. Hamilton
Great question, Jim,

1. The first substantial difference is that the operating system that runs the 
binary installer *always* and automatically checks the embedded signature and 
warns users when there is no such signature or when the signature is not from a 
trusted source (in the PKI Certificate Authority sense) or, of course, when the 
signature does not verify.  Download utilities can also verify signatures 
without needing to be party to any special out-of-band signature-checking 
practice.  

This is different than a web of trust that is centered around ASF committers 
who use OpenPGP signatures and that require super-user skills to arrange to 
check independently.  Also, the ASF signature practice applies to the top-level 
container (whether the source package or a binary package) and not to any of 
the interior components, leading to (2):

2. The second substantial difference is that embedded signature(s) remain with 
the individual binary artifact(s) (i.e., the installed .exe, .dll, and other 
artifacts that have provision for embedded signatures).  That is, it is not 
just the wrapper (e.g., the msi installer file) of the binary download that is 
signed, but signable components that are extracted, installed, and registered 
with the system. 

After that, it is possible for a user to ask to check the signature on an 
artifact simply by opening the Properties dialog on a file-system entry.  For 
various security conditions, signatures will also be checked dynamically and 
also by intrusion-detection software. 

3. These signatures also have expirations and there is provision to check for 
certificate revocation.  There are ways that can work with OpenPGP although I 
don't happen to know how that is supported with the ASF committer signatures. In 
the case of embedded signatures, certificates can be checked for revocation or 
expiration at any time.  Finally, there is the ability to have time-service 
counter-signatures that tighten the non-repudiation aspects.  These provisions 
are second-order to the key feature, which is automatic artifact-level 
authentication and integrity.

The ASF approach does not fit into these regimes, which apply to Microsoft 
binary artifacts, signed Java jars, Apple OS X installs, Adobe AIR apps, etc., 
etc.

I am not arguing that the ASF should accommodate these arrangements.  If I used 
"requirement" it was not about anything to do with ASF but what platform 
providers are increasingly requiring for certification of installable binaries. 
 (It came up around AOOi when certification for Windows 8 was investigated.)  

I simply want to make it clear what these signing arrangements are and how they 
differ from what ASF uses as an internal control and as a way to manually 
obtain a check on the integrity of a download.  

 - Dennis

Of course, an independent packager could do all of this using a custom build 
chain.  The Sun/Oracle-packaged OpenOffice.org binaries were signed in this 
manner.  My downloads of TortoiseSVN for Windows x86 and x64 configurations are 
all signed in this manner by their creator, Stefan Kueng.  I am pleased to see 
that.  I even send money on occasion. By the way, the accompanying Tortoise SVN 
certificate indicates what is being attested to by the presence of the 
signature.  In the Tortoise SVN case it is to ensure software came from the 
software publisher and to protect the software from alteration after 
publication.  That is all.

-Original Message-
From: Jim Jagielski [mailto:j...@jagunet.com] 
Sent: Monday, August 27, 2012 11:02
To: ooo-dev@incubator.apache.org; orc...@apache.org
Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote

And so I get back to my question... How is this new "requirement" substantially
different from the kind of signing we do today?

And please notice the word "substantially".

On Aug 27, 2012, at 1:52 PM, Dennis E. Hamilton  wrote:

> There is a missing distinction here.
> 
> The discussion about signed binaries is not about external signatures of the 
> kind used by release managers and others, nor about the external digests and 
> signatures that might be obtained in conjunction with a download.
> 
> The signing of code that I am talking about, and that others are talking 
> about (at least in part), has to do with embedded signatures that consumer 
> operating systems notice and check and that are part of the artifact.  These 
> signatures are used (and typically required for application certification) by 
> Microsoft, Apple, Adobe, and others.  The requirement for them is not 
> decreasing.
> 
> The discussion with regard to trust and the presumed reputation of the signer 
> has merit, but it is not satisfied by external signatures in the case of 
> download distributions to modern consumer platforms.
> 
> - Dennis
> 
> PS: I love it that when recognized authorities ask that a discussion be moved 
> off of a particular list and then everyone piles on that list with a 
> vengeance.  Thi
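
Added example (not part of the thread): the embedded signature described in points 1 and 2 above lives inside a Windows PE file as an attribute certificate table referenced from the optional header, which is why it travels with the .exe or .dll itself rather than beside it like a detached OpenPGP signature. This code only locates that table and does not validate the signature or its certificate chain; the function names and the sample bytes are constructed for illustration.

```python
import struct

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the PE data directories


def embedded_signatures(data):
    """Return the WIN_CERTIFICATE headers embedded in a PE image.

    An empty list means the file carries no embedded signature. ValueError
    means the headers are malformed or point outside the file. Validating the
    PKCS#7 blob and its certificate chain is left to the platform's verifier.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = pe_off + 4
    opt_off = coff_off + 20
    if opt_off + 2 > len(data):
        raise ValueError("truncated headers")
    (opt_size,) = struct.unpack_from("<H", data, coff_off + 16)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == 0x10B:      # PE32
        dd_off = 96
    elif magic == 0x20B:    # PE32+
        dd_off = 112
    else:
        raise ValueError("unknown optional header magic")
    if opt_off + dd_off > len(data):
        raise ValueError("truncated optional header")
    (count,) = struct.unpack_from("<I", data, opt_off + dd_off - 4)
    if count <= CERT_DIR_INDEX:
        return []
    entry = opt_off + dd_off + 8 * CERT_DIR_INDEX
    if entry + 8 > opt_off + opt_size or entry + 8 > len(data):
        raise ValueError("data directory extends past the optional header")
    # For this one directory the first field is a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    if cert_off == 0 or cert_size == 0:
        return []
    end = cert_off + cert_size
    if end > len(data):
        raise ValueError("certificate table points outside the file")
    found, pos = [], cert_off
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        found.append({"offset": pos, "length": length,
                      "revision": revision, "type": cert_type})
        pos += (length + 7) & ~7  # entries are 8-byte aligned
    return found


def build_sample_pe(signed):
    """Constructed, minimal PE32+ header block (not a runnable program)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    opt = bytearray(112 + 16 * 8)                    # 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x0002)
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    if signed:
        blob = b"\x30\x82" + b"\x00" * 14            # placeholder, not real PKCS#7
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        entry = 0x40 + 4 + 20 + 112 + 8 * CERT_DIR_INDEX
        struct.pack_into("<II", image, entry, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    print("signed sample:  ", embedded_signatures(build_sample_pe(True)))
    print("unsigned sample:", embedded_signatures(build_sample_pe(False)))
```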

RE: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Dennis E. Hamilton
I'm not asking for anything.  I am simply attempting to clarify what the 
considerations are.  Also, I did not inject the issue about binaries into the 
discussion on general@ i.a.o.

Why do you find it necessary to put my contributions down rather than let them 
go by if you see no value in them?

 - Dennis

-Original Message-
From: Joe Schaefer [mailto:joe_schae...@yahoo.com] 
Sent: Monday, August 27, 2012 10:58
To: ooo-dev@incubator.apache.org; orc...@apache.org
Cc: j...@jagunet.com
Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote

Why do you persist in hijacking this thread Dennis?
Read the Subject again and ask yourself why you
are pursuing this line of inquiry here again-
it's just confusing people because you're asking
for new policy to be written and adopted at the
same time other people are arguing with each other
about current policy and how it applies to AOO.

Just let this discussion die please without further
ado- you need not reply again here to acknowledge
my request.








From: Dennis E. Hamilton 
To: ooo-dev@incubator.apache.org 
Cc: j...@jagunet.com 
Sent: Monday, August 27, 2012 1:52 PM
Subject: RE: [VOTE] Apache OpenOffice Community Graduation Vote


There is a missing distinction here.

The discussion about signed binaries is not about external signatures 
of the kind used by release managers and others, nor about the external digests 
and signatures that might be obtained in conjunction with a download.

The signing of code that I am talking about, and that others are 
talking about (at least in part), has to do with embedded signatures that 
consumer operating systems notice and check and that are part of the artifact.  
These signatures are used (and typically required for application 
certification) by Microsoft, Apple, Adobe, and others.  The requirement for 
them is not decreasing.

The discussion with regard to trust and the presumed reputation of the 
signer has merit, but it is not satisfied by external signatures in the case of 
download distributions to modern consumer platforms.

- Dennis

PS: I love it that when recognized authorities ask that a discussion be 
moved off of a particular list and then everyone piles on that list with a 
vengeance.  This message is *not* being copied to general@ i.a.o.  

-Original Message-
From: Joe Schaefer [mailto:joe_schae...@yahoo.com] 
Sent: Monday, August 27, 2012 10:07
To: gene...@incubator.apache.org
Cc: ooo-dev@incubator.apache.org
Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote

Which better agrees with written policy anyway- the sigs
are part of the release package to be voted on and voted on
by the PMC, so even tho it constitutes individual sigs
those sigs (well at least the RM's sig) are PMC-approved.




- Original Message -
> From: Greg Stein 
> To: gene...@incubator.apache.org
> Cc: "ooo-dev@incubator.apache.org" 
> Sent: Monday, August 27, 2012 1:03 PM
> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
> 
> On Aug 27, 2012 9:57 AM, "Jim Jagielski"  
> wrote:
>> ...
>>  But recall in all this that even when the PMC releases code, it is
>>  signed by the individual RM, and not by the PMC itself.
> 
> Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd
> say they are signed by the PMC. For example:
> 
> https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc
> 
> Cheers,
> -g
> 








Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Ross Gardler
On 27 August 2012 19:03, drew  wrote:

> So - if I may be so bold. Reading email this morning my gut feeling is
> that there is a lot of violent agreement going on..

I agree. If everyone will just step away from their keyboards for a
couple of days, then come back with a precise statement of what needs
to be done over and above the current binary artefacts then we will be
able to move forward. Give it a couple of days though. Let the points
being made here sink in a little. Stop the gut reaction emails. It's a
waste of everyone's time.

Ross


Re: First Experiance with Testlink

2012-08-27 Thread Francisco Mancardi
Hi everyone:

As Team Leader of TestLink, I'm very happy to read that you found it useful.
Important things:

1. new release 1.9.4 (with improvements in performance) is going to be released
on 20120902

2. You can get important info on several places

2.1 www.teamst.org -> here there is a user forum
2.2 http://mantis.testlink.org => our mantis site to report issues and ask for
features
2.3 our twitter => https://twitter.com/tlopensource

It will be very important for us if (after you have finished your evaluation),
you can do a post on
http://www.teamst.org/forum/viewforum.php?f=7&sid=26d5e2a04a3b4be3fc7f50ef55c236ea

You can also get hints and news on 

http://www.teamst.org/forum/viewforum.php?f=14&sid=26d5e2a04a3b4be3fc7f50ef55c236ea

http://www.teamst.org/forum/viewforum.php?f=25&sid=26d5e2a04a3b4be3fc7f50ef55c236ea

A new version of our official documentation will be published in September,
meanwhile you can get the manual here:

http://gitorious.org/testlink-ga/testlink-documentation


Best Regards

Francisco Mancardi



Re: The translation of AOO3.4.1 release notes and announcement

2012-08-27 Thread Kay Schenk

Hello again, Shenfeng and Eric--

Please see:

http://www.openoffice.org/zh-cn/news/aoo341.html

which was created by "imacat" on 23/08/2012.

I would think you would want to make changes to the existing page 
instead of creating a new one. Yes?


If these notes are not where you'd like them, then, yes, you could 
create a new directory and then maybe move the page to that area.


For example, you can, as Shenfeng suggests, create a new "releases" 
directory/folder under http://www.openoffice.org/zh-cn and then put the 
release notes information there.


What do you think?




On 08/26/2012 11:34 PM, eric wu wrote:

hi:
I have finished the translation of the release notes, please check the
attachments. thank you!

eric wu
*From:* Shenfeng Liu 
*Date:* 2012-08-27 14:09
*To:* ooo-dev 
*Subject:* Re: Re: The translation of AOO3.4.1 release notes and
announcement
Kay and Eric,
   I suggest to put the release notes translation to:
http://www.openoffice.org/zh-cn/releases/3.4.1.html . (need to create the
folder "releases")
- Simon
2012/8/25 Kay Schenk 
 > On Thu, Aug 23, 2012 at 7:04 PM, eric wu  wrote:
 >
 > > hi :
 > > I have finished my translation of the release notes,but i don't know what
 > > format to save my translation and how to put the translation under:
 > > http://www.openoffice.org/zh-cn/, can you help me ?thank you!
 > >
 > >
 > >
 > >
 > > eric wu
 > >
 >
 > Hi eric --
 >
 > Ok, a bit of a problem.  Your translation, while good work, is set up to
 > actually overwrite the current Release Notes in English where they
 > currently reside, so we will not commit this change.
 >
 > So, I think what will need to happen is you (or someone) needs to determine
 > where in/on this new page, your translated release notes will live. Go
 > there and setup for a new page in an area, and then submit the translation
 > to that NEW area so you don't overwrite the existing English copy.
 >
 > I know how to do this in normal svn but I'm not sure how to go about some
 > of this using the CMS bookmarklet if you want to know the truth.
 >
 > Maybe someone else can weigh in here.
 >
 > First, though, maybe some additional coordination about where to locate
 > this.
 >
 > I hope this helps.
 >
 >
 > > From: Shenfeng Liu
 > > Date: 2012-08-21 14:02
 > > To: ooo-dev; jinjin.wu
 > > Subject: Re: The translation of AOO3.4.1 release notes and announcement
 > > Eric,
 > >   That's great!
 > >   You can find the current AOO 3.4.1 release draft by Kay Schenk in
 > > English here: http://www.openoffice.org/development/releases/3.4.1.html.
 > > I'm not sure if any further editing will be make on it.
 > >
 > >   And I think it will be better to put the translation some where under
 > > http://www.openoffice.org/zh-cn/ . (Any better suggestion?)
 > >
 > >   The way should be copy the English release notes to the folder of
 > zh-cn,
 > > then translate it into a Chinese version. But currently we are freezing
 > the
 > > web waiting for the release, so I guess we can not update the contents
 > > directly now. Maybe you can prepare for your translations, and after the
 > > release, we can publish it immediately.
 > >   Thanks!
 > >
 > > - Simon
 > >
 > >
 > >
 > > 2012/8/21 eric wu 
 > >
 > > Hi all:
 > > I am from China Standard Software Co., Ltd.(cs2c), as a chinese apache
 > > open office user,i am looking forward to assume the task of translation
 > of
 > >  AOO3.4.1 release notes and announcement .
 > >
 > >
 > >
 > >
 > > eric wu
 >
 >
 >
 >
 > --
 >
 > 

 > MzK
 >
 > "As a child my family's menu consisted of two choices:
 > take it or leave it. "
 >-- Buddy Hackett
 >


--

MzK

"As a child my family's menu consisted of two choices:
take it or leave it. "
   -- Buddy Hackett


Re: The translation of AOO3.4.1 release notes and announcement

2012-08-27 Thread Michal Hriň

Hi Kay,

I understand well, I try to explain if I can :)


Hello again, Shenfeng and Eric--

Please see:

http://www.openoffice.org/zh-cn/news/aoo341.html

which was created by "imacat" on 23/08/2012.


This is release announcement.



I would think you would want to make changes to the existing page  
instead of creating a new one. Yes?


If these notes are not where you'd like them, then, yes, you could  
create a new directory and then maybe move the page to that area.


For example, you can, as Shenfeng's suggests, create a new "releases"  
directory/folder under http://www.openoffice.org/zh-cn and then put the  
release notes information there.


What do you think?




Because I don't know how directories work in anon online CMS, and earlier
there was a problem with dirs, Shenfeng and Eric asked for creation of a
directory "releases" where the "release notes" will be put.


This time they sent a new patch for "release notes" which is meant to be
put into the main zh-cn/ directory.

- Michal Hriň






Re: [VOTE] Apache OpenOffice Community Graduation Vote

2012-08-27 Thread Dave Fisher

On Aug 27, 2012, at 10:38 AM, Jim Jagielski wrote:

> The ASF releases code. PMCs vote on a SVN tag and on a release tarball
> (distribution) made from that tag. There is a direct and easily
> followed path between the bits the end-user gets and the bits that
> the PMC has determined as "the release."
> 
> The issue with voting on "just" a binary release is how is the
> providence of the code ensured... If I get a binary how can I,
> as an end-user, ensure that the binary was based on the official bits
> and was built in a way that didn't muck around with those bits.
> *THAT* is what the AOO PPMC needs to work thru, since most end-user
> of AOO couldn't care a fig about the bits. But just because end-users
> don't care, or shouldn't care, doesn't mean that the PMC/PPMC
> can just wing it. Nor can it consider the binaries as "more important"
> than the code.
> 
> One possible scenario: The AOO PPMC/PMC is ready for a release
> and someone steps up to RM. He/she does the normal process and
> a release tag is created. At that point, binary RM's step up
> and, using that tag and a well-defined (and trackable) process,
> creates binaries and then sign that binary. In fact, that was/is
> my intent on wanting to be on the AOO PMC is to be the Apple OSX
> RM (that is, take on that responsibility).

Exactly!

And if you are doing this, it would make sense to address the Apple CA 
questions regarding Mountain Lion and digital certs.

Regards,
Dave




CVE-2012-2665 Manifest-processing errors in Apache OpenOffice 3.4.0

2012-08-27 Thread Rob Weir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

CVE-2012-2665  Manifest-processing errors in Apache OpenOffice 3.4.0

Reference: http://www.openoffice.org/security/cves/CVE-2012-2665.html

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

Apache OpenOffice 3.4.0, all languages, all platforms.
Earlier versions of OpenOffice.org may also be affected.

Description:

When OpenOffice reads an ODF document, it first loads and processes
an XML stream within the file called the manifest. Apache OpenOffice
3.4.0 has logic errors that allow a carefully crafted manifest to
cause reads and writes beyond allocated buffers.

No specific exploit has been demonstrated in this case, though such
flaws generally are conducive to exploitation, possibly including
denial of service and elevation of privilege.

Mitigation

OpenOffice users are advised to upgrade to Apache OpenOffice 3.4.1:

http://www.openoffice.org/download/

Users who are unable to upgrade immediately should exercise caution
when opening untrusted ODF documents.

Credits

The Apache OpenOffice Security Team acknowledges Timo Warns of
PRESENSE Technologies GmbH as the discoverer of these flaws.


Re: [DL Website] Prototype of an automatic table with download links

2012-08-27 Thread Marcus (OOo)

Am 08/27/2012 12:38 AM, schrieb Marcus (OOo):

Am 08/27/2012 12:12 AM, schrieb Dave Fisher:


On Aug 26, 2012, at 2:59 PM, Marcus (OOo) wrote:


Am 08/26/2012 11:37 PM, schrieb Marcus (OOo):

Am 08/26/2012 09:38 PM, schrieb Dave Fisher:


On Aug 26, 2012, at 11:05 AM, Marcus (OOo) wrote:


Hi all,

as promised on Friday I've adjusted the existing automatism to the
latest AOO 3.4.1 parameters.

The most recent webpage is here:
http://ooo-site.staging.apache.org/download/test/other_print.html


There is one change needed with the source downloads. Please use the
Apache Mirrors and not dist directly for the packages. See [1].


Only for the source files, not for the hash files, right? Done.


Should the language packs be mixed with the full installation sets? If
so then maybe the language fields should span two rows?


To have all in a single table it's easier to point the user to resp. the
user has only to remember this.

I'll think about the span thing.


As "fast solution" I've deleted every second language strings and
expanded the row highlighting.

Dave, what do you think?


Much better.

Maybe the go back to the top break in the language group should be
more frequent than every 10?


Ah, right. With the combined table (full install, langpacks, hashes)
it's still after 10 languages but actually a lot of big rows more which
is indeed too much. I'll change it tomorrow.


I've changed it in a way that max. 4 languages are printed and then a 
new sub-table header.


With the most high screen resolutions nowadays this should fit. On my 
screen the visible part begins with "Start of page" and it ends with this.


Marcus




[1] http://incubator.apache.org/openofficeorg/downloads.html


I'm open for opinions. Otherwise I can put it easily to the
production website as the new "other.html".


Re: The translation of AOO3.4.1 release notes and announcement

2012-08-27 Thread Kay Schenk



On 08/27/2012 01:42 PM, Michal Hriň wrote:

Hi Kay,

I understand well, I try to explain if I can :)


OK...




Hello again, Shenfeng and Eric--

Please see:

http://www.openoffice.org/zh-cn/news/aoo341.html

which was created by "imacat" on 23/08/2012.


This is release announcement.



I would think you would want to make changes to the existing page
instead of creating a new one. Yes?

If these notes are not where you'd like them, then, yes, you could
create a new directory and then maybe move the page to that area.

For example, you can, as Shenfeng's suggests, create a new "releases"
directory/folder under http://www.openoffice.org/zh-cn and then put
the release notes information there.

What do you think?




Because I don't know how directories work in anon online CMS, and earlier
there was a problem with dirs, Shenfeng and Eric asked for creation of a
directory "releases" where the "release notes" will be put.


OK...I wasn't sure if this was an actual request or just a suggestion. 
Maybe I missed a previous e-mail on this.






This time they sent a new patch for "release notes" which is meant to be
put into the main zh-cn/ directory.


Right, I got that also.



- Michal Hriň


I think we should wait to hear again from Shenfeng or Eric.












--

MzK

"As a child my family's menu consisted of two choices:
take it or leave it. "
   -- Buddy Hackett


Re: [DL Website] Prototype of an automatic table with download links

2012-08-27 Thread Kay Schenk



On 08/27/2012 02:07 PM, Marcus (OOo) wrote:

Am 08/27/2012 12:38 AM, schrieb Marcus (OOo):

Am 08/27/2012 12:12 AM, schrieb Dave Fisher:


On Aug 26, 2012, at 2:59 PM, Marcus (OOo) wrote:


Am 08/26/2012 11:37 PM, schrieb Marcus (OOo):

Am 08/26/2012 09:38 PM, schrieb Dave Fisher:


On Aug 26, 2012, at 11:05 AM, Marcus (OOo) wrote:


Hi all,

as promised on Friday I've adjusted the existing automatism to the
latest AOO 3.4.1 parameters.

The most recent webpage is here:
http://ooo-site.staging.apache.org/download/test/other_print.html


There is one change needed with the source downloads. Please use the
Apache Mirrors and not dist directly for the packages. See [1].


Only for the source files, not for the hash files, right? Done.


Should the language packs be mixed with the full installation sets? If
so then maybe the language fields should span two rows?


To have all in a single table it's easier to point the user to resp.
the
user has only to remember this.

I'll think about the span thing.


As "fast solution" I've deleted every second language strings and
expanded the row highlighting.

Dave, what do you think?


Much better.

Maybe the go back to the top break in the language group should be
more frequent than every 10?


Ah, right. With the combined table (full install, langpacks, hashes)
it's still after 10 languages but actually a lot of big rows more which
is indeed too much. I'll change it tomorrow.


I've changed it in a way that max. 4 languages are printed and then a
new sub-table header.

With the most high screen resolutions nowadays this should fit. On my
screen the visible part begins with "Start of page" and it ends with this.

Marcus




This seems fine to me. Nice job!




[1] http://incubator.apache.org/openofficeorg/downloads.html


I'm open for opinions. Otherwise I can put it easily to the
production website as the new "other.html".


--

MzK

"As a child my family's menu consisted of two choices:
take it or leave it. "
   -- Buddy Hackett


Re: Something wrong in download page for Linux users

2012-08-27 Thread Marcus (OOo)

Am 08/27/2012 08:52 PM, schrieb drew:

On Sun, 2012-08-26 at 20:18 +0200, Marcus (OOo) wrote:

Am 08/24/2012 11:52 PM, schrieb Marcus (OOo):

Am 08/23/2012 04:24 PM, schrieb Ariel Constenla-Haile:


Hi Marcus,

On Fri, May 18, 2012 at 01:49:19AM +0200, Marcus (OOo) wrote:

Am 05/18/2012 01:29 AM, schrieb Ariel Constenla-Haile:

On Fri, May 18, 2012 at 12:26:41AM +0200, Marcus (OOo) wrote:


The system and the browser are 64 bits, the package is 32 bits.


Interesting. The browser shows that the platform is i686 (= x86) and
the user agent says x86_64. Haven't seen this before.

OK, which value is right when you don't know the truth? ;-)


just blame it on Google :)

http://code.google.com/p/chromium/issues/detail?id=44905


Interesting, even Google software has old bugs. :-P


Duplicated by this one?
http://code.google.com/p/chromium/issues/detail?id=128167


Great. When this is solved somewhen, we can check our DL logic
again. I'll add this to the Wiki page.



FYI this is fixed now in Chrome, according to the browser values shown
by http://www.openoffice.org/download/test/analyze.html


Ah, thank you for the hint. I will analyze the data what needs to be
updated.

BTW:
Great to have this little test webpage online, isn't it? ;-)


This should work now with the recent change from Oliver.

Can you confirm this especially for Chrome?


Howdy

http://www.openoffice.org/download/test/analyze.html
64bit Ubuntu 11.04 - latest Chromium - still thinks I am 32Bit Debs :(


Please can you give me the first part of the data in the table 
("Variables from the browser | Values")?


Thanks

Marcus


Re: Something wrong in download page for Linux users

2012-08-27 Thread Ariel Constenla-Haile
On Mon, Aug 27, 2012 at 11:26:45PM +0200, Marcus (OOo) wrote:
> >>Can you confirm this especially for Chrome?
> >
> >Howdy
> >
> >http://www.openoffice.org/download/test/analyze.html
> >64bit Ubuntu 11.04 - latest Chromium - still thinks I am 32Bit Debs :(
> 
> Please can you give me the first part of the data in the table
> ("Variables from the browser | Values")?

For me it's working with this Chrome version:

Name: google-chrome-beta
Arch: x86_64
Version : 22.0.1229.14
Release : 152690

recognized as

navigator.userAgent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, 
like Gecko) Chrome/22.0.1229.14 Safari/537.4


Maybe Drew is running a Chrome version without the bug fix.
According to http://code.google.com/p/chromium/issues/detail?id=128167
it is fixed upstream in https://bugs.webkit.org/show_bug.cgi?id=86778


Regards
-- 
Ariel Constenla-Haile
La Plata, Argentina




Re: Something wrong in download page for Linux users

2012-08-27 Thread drew


> > Howdy
> >
> > http://www.openoffice.org/download/test/analyze.html
> > 64bit Ubuntu 11.04 - latest Chromium - still thinks I am 32Bit Debs :(
> 
> Please can you give me the first part of the data in the table 
> ("Variables from the browser | Values")?
> 
> Thanks
> 
> Marcus
> 

Copy/paste from the html page just now:
https://docs.google.com/spreadsheet/ccc?key=0Ah7ZNEXlmR0IdGdCRXZVbE5vdmZrdlc2TzhaUV81c3c



Re: Something wrong in download page for Linux users

2012-08-27 Thread Marcus (OOo)

Am 08/27/2012 11:51 PM, schrieb Ariel Constenla-Haile:

On Mon, Aug 27, 2012 at 11:26:45PM +0200, Marcus (OOo) wrote:

Can you confirm this especially for Chrome?


Howdy

http://www.openoffice.org/download/test/analyze.html
64bit Ubuntu 11.04 - latest Chromium - still thinks I am 32Bit Debs :(


Please can you give me the first part of the data in the table
("Variables from the browser | Values")?


For me it's working with this Chrome version:

Name: google-chrome-beta
Arch: x86_64
Version : 22.0.1229.14
Release : 152690

recognized as

navigator.userAgent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, 
like Gecko) Chrome/22.0.1229.14 Safari/537.4


Maybe Drew is running a Chrome version without the bug fix.
According to http://code.google.com/p/chromium/issues/detail?id=128167
it is fixed upstream in https://bugs.webkit.org/show_bug.cgi?id=86778


Yes, that's my guess, too. You have version "22.0.1229.14" but Drew
"18.0.1025.151". I don't know how often Chrome is updated but it looks
reasonably older to justify this difference.


Thanks

Marcus



Re: Something wrong in download page for Linux users

2012-08-27 Thread Marcus (OOo)

Am 08/27/2012 11:51 PM, schrieb drew:




Howdy

http://www.openoffice.org/download/test/analyze.html
64bit Ubuntu 11.04 - latest Chromium - still thinks I am 32Bit Debs :(


Please can you give me the first part of the data in the table
("Variables from the browser | Values")?

Thanks

Marcus



Copy/paste from the html page just now:
https://docs.google.com/spreadsheet/ccc?key=0Ah7ZNEXlmR0IdGdCRXZVbE5vdmZrdlc2TzhaUV81c3c


Thanks. Please see my answer to Ariel. It seems the difference in both 
versions is the root cause.


Marcus


Re: Something wrong in download page for Linux users

2012-08-27 Thread drew
On Mon, 2012-08-27 at 18:51 -0300, Ariel Constenla-Haile wrote:
> On Mon, Aug 27, 2012 at 11:26:45PM +0200, Marcus (OOo) wrote:
> > >>Can you confirm this especially for Chrome?
> > >
> > >Howdy
> > >
> > >http://www.openoffice.org/download/test/analyze.html
> > >64bit Ubuntu 11.04 - latest Chromium - still thinks I am 32Bit Debs :(
> > 
> > Please can you give me the first part of the data in the table
> > ("Variables from the browser | Values")?
> 
> For me it's working with this Chrome version:
> 
> Name: google-chrome-beta
> Arch: x86_64
> Version : 22.0.1229.14
> Release : 152690
> 
> recognized as
> 
> navigator.userAgent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, 
> like Gecko) Chrome/22.0.1229.14 Safari/537.4
> 
> 
> Maybe Drew is running a Chrome version without the bug fix.
> According to http://code.google.com/p/chromium/issues/detail?id=128167
> it is fixed upstream in https://bugs.webkit.org/show_bug.cgi?id=86778

It would appear to be it precisely
-  so it seems that for folks that might still have a problem like mine
the right answer is, let them know that in as much as it bugs them they
need to either update their browser directly or wait on Ubuntu to do so
in the repository.

Thanks

> 
> 
> Regards




Re: [UX] DISCUSS - Survey Tool Recommendation

2012-08-27 Thread Graham Lauder
> KG01 - see comments inline
> 
> On Aug 18, 2012, at 9:34 AM, Graham Lauder  wrote:
> >>> On 16/08/2012 Rob Weir wrote:
>  On Thu, Aug 16, 2012 at 12:47 AM, Kevin Grignon wrote:
> > I've been looking at various survey tools and would like to recommend
> > that we deploy the open source survey tool, *LimeSurvey.*
> >>> 
> >>> Perfect. It is a good tool and it is in continuity with what the
> >>> project used to use, see my old e-mail at
> >>> http://mail-archives.apache.org/mod_mbox/incubator-ooo-dev/201206.mbox/
> >>> %3 C4 feecc9a.3020...@apache.org%3E
> 
> KG01 - Great news. Most gracious.
> 
>  1) A volunteer hosts the survey outside of Apache at their existing
>  domain name
>  
>  2) A volunteer hosts the survey outside of Apache and some pays $15 or
>  so to get a better domain name for it, like www.oosurvey.net
>  
>  3) A volunteer hosts the survey outside of Apache but we redirect the
>  subdomain "survey.openoffice.org" to point to the external server
> >>> 
> >>> As I wrote in the same e-mail, Graham had written he had a working
> >>> LimeSurvey installation that he could make available to the project:
> >>> http://s.apache.org/wZ . So I'd try with that first, and I'd probably
> >>> prefer option 3 to keep all services under one namespace.
> 
> KG01 - yes, a natural language oriented name such as
> "survey.openoffice.org" would be great.
> 
> >>> Regards,
> >>> 
> >>>   Andrea.
> >> 
> >> Just having long loud discussions with the host at the moment because
> >> the site is broken, looks like an update has gone bad.  As soon as it's
> >> sorted we can be in to it.
> >> 
> >> We should probably still do the survey design on the wiki however.
> 
> KG01 - Indeed, I have been capturing the survey questions on the wiki. I
> will also start to build the survey groups (question collections) in
> LimeSurvey to be ready to import into our hosted instance, when available.
> 
> >> Cheers
> >> G
> > 
> > Good grief, server meltdown and they're talking about 72 hours before
> > it's up again.
> 
> KG01 - No worries, as long as we can get cracking by the end of the week.
> 
> KG01 - Please share server details and user credentials when available.

Hi Kevin,
 
You should have had an email with access details and password for admin rights 
by now.  Let's have at it.


Cheers
GL 


Re: [Release Notes] Proposed template for creation of Release Notes

2012-08-27 Thread Keith N. McKenna

Keith N. McKenna wrote:

Hello All;

   I have a proposed draft of a template for use in creating Release
Notes at:
https://cwiki.apache.org/confluence/display/OOOUSERS/Release+Notes+Template.
All comments and changes are welcome. I believe that there is a way to
generate actual templates for the Confluence wiki and I will be digging
through the documentation for it to try and figure out how to do so.

Regards
Keith


Since I have seen no negative feedback on this, I will start adding this 
material to the existing 3.5 and 4.0 release notes.


Keith



Re: The translation of AOO3.4.1 release notes and announcement

2012-08-27 Thread Shenfeng Liu
Kay,
  Yes, what imacat posted was the *3.4.1 announcement*. And what Eric
translated and I submitted is the *3.4.1 release notes* in Chinese version.
  Originally, I hope to put the translated release notes to
zh-cn/releases/3.4.1.html . But I found I can not create a new directory,
so I just submit it to zh-cn/3.4.1.html.
  (I wonder if you can help to create the new folder "releases" and move
3.4.1.html into it? I didn't find the way as anon...)

  After the Chinese release notes published, I will update the announcement
imacat created, and let the url of the release notes in the page point to
the new Chinese version.

  Hope I made it clear to you. Thanks!

- Shenfeng


2012/8/28 Kay Schenk 

>
>
> On 08/27/2012 01:42 PM, Michal Hriň wrote:
>
>> Hi Kay,
>>
>> I understand well, I try to explain if I can :)
>>
>
> OK...
>
>
>
>>  Hello again, Shenfeng and Eric--
>>>
>>> Please see:
>>>
>>> http://www.openoffice.org/zh-cn/news/aoo341.html
>>>
>>> which was created by "imacat" on 23/08/2012.
>>>
>>
>> This is release announcement.
>>
>>
>>> I would think you would want to make changes to the existing page
>>> instead of creating a new one. Yes?
>>>
>>> If these notes are not where you'd like them, then, yes, you could
>>> create a new directory and then maybe move the page to that area.
>>>
>>> For example, you can, as Shenfeng suggests, create a new "releases"
>>> directory/folder under http://www.openoffice.org/zh-cn and then put
>>> the release notes information there.
>>>
>>> What do you think?
>>>
>>>
>>>
>> Because I don't know how directories work in the anon online CMS, and earlier
>> there was a problem with dirs, Shenfeng and Eric asked for creation of the
>> directory "releases" where the "release notes" will be put.
>>
>
> OK...I wasn't sure if this was an actual request or just a suggestion.
> Maybe I missed a previous e-mail on this.
>
>
>
>
>>
>> This time they sent a new patch for "release notes" which is meant to be
>> put into the main zh-cn/ directory.
>>
>
> Right, I got that also.
>
>
>> - Michal Hriň
>>
>
> I think we should wait to hear again from Shenfeng or Eric.
>
>
>>
>>>
>>> On 08/26/2012 11:34 PM, eric wu wrote:
>>>
 hi:
 I have finished the translation of the release notes, please check the
 attachments. Thank you!

 eric wu
 *From:* Shenfeng Liu
 *Date:* 2012-08-27 14:09
 *To:* ooo-dev
 *Subject:* Re: Re: The translation of AOO3.4.1 release notes and announcement
 Kay and Eric,
   I suggest to put the release notes translation to:
 http://www.openoffice.org/zh-cn/releases/3.4.1.html.
 (need to create the folder "releases")
 - Simon
 2012/8/25 Kay Schenk
  > On Thu, Aug 23, 2012 at 7:04 PM, eric wu wrote:
  >
  > > hi :
  > > I have finished my translation of the release notes, but I don't know what
  > > format to save my translation and how to put the translation under:
  > > http://www.openoffice.org/zh-cn/, can you help me? Thank you!
  > >
  > >
  > >
  > >
  > > eric wu
  > >
  >
  > Hi eric --
  >
  > Ok, a bit of a problem.  Your translation, while good work, is set up to
  > actually overwrite the current Release Notes in English where they
  > currently reside, so we will not commit this change.
  >
  > So, I think what will need to happen is you (or someone) needs to determine
  > where in/on this new page, your translated release notes will live. Go
  > there and setup for a new page in an area, and then submit the translation
  > to that NEW area so you don't overwrite the existing English copy.
  >
  > I know how to do this in normal svn but I'm not sure how to go about some
  > of this using the CMS bookmarklet if you want to know the truth.
  >
  > Maybe someone else can weigh in here.
  >
  > First, though, maybe some additional coordination about where to locate
  > this.
  >
  > I hope this helps.
  >
  >
  > > From: Shenfeng Liu
  > > Date: 2012-08-21 14:02
  > > To: ooo-dev; jinjin.wu
  > > Subject: Re: The translation of AOO3.4.1 release notes and announcement
  > > Eric,
  > >   That's great!
  > >   You can find the current AOO 3.4.1 release draft by Kay Schenk in
  > > English here: http://www.openoffice.org/development/releases/3.4.1.html .
  > > I'm not sure if any further editing will be made on it.
  > >
  > >   And I think it will b

CMS diff: 3.4.1_rn.html

2012-08-27 Thread Shenfeng Liu & eric wu
Clone URL (Committers only):
https://cms.apache.org/redirect?new=anonymous;action=diff;uri=http://ooo-site.apache.org/zh-cn%2F3.4.1_rn.html

Shenfeng Liu & eric wu

Index: trunk/content/zh-cn/3.4.1_rn.html
===
--- trunk/content/zh-cn/3.4.1_rn.html   (revision 0)
+++ trunk/content/zh-cn/3.4.1_rn.html   (working copy)
@@ -0,0 +1,133 @@
+http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
+http://www.w3.org/1999/xhtml";>
+
+
+Apache OpenOffice 3.4.1 发行说明
+
+
+
+AOO 3.4.1 (build 1372282) 发行说明
+
+
+  Translations:
+http://www.openoffice.org/development/releases/3.4.1.html";>English |
+https://cwiki.apache.org/OOOUSERS/aoo-341-notas-de-la-versin.html";>Español
 |
+http://www.openoffice.org/it/stampa/comunicati/aoo341-rn.html";>Italiano
+  
+
+
+概述
+
+Apache OpenOffice 3.4.1是一个维护版本,主要是用于修复几个关键性的问题和提高软件的整体质量。
+
+主要的改善包括以下几个方面: 额外的语言支持、 bug的修复、性能的改进和Windows 8 兼容性的增强。每个方面的细节将在下面进行描述。
+
+如果你需要一个更加全面的自从OpenOffice 3.3.X或者更早的版本所作出的修改的总结,请参照3.4.0版本的发行说明 http://www.openoffice.org/development/releases/3.4.0.html";>Apache 
OpenOffice 3.4.0 
+
+额外的语言支持
+
+在Apache
 OpenOffice 3.4.1新增可用的翻译包括:
+
+
+   芬兰语
+   英式英语
+   高棉语
+   斯洛伐克语
+   斯洛文尼亚语
+
+
+
+
+在Apache
 OpenOffice 3.4.1更新的可用翻译包括:
+
+
+   荷兰语
+   西班牙语
+   意大利语
+   匈牙利语
+
+
+
+
+如果需要一个完整的可用语言和语言包列表,请查看: http://www.openoffice.org/download/other.html";>http://www.openoffice.org/download/other.html
+
+平台支持
+以下的几个平台将继续的成为Apache OpenOffice 的正式版本的发布平台:Microsoft Windows, MacOS 
(Intel), Linux (32 bit), Linux (64 bit)。  
+
+此外,也有相当多的社区成员在Solaris、FreeBSD、OS/2和 live/portable 的各个版本下工作。
+你可以在我们的移植和分发页面学到更多的东西: http://www.openoffice.org/porting/";>http://www.openoffice.org/porting/ 
。
+
+
+
+
+漏洞修复
+
+截止到2012年8月16日,已经有69个已经通过验证的问题得到解决。
+
+详细的列表参见: http://s.apache.org/Huv";>http://s.apache.org/Huv。
+
+你需要一个OpenOffice Bugzilla的登录账号才能去查看这些问题。
+
+(可能使你感兴趣的是一个 https://issues.apache.org/ooo/";>OpenOffice 
Bugzilla 的登录账号可以使你搜索任何的漏洞。)
+
+重要的漏洞修复主要包含以下几个方面:
+
+
+快速启动器的问题
+扩展程序清理
+重新默认开启自动升级检测
+电子表格中撤销的问题
+电子表格中恢复的问题
+电子表格和文字处理中安装了语言工具之后假死的问题
+无法检测的java。Oracle 作为java的提供商,已经加入进来为JVM的识别提供帮助。在以前,提供商是SUN公司。
+
+
+QE团队此外也跟进了一些额外的修复,具体的报告见:
+
+http://wiki.services.openoffice.org/wiki/QA/Report/WeeklyReport";>http://wiki.services.openoffice.org/wiki/QA/Report/WeeklyReport。
+
+此外,从版本3.4.1开始,Apache OpenOffice将会收到静态分析带来的好处,这个工具由http://www.coverity.com/";>Coverity公司提供,主要是用来在代码即将发布之前检测软件的缺陷。在此要特别感谢Coverity公司提供其屡获殊荣的工具!
+
+
+性能的提升/加强
+
+
+扩展程序安装使用的临时空间的清理。 当存在多用户安装时这就会减低单用户的磁盘占用空间。
+
在安装US-en版本的时候只会保留一个英文词典而不是之前的5个。这样就会节省用户空间。用户可以在自己需要的时候去添加其他的英文词典(如加拿大,澳大利亚,新西兰)。
+拼写检查库从1.2.9升级到1.3.2版本。这个版本包含了一些扩展的复合词用法的改进,特别是在荷兰语、德语和日耳曼语言方面。
+
+
+
+Microsoft 
Windows 8的兼容性
+
+我们已经在Windows 8上测试过该版本。到目前为止,它的表现很好。我们现在正在通过正式的Windows 8 
的认证列表的流程中,还存在一些比较次要的问题。请看Wiki上的文档:
+
+http://wiki.services.openoffice.org/wiki/Documentation/Windows_App_Certification_Kit_-_Test_Results_for_Apache_OpenOffice_3.4";>http://wiki.services.openoffice.org/wiki/Documentation/Windows_App_Certification_Kit_-_Test_Results_for_Apache_OpenOffice_3.4。
+
+说明:在Apache OpenOffice 3.4.1中为了更好的支持Windows 8而做的改进同样也会给Windows 7用户带来好处。
+
+
+已知的问题
+
+
+
+Apache OpenOffice 3.4.0 and 
3.4.1版本在管理用户配置文件方面和以前的版本不同。旧的用户配置文件会被自动的转换所以用户可以保留他们的扩展程序和设置。在少数情况下,特别是存在高度定制的配置文件(很多扩展程序和用户定制)的时候转换会不成功。常见的情况有:频繁地程序崩溃、字典或者辞典的问题、OpenOffice在开启之后几秒后会崩溃。为了解决这些问题,只需要像OpenOffice官方论坛上解释的一样重置或者重命名你的用户配置文件就可以了:
+http://user.services.openoffice.org/en/forum/viewtopic.php?t=12426";>http://user.services.openoffice.org/en/forum/viewtopic.php?t=12426。
+
+Apache OpenOfice 3.4.0 and 3.4.1在OS X Mountain 
Lion操作系统中将会被新的守护设备标记。这个一个Mac操作系统用来防止恶意软件的新特性。下面的链接列出了怎么使一个不是从Mac应用商店安装的程序在Mac上运行的步骤。可以参见Apple技术支持上的文章:http://support.apple.com/kb/HT5290";>http://support.apple.com/kb/HT5290。
+
+Apache OpenOffice 3.4.0和3.4.1支持Java 7,并且这是推荐的配置; 但是(特别是在64位的Windows上) 
你可能会收到关于Java版本的警告信息。在这种情况下,你可以下载和安装http://www.oracle.com/technetwork/java/javase/downloads/jre-6u32-downloads-1594646.html";>jre-6u32-windows-i586.exe
 并且配置OpenOffice去使用它,操作方法为:工具- 选项- OpenOffice.org - Java。具体参见:http://user.services.openoffice.org/en/forum/viewtopic.php?f=15&t=54974";>http://user.services.openoffice.org/en/forum/viewtopic.php?f=15&t=54974
 可以得到更多的信息。
+
+Apache OpenOffice 
3.4.1的Windows安装包在展开安装文件之后会立即启动安装向导。在极少数的情况下,安装向导不会自动的启动,这可能是由于和其他已经安装的软件不兼容所造成的。在这种情况下,只需要找到“OpenOffice
 Installation Files ”这个文件夹,打开它然后双击“steup.exe”启动安装流程即可。
+
+
+
+持续关注Apache 
OpenOffice
+
+我们鼓励您订阅Apache 
OpenOffice的公告邮件列表,这样你就可以收到重要的通知比如产品升级和安全补丁。 如果您想订阅的话可以发送一封邮件至: mailto:ooo-announce-subscr...@incubator.apache.org";>ooo-announce-subscr...@incubator.apache.org。
+
+您也可以在https://twitter.com/#!/apacheoo";>Twitter,http://www.facebook.com/ApacheOO";>Facebook 和 https://plus.google.com/u/0/114598373874764163668/posts";>Google+上关注我们的项目。
+
+
+
\ No newline at end of file
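
Review bot: in the last item of the 已知的问题 (known issues) list, the fallback step tells the user to double-click “steup.exe”; the file name looks misspelled (presumably setup.exe), and a user following the text literally will not find such a file in the "OpenOffice Installation Files" folder. Earlier in the same list the Gatekeeper item spells the product "Apache OpenOfice", and that item and the user-profile item keep the English "and" in "3.4.0 and 3.4.1" while the Java item uses 和, so the three should be made consistent. The Java item links one specific installer, jre-6u32-windows-i586.exe, so please confirm the English release notes point at the same build before this is published. The new file also ends without a trailing newline.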

Property changes on: trunk/content/zh-cn/3.4.1_rn.html
___

Re: The translation of AOO3.4.1 release notes and announcement

2012-08-27 Thread Shenfeng Liu
Kay,
  Per Rob W's comments, I reversed 3.4.1.html, and created a new one:
zh-cn/3.4.1_rn.html. Please help to process.
  Thanks!

- Shenfeng


2012/8/28 Shenfeng Liu 

> Kay,
>   Yes, what imacat posted was the *3.4.1 announcement*. And what Eric
> translated and I submitted is the *3.4.1 release notes* in Chinese version.
>   Originally, I hope to put the translated release notes to
> zh-cn/releases/3.4.1.html . But I found I can not create a new directory,
> so I just submit it to zh-cn/3.4.1.html.
>   (I wonder if you can help to create the new folder "releases" and move
> 3.4.1.html into it? I didn't find the way as anon...)
>
>   After the Chinese release notes published, I will update the
> announcement imacat created, and let the url of the release notes in the
> page point to the new Chinese version.
>
>   Hope I made it clear to you. Thanks!
>
> - Shenfeng
>
>
>
> 2012/8/28 Kay Schenk 
>
>>
>>
>> On 08/27/2012 01:42 PM, Michal Hriň wrote:
>>
>>> Hi Kay,
>>>
>>> I understand well, I try to explain if I can :)
>>>
>>
>> OK...
>>
>>
>>
>>>  Hello again, Shenfeng and Eric--

 Please see:

 http://www.openoffice.org/zh-cn/news/aoo341.html

 which was created by "imacat" on 23/08/2012.

>>>
>>> This is release announcement.
>>>
>>>
 I would think you would want to make changes to the existing page
 instead of creating a new one. Yes?

 If these notes are not where you'd like them, then, yes, you could
 create a new directory and then maybe move the page to that area.

 For example, you can, as Shenfeng suggests, create a new "releases"
 directory/folder under http://www.openoffice.org/zh-cn and then put
 the release notes information there.

 What do you think?



>>> Because I don't know how directories work in the anon online CMS, and
>>> earlier there was a problem with dirs, Shenfeng and Eric asked for creation
>>> of the directory "releases" where the "release notes" will be put.
>>>
>>
>> OK...I wasn't sure if this was an actual request or just a suggestion.
>> Maybe I missed a previous e-mail on this.
>>
>>
>>
>>
>>>
>>> This time they sent a new patch for "release notes" which is meant to be
>>> put into the main zh-cn/ directory.
>>>
>>
>> Right, I got that also.
>>
>>
>>> - Michal Hriň
>>>
>>
>> I think we should wait to hear again from Shenfeng or Eric.
>>
>>
>>>

 On 08/26/2012 11:34 PM, eric wu wrote:

> hi:
> I have finished the translation of the release notes, please check the
> attachments. Thank you!
>
> eric wu
> *From:* Shenfeng Liu
> *Date:* 2012-08-27 14:09
> *To:* ooo-dev
> *Subject:* Re: Re: The translation of AOO3.4.1 release notes and announcement
> Kay and Eric,
>    I suggest to put the release notes translation to:
> http://www.openoffice.org/zh-cn/releases/3.4.1.html.
> (need to create the folder "releases")
> - Simon
> 2012/8/25 Kay Schenk
>  > On Thu, Aug 23, 2012 at 7:04 PM, eric wu wrote:
>  >
>  > > hi :
>  > > I have finished my translation of the release notes, but I don't know what
>  > > format to save my translation and how to put the translation under:
>  > > http://www.openoffice.org/zh-cn/, can you help me? Thank you!
>  > >
>  > >
>  > >
>  > >
>  > > eric wu
>  > >
>  >
>  > Hi eric --
>  >
>  > Ok, a bit of a problem.  Your translation, while good work, is set up to
>  > actually overwrite the current Release Notes in English where they
>  > currently reside, so we will not commit this change.
>  >
>  > So, I think what will need to happen is you (or someone) needs to determine
>  > where in/on this new page, your translated release notes will live. Go
>  > there and setup for a new page in an area, and then submit the translation
>  > to that NEW area so you don't overwrite the existing English copy.
>  >
>  > I know how to do this in normal svn but I'm not sure how to go about some
>  > of this using the CMS bookmarklet if you want to know the truth.
>  >
>  > Maybe someone else can weigh in here.
>  >
>  > First, though, maybe some additional coordination about where to locate
>  > this.
>  >
>  > I hope this helps.
>  >
>  >
>  > > From: Shenfeng Liu
>  > > Date: 2012-08-21 14:02
>  > > To: ooo-dev; jinjin.wu
>  > > Subject: Re: The translation of AOO3.4.1 release notes and announcement
>  > > Eric,
>  > >  

[CALL FOR REVIEW] VCLAuto patch -- Fix problems of vclapp.java

2012-08-27 Thread Linyi Li
Hi,

This patch fixed following problems:

1. When I run GUI test cases, vclauto can not get the valid screenshot.

2. Some scripts are not stable because the sleep time is not enough in
different platform.

3. Added load/new documents interface in VclApp.java.

I opened a defect[1] to track it. Pls help to review. Thx~

[1] https://issues.apache.org/ooo/show_bug.cgi?id=120732

-- 
Best wishes.
Linyi Li


[BZ] Request a keyword to identify issue found by automation

2012-08-27 Thread Ji Yan
Hi BZ admin,

  We are requesting for a keyword, something like "automation_bug", which
could be used to identify the issue found by automation test.

-- 


Thanks & Best Regards, Yan Ji