Re: [ANNOUNCEMENT] Apache OpenOffice 3.4.1 (incubating) released
On Fri, 24 Aug 2012 14:26:53 -0400 Rob Weir wrote:

> On Fri, Aug 24, 2012 at 10:52 AM, Rory O'Farrell wrote:
> > On Fri, 24 Aug 2012 10:44:34 -0400
> > Rob Weir wrote:
> >
> >> On Thu, Aug 23, 2012 at 6:43 PM, Rory O'Farrell wrote:
> >> > On Thu, 23 Aug 2012 18:29:57 -0400
> >> > "Maurice Howe" wrote:
> >> >
> >> >> I use AVG 2012.0.2180 Free Edition
> >> >>
> >> > I installed AOO 3.4.1 on one of my Windows machines today and AVG didn't
> >> > complain. I'll check in detail tomorrow when the machine is awake -
> >> > near midnight here and I'm closing down. It is often the case that new
> >> > OpenOffice releases trigger false positives from virus scanners.
> >> > --
> >>
> >> I put AVG free version on an XP VM, updated virus signatures,
> >> installed AOO 3.4.1 Windows en-US from the website and did a full
> >> scan. No issues reported.
> >>
> >> So if Maurice was indeed getting an AV hit, that suggests he might
> >> actually have something, either preexisting on his machine, or from
> >> downloading AOO from another website. If it were really a false
> >> positive, wouldn't we be seeing it as well?
> >>
> >> -Rob
> >>
> >> > Rory O'Farrell
> >
> >
> > I'm sure we would all be seeing a warning if there was an intrinsic problem
> > in the compiled code. Normal reaction from Volunteers on en-Forum is that
> > a virus/malware warning on a new release of OpenOffice from the approved
> > download sites is a false positive and I think so it has always proved;
> > with the transition to Apache special care is needed until the AOO releases
> > become well established, lest there be adverse publicity/comment.
> >
> > It would be helpful if Maurice could tell us the URL of the download site,
> > the actual file name and size.
> >
>
> I finally found the image attachment that Maurice sent out originally.
> It said of the download, it "is not commonly downloaded and could
> harm your computer'".
>
> So this was not a false negative but part of the "reputation-based"
> mechanisms that AV's are starting to use. They look at a variety of
> factors, including the age of the EXE and how many other users have
> installed it. If the program is new and not well known, then you will
> get warnings like this. The warnings go away over time. The only way
> to prevent them initially is to have your code be signed, or to
> whitelist your hashes in advance with the AV vendor.
>
> -Rob
>
>
> > --
> > Rory O'Farrell
>

I've just seen on Forum a similar report, originating from an installed McAfee. I reassured the User, who downloaded and installed, with no further gripes reported from McAfee.

--
Rory O'Farrell
Re: [ANNOUNCEMENT] Apache OpenOffice 3.4.1 (incubating) released
On Fri, Aug 24, 2012 at 10:52 AM, Rory O'Farrell wrote:
> On Fri, 24 Aug 2012 10:44:34 -0400
> Rob Weir wrote:
>
>> On Thu, Aug 23, 2012 at 6:43 PM, Rory O'Farrell wrote:
>> > On Thu, 23 Aug 2012 18:29:57 -0400
>> > "Maurice Howe" wrote:
>> >
>> >> I use AVG 2012.0.2180 Free Edition
>> >>
>> > I installed AOO 3.4.1 on one of my Windows machines today and AVG didn't
>> > complain. I'll check in detail tomorrow when the machine is awake - near
>> > midnight here and I'm closing down. It is often the case that new
>> > OpenOffice releases trigger false positives from virus scanners.
>> > --
>>
>> I put AVG free version on an XP VM, updated virus signatures,
>> installed AOO 3.4.1 Windows en-US from the website and did a full
>> scan. No issues reported.
>>
>> So if Maurice was indeed getting an AV hit, that suggests he might
>> actually have something, either preexisting on his machine, or from
>> downloading AOO from another website. If it were really a false
>> positive, wouldn't we be seeing it as well?
>>
>> -Rob
>>
>> > Rory O'Farrell
>
>
> I'm sure we would all be seeing a warning if there was an intrinsic problem
> in the compiled code. Normal reaction from Volunteers on en-Forum is that a
> virus/malware warning on a new release of OpenOffice from the approved
> download sites is a false positive and I think so it has always proved; with
> the transition to Apache special care is needed until the AOO releases become
> well established, lest there be adverse publicity/comment.
>
> It would be helpful if Maurice could tell us the URL of the download site,
> the actual file name and size.
>

I finally found the image attachment that Maurice sent out originally. It said of the download, it "is not commonly downloaded and could harm your computer'".

So this was not a false negative but part of the "reputation-based" mechanisms that AV's are starting to use. They look at a variety of factors, including the age of the EXE and how many other users have installed it. If the program is new and not well known, then you will get warnings like this. The warnings go away over time. The only way to prevent them initially is to have your code be signed, or to whitelist your hashes in advance with the AV vendor.

-Rob

> --
> Rory O'Farrell
Re: [ANNOUNCEMENT] Apache OpenOffice 3.4.1 (incubating) released
On Fri, 24 Aug 2012 10:44:34 -0400 Rob Weir wrote:

> On Thu, Aug 23, 2012 at 6:43 PM, Rory O'Farrell wrote:
> > On Thu, 23 Aug 2012 18:29:57 -0400
> > "Maurice Howe" wrote:
> >
> >> I use AVG 2012.0.2180 Free Edition
> >>
> > I installed AOO 3.4.1 on one of my Windows machines today and AVG didn't
> > complain. I'll check in detail tomorrow when the machine is awake - near
> > midnight here and I'm closing down. It is often the case that new
> > OpenOffice releases trigger false positives from virus scanners.
> > --
>
> I put AVG free version on an XP VM, updated virus signatures,
> installed AOO 3.4.1 Windows en-US from the website and did a full
> scan. No issues reported.
>
> So if Maurice was indeed getting an AV hit, that suggests he might
> actually have something, either preexisting on his machine, or from
> downloading AOO from another website. If it were really a false
> positive, wouldn't we be seeing it as well?
>
> -Rob
>
> > Rory O'Farrell

I'm sure we would all be seeing a warning if there was an intrinsic problem in the compiled code. Normal reaction from Volunteers on en-Forum is that a virus/malware warning on a new release of OpenOffice from the approved download sites is a false positive and I think so it has always proved; with the transition to Apache special care is needed until the AOO releases become well established, lest there be adverse publicity/comment.

It would be helpful if Maurice could tell us the URL of the download site, the actual file name and size.

--
Rory O'Farrell
Re: [ANNOUNCEMENT] Apache OpenOffice 3.4.1 (incubating) released
On Thu, Aug 23, 2012 at 6:43 PM, Rory O'Farrell wrote:
> On Thu, 23 Aug 2012 18:29:57 -0400
> "Maurice Howe" wrote:
>
>> I use AVG 2012.0.2180 Free Edition
>>
> I installed AOO 3.4.1 on one of my Windows machines today and AVG didn't
> complain. I'll check in detail tomorrow when the machine is awake - near
> midnight here and I'm closing down. It is often the case that new OpenOffice
> releases trigger false positives from virus scanners.
> --

I put AVG free version on an XP VM, updated virus signatures, installed AOO 3.4.1 Windows en-US from the website and did a full scan. No issues reported.

So if Maurice was indeed getting an AV hit, that suggests he might actually have something, either preexisting on his machine, or from downloading AOO from another website. If it were really a false positive, wouldn't we be seeing it as well?

-Rob

> Rory O'Farrell
Re: [ANNOUNCEMENT] Apache OpenOffice 3.4.1 (incubating) released
On Fri, Aug 24, 2012 at 7:23 AM, sebb wrote:
> On 24 August 2012 11:51, Rory O'Farrell wrote:
>> On Fri, 24 Aug 2012 11:31:05 +0100
>> sebb wrote:
>>
>>> On 24 August 2012 09:20, Rory O'Farrell wrote:
>>> > On Thu, 23 Aug 2012 18:01:42 -0400
>>> > "Maurice Howe" wrote:
>>> >
>>> >> Got a warning msg that your product was unsafe, so I deleted the
>>> >> download.
>>> >> Here's the msg.
>>> >
>>> >
>>> > I have this morning scanned my Windows XP computer on which is installed
>>> > yesterday's release of AOO 3.4.1 using AVG Free edition 2012.0.2197 (this
>>> > morning's update) at the most detailed settings and it has received a
>>> > clean bill of health.
>>> >
>>> > The question that might arise in connection with the original post is
>>> > that of the filename/download site; if it is from a legitimate (i.e.
>>> > Apache controlled site) there should be no worries.
>>> >
>>> > It was in the past not unusual for new releases of OOo to give false
>>> > positives on many virus scanners - the hooks for online updating
>>> > registered sometimes as potentially unwanted programs/possible trojans.
>>> >
>>> > As another poster (Dan?) pointed out, it is possible to check the Md5Sums
>>> > of the downloaded file against the MD5Sum list on the Apache site, to be
>>> > certain that it is exactly the file prepared and released by Apache. If
>>> > these sums check out then all should be well.
>>>
>>> AIUI that's not possible to be *certain* that the file is identical [1].
>>> Hashes are fine for checking that a download has not been
>>> corrupted/truncated in transit, because the chance of a hash collision
>>> in such a case is vanishingly small.
>>>
>>> But they are not generally considered sufficiently robust to *prove*
>>> that the download is what it appears to be.
>>> It is theoretically possible to create two different downloads with
>>> the same hash.
>>>
>>> Obviously if the hash check fails, then there is a problem, but a
>>> successful check does not provide 100% proof.
>>>
>>> Checking the detached signature for the download is much more secure,
>>> but is of course a bit harder to do.
>>>
>>> [1] http://www.apache.org/dev/release-signing#secure-hash-algorithms
>>>
>>> > --
>>> > Rory O'Farrell
>>>
>>
>> I'm not doubting your remarks above about the possibility of duplicate
>> hashes, but for most purposes the hash check is probably sufficient.
>
> Yes.
>
>> In any event, the timescale involved of some few hours after release would
>> make the possibility of a rogue hash matching file quite remote (I hope!).
>
> Actually there will be at least 3-4 days when the files and hashes are
> available during release votes.
> But more likely the rogue file would be published later when it would
> still catch some downloads.
>

Ideally we'd have a way for the user to verify this themselves, without getting into command-line tools. For example, a trusted website with an applet that would verify hash and signature for a local file. Or could this conceivably be done with Javascript?

>>
>> --
>> Rory O'Farrell
Re: [ANNOUNCEMENT] Apache OpenOffice 3.4.1 (incubating) released
On 24 August 2012 11:51, Rory O'Farrell wrote:
> On Fri, 24 Aug 2012 11:31:05 +0100
> sebb wrote:
>
>> On 24 August 2012 09:20, Rory O'Farrell wrote:
>> > On Thu, 23 Aug 2012 18:01:42 -0400
>> > "Maurice Howe" wrote:
>> >
>> >> Got a warning msg that your product was unsafe, so I deleted the download.
>> >> Here's the msg.
>> >
>> >
>> > I have this morning scanned my Windows XP computer on which is installed
>> > yesterday's release of AOO 3.4.1 using AVG Free edition 2012.0.2197 (this
>> > morning's update) at the most detailed settings and it has received a
>> > clean bill of health.
>> >
>> > The question that might arise in connection with the original post is that
>> > of the filename/download site; if it is from a legitimate (i.e. Apache
>> > controlled site) there should be no worries.
>> >
>> > It was in the past not unusual for new releases of OOo to give false
>> > positives on many virus scanners - the hooks for online updating
>> > registered sometimes as potentially unwanted programs/possible trojans.
>> >
>> > As another poster (Dan?) pointed out, it is possible to check the Md5Sums
>> > of the downloaded file against the MD5Sum list on the Apache site, to be
>> > certain that it is exactly the file prepared and released by Apache. If
>> > these sums check out then all should be well.
>>
>> AIUI that's not possible to be *certain* that the file is identical [1].
>> Hashes are fine for checking that a download has not been
>> corrupted/truncated in transit, because the chance of a hash collision
>> in such a case is vanishingly small.
>>
>> But they are not generally considered sufficiently robust to *prove*
>> that the download is what it appears to be.
>> It is theoretically possible to create two different downloads with
>> the same hash.
>>
>> Obviously if the hash check fails, then there is a problem, but a
>> successful check does not provide 100% proof.
>>
>> Checking the detached signature for the download is much more secure,
>> but is of course a bit harder to do.
>>
>> [1] http://www.apache.org/dev/release-signing#secure-hash-algorithms
>>
>> > --
>> > Rory O'Farrell
>>
>
> I'm not doubting your remarks above about the possibility of duplicate
> hashes, but for most purposes the hash check is probably sufficient.

Yes.

> In any event, the timescale involved of some few hours after release would
> make the possibility of a rogue hash matching file quite remote (I hope!).

Actually there will be at least 3-4 days when the files and hashes are available during release votes.
But more likely the rogue file would be published later when it would still catch some downloads.

>
> --
> Rory O'Farrell
Re: [ANNOUNCEMENT] Apache OpenOffice 3.4.1 (incubating) released
On Fri, 24 Aug 2012 11:31:05 +0100 sebb wrote:

> On 24 August 2012 09:20, Rory O'Farrell wrote:
> > On Thu, 23 Aug 2012 18:01:42 -0400
> > "Maurice Howe" wrote:
> >
> >> Got a warning msg that your product was unsafe, so I deleted the download.
> >> Here's the msg.
> >
> >
> > I have this morning scanned my Windows XP computer on which is installed
> > yesterday's release of AOO 3.4.1 using AVG Free edition 2012.0.2197 (this
> > morning's update) at the most detailed settings and it has received a clean
> > bill of health.
> >
> > The question that might arise in connection with the original post is that
> > of the filename/download site; if it is from a legitimate (i.e. Apache
> > controlled site) there should be no worries.
> >
> > It was in the past not unusual for new releases of OOo to give false
> > positives on many virus scanners - the hooks for online updating registered
> > sometimes as potentially unwanted programs/possible trojans.
> >
> > As another poster (Dan?) pointed out, it is possible to check the Md5Sums
> > of the downloaded file against the MD5Sum list on the Apache site, to be
> > certain that it is exactly the file prepared and released by Apache. If
> > these sums check out then all should be well.
>
> AIUI that's not possible to be *certain* that the file is identical [1].
> Hashes are fine for checking that a download has not been
> corrupted/truncated in transit, because the chance of a hash collision
> in such a case is vanishingly small.
>
> But they are not generally considered sufficiently robust to *prove*
> that the download is what it appears to be.
> It is theoretically possible to create two different downloads with
> the same hash.
>
> Obviously if the hash check fails, then there is a problem, but a
> successful check does not provide 100% proof.
>
> Checking the detached signature for the download is much more secure,
> but is of course a bit harder to do.
>
> [1] http://www.apache.org/dev/release-signing#secure-hash-algorithms
>
> > --
> > Rory O'Farrell
>

I'm not doubting your remarks above about the possibility of duplicate hashes, but for most purposes the hash check is probably sufficient. In any event, the timescale involved of some few hours after release would make the possibility of a rogue hash matching file quite remote (I hope!).

--
Rory O'Farrell
Re: [ANNOUNCEMENT] Apache OpenOffice 3.4.1 (incubating) released
On 24 August 2012 09:20, Rory O'Farrell wrote:
> On Thu, 23 Aug 2012 18:01:42 -0400
> "Maurice Howe" wrote:
>
>> Got a warning msg that your product was unsafe, so I deleted the download.
>> Here's the msg.
>
>
> I have this morning scanned my Windows XP computer on which is installed
> yesterday's release of AOO 3.4.1 using AVG Free edition 2012.0.2197 (this
> morning's update) at the most detailed settings and it has received a clean
> bill of health.
>
> The question that might arise in connection with the original post is that of
> the filename/download site; if it is from a legitimate (i.e. Apache
> controlled site) there should be no worries.
>
> It was in the past not unusual for new releases of OOo to give false
> positives on many virus scanners - the hooks for online updating registered
> sometimes as potentially unwanted programs/possible trojans.
>
> As another poster (Dan?) pointed out, it is possible to check the Md5Sums of
> the downloaded file against the MD5Sum list on the Apache site, to be certain
> that it is exactly the file prepared and released by Apache. If these sums
> check out then all should be well.

AIUI that's not possible to be *certain* that the file is identical [1].
Hashes are fine for checking that a download has not been corrupted/truncated in transit, because the chance of a hash collision in such a case is vanishingly small.

But they are not generally considered sufficiently robust to *prove* that the download is what it appears to be.
It is theoretically possible to create two different downloads with the same hash.

Obviously if the hash check fails, then there is a problem, but a successful check does not provide 100% proof.

Checking the detached signature for the download is much more secure, but is of course a bit harder to do.

[1] http://www.apache.org/dev/release-signing#secure-hash-algorithms

> --
> Rory O'Farrell
Re: [ANNOUNCEMENT] Apache OpenOffice 3.4.1 (incubating) released
On Thu, 23 Aug 2012 18:01:42 -0400 "Maurice Howe" wrote:

> Got a warning msg that your product was unsafe, so I deleted the download.
> Here's the msg.

I have this morning scanned my Windows XP computer on which is installed yesterday's release of AOO 3.4.1 using AVG Free edition 2012.0.2197 (this morning's update) at the most detailed settings and it has received a clean bill of health.

The question that might arise in connection with the original post is that of the filename/download site; if it is from a legitimate (i.e. Apache controlled site) there should be no worries.

It was in the past not unusual for new releases of OOo to give false positives on many virus scanners - the hooks for online updating registered sometimes as potentially unwanted programs/possible trojans.

As another poster (Dan?) pointed out, it is possible to check the Md5Sums of the downloaded file against the MD5Sum list on the Apache site, to be certain that it is exactly the file prepared and released by Apache. If these sums check out then all should be well.

--
Rory O'Farrell
Re: [ANNOUNCEMENT] Apache OpenOffice 3.4.1 (incubating) released
Congratulations to us all! ^_*'

On 2012/08/24 10:51, Shenfeng Liu said:
> I just found it was updated to 3.4.1! Thanks! :)
>
> - Simon
>
>
>
> 2012/8/24 Shenfeng Liu
>
>> Rob,
>> http://www.openoffice.org/download/ is still pointing to 3.4.0... Is
>> the new page still in staging server?
>>
>> - Simon
>>
>>
>>
>> 2012/8/23 Rob Weir
>>
>>> The Apache OpenOffice project is pleased to announce the immediate
>>> availability of Apache OpenOffice 3.4.1, the latest release of the
>>> free and open community-developed productivity suite. This
>>> maintenance release builds upon the success of Apache OpenOffice
>>> 3.4.0, which has been downloaded over 12 million times by users in 228
>>> countries, and adds further language support, platform compatibility,
>>> performance enhancements and bug fixes. OpenOffice 3.4.1 can be
>>> downloaded now from http://www.openoffice.org/download/ or by going to
>>> the Help/Check for Updates dialog within OpenOffice 3.4 or 3.3.
>>>
>>> Further details can be found in our announcement blog post:
>>>
>>> http://blogs.apache.org/OOo/entry/announcing_apache_openoffice_3_41
>>>
>>> Regards,
>>>
>>> -Rob
>>>
>>
>>
>

--
Best regards,
imacat ^_*'
PGP Key http://www.imacat.idv.tw/me/pgpkey.asc

<> News: http://www.wov.idv.tw/
Tavern IMACAT's http://www.imacat.idv.tw/
Woman in FOSS in Taiwan http://wofoss.blogspot.com/
Apache OpenOffice http://www.openoffice.org/
EducOO/OOo4Kids Taiwan http://www.educoo.tw/

signature.asc
Description: OpenPGP digital signature
Re: [ANNOUNCEMENT] Apache OpenOffice 3.4.1 (incubating) released
I just found it was updated to 3.4.1! Thanks! :)

- Simon

2012/8/24 Shenfeng Liu

> Rob,
> http://www.openoffice.org/download/ is still pointing to 3.4.0... Is
> the new page still in staging server?
>
> - Simon
>
>
>
> 2012/8/23 Rob Weir
>
>> The Apache OpenOffice project is pleased to announce the immediate
>> availability of Apache OpenOffice 3.4.1, the latest release of the
>> free and open community-developed productivity suite. This
>> maintenance release builds upon the success of Apache OpenOffice
>> 3.4.0, which has been downloaded over 12 million times by users in 228
>> countries, and adds further language support, platform compatibility,
>> performance enhancements and bug fixes. OpenOffice 3.4.1 can be
>> downloaded now from http://www.openoffice.org/download/ or by going to
>> the Help/Check for Updates dialog within OpenOffice 3.4 or 3.3.
>>
>> Further details can be found in our announcement blog post:
>>
>> http://blogs.apache.org/OOo/entry/announcing_apache_openoffice_3_41
>>
>> Regards,
>>
>> -Rob
>>
>
>
Re: [ANNOUNCEMENT] Apache OpenOffice 3.4.1 (incubating) released
Rob,
http://www.openoffice.org/download/ is still pointing to 3.4.0... Is the new page still in staging server?

- Simon

2012/8/23 Rob Weir

> The Apache OpenOffice project is pleased to announce the immediate
> availability of Apache OpenOffice 3.4.1, the latest release of the
> free and open community-developed productivity suite. This
> maintenance release builds upon the success of Apache OpenOffice
> 3.4.0, which has been downloaded over 12 million times by users in 228
> countries, and adds further language support, platform compatibility,
> performance enhancements and bug fixes. OpenOffice 3.4.1 can be
> downloaded now from http://www.openoffice.org/download/ or by going to
> the Help/Check for Updates dialog within OpenOffice 3.4 or 3.3.
>
> Further details can be found in our announcement blog post:
>
> http://blogs.apache.org/OOo/entry/announcing_apache_openoffice_3_41
>
> Regards,
>
> -Rob
>
Re: [ANNOUNCEMENT] Apache OpenOffice 3.4.1 (incubating) released
I have tried several times to install OpenOffice on System 7. Each time I get a message to close the QuickStarter, and the installer terminates, notifying me that the installation is incomplete and the program has not been modified.

Jim Easton
858-527-0240

On Aug 23, 2012, at 7:22, Rob Weir wrote:

> The Apache OpenOffice project is pleased to announce the immediate
> availability of Apache OpenOffice 3.4.1, the latest release of the
> free and open community-developed productivity suite. This
> maintenance release builds upon the success of Apache OpenOffice
> 3.4.0, which has been downloaded over 12 million times by users in 228
> countries, and adds further language support, platform compatibility,
> performance enhancements and bug fixes. OpenOffice 3.4.1 can be
> downloaded now from http://www.openoffice.org/download/ or by going to
> the Help/Check for Updates dialog within OpenOffice 3.4 or 3.3.
>
> Further details can be found in our announcement blog post:
>
> http://blogs.apache.org/OOo/entry/announcing_apache_openoffice_3_41
>
> Regards,
>
> -Rob
>
> -
> To unsubscribe, e-mail: ooo-users-unsubscr...@incubator.apache.org
> For additional commands, e-mail: ooo-users-h...@incubator.apache.org
>
Re: [ANNOUNCEMENT] Apache OpenOffice 3.4.1 (incubating) released
On Thu, 23 Aug 2012 18:29:57 -0400 "Maurice Howe" wrote:

> I use AVG 2012.0.2180 Free Edition
>

I installed AOO 3.4.1 on one of my Windows machines today and AVG didn't complain. I'll check in detail tomorrow when the machine is awake - near midnight here and I'm closing down. It is often the case that new OpenOffice releases trigger false positives from virus scanners.

--
Rory O'Farrell