2014-12-11 9:17 GMT+01:00 Bernard Marcelly <marce...@club-internet.fr>:

> Hello
>
> My two cents...
> On such download problems, we never have an answer to this:
> - does the downloaded file have the correct checksum?
> This is not easy to check for an ordinary user, but Elizabeth Morgan
> should be able to do it.
>
> If the checksum is incorrect, then it is indeed a problem.
> Since Roberto knows the suspect mirrors, he could verify if these mirrors
> do indeed store compromised files, by testing their checksum.
> I would not be surprised if the mirror files were found correct.
>

Files are correct. Of course some mirrors are more popular (download-wise)
than others.



>
> My idea is that Chrome flags a file as suspect, not because of the file
> content, but as a result of statistical data about similar file names
> retrieved from SourceForge or other sites. We know that SourceForge
> advertising contents sometimes provide (or provided) malicious files
> pretending to be OpenOffice.
>

We have been investigating the issue in all possible ways, and the
final word is up to Google. Having said that, Apache OpenOffice is just one
of the few projects affected. Projects like FreeCAD are also experiencing
the very same problem and I believe those are not a target for malicious
variations. If you search for Google Chrome download problems you'll see
this is a pretty big issue.

As per my previous mail, we're trying to connect with Google folks using
all possible channels, hope to be able to talk to them within this week.

Roberto




>
> Bernard
>
>
> Message from Louis Suárez-Potts, dated 2014-12-09 23:50:
>
>
>>  On 09 Dec 2014, at 17:41, Roberto Galoppini <roberto.galopp...@gmail.com>
>>> wrote:
>>>
>>>
>>>
>>> 2014-12-09 21:23 GMT+01:00 Rory O'Farrell <ofarr...@iol.ie>:
>>> On Tue, 9 Dec 2014 15:14:24 -0500
>>> Louis Suárez-Potts <lui...@gmail.com> wrote:
>>>
>>>  Hi
>>>>
>>>>> On 09 Dec 2014, at 15:11, Rory O'Farrell <ofarr...@iol.ie> wrote:
>>>>>
>>>>> On Tue, 09 Dec 2014 13:48:44 -0600
>>>>> Elizabeth Morgan <elizabethallynmor...@gmail.com> wrote:
>>>>>
>>>>>  UPDATE:
>>>>>> It's my entire development team that's encountering the issue at the
>>>>>> moment -- we're having to refit a good number of computers, and all of
>>>>>> them are detecting it as malicious after downloading from Sourceforge
>>>>>> via official link from openoffice.org
>>>>>>
>>>>>
>>>>> Remember that you can check the download for integrity by the methods
>>>>> described in
>>>>> http://www.openoffice.org/download/checksums.html
>>>>>
>>>>> Your team only need one download for each O/S. They can move it about
>>>>> on USB key or DVD or network.
>>>>>
>>>>
>>>> I think Elizabeth’s point is that there is something amiss with the
>>>> linkage from OpenOffice to SF to users. The problem, reading her post,
>>>> could lie with SF. But my guess is that Elizabeth is more than competent to
>>>> file an issue describing more precisely the problem so that we can resolve
>>>> it.
>>>>
>>>
>>> I can certainly confirm, from many reports on the Forum, that Chrome is
>>> identifying SourceForge OO files on the automatic download as malicious.
>>> The same reports suggest that the direct download link gives the same files
>>> without triggering any malicious file warning from Chrome.
>>>
>>>
>>> We are trying to talk to Google to better understand what's going on; in
>>> the meantime we excluded all the blacklisted OpenOffice mirror URLs from
>>> the selection used when users download. When downloading OO now, you should
>>> get the file without any warning.
>>>
>>> This is only a short-term solution but should help for the time being.
>>> We hope to learn more soon about the actual Google Chrome policies and why
>>> those are tagging a few open source projects out there as malicious.
>>>
>>> Roberto
>>>
>>>
>> Thanks, Roberto, for the explanation. Perhaps an issue that reflects the
>> ongoing discussion would help with Elizabeth’s situation and also others?
>> (And the parallel discussion on signing downloads is probably not entirely
>> irrelevant?)  (BTW, I use Google Chrome & Canary on OS X 10.2—a dev.
>> editions, for both—and every now and then there are misreadings of a code’s
>> legitimacy. Happens.)
>>
>> louis
>>
>>
>>>
>>>
>>>
>>>> louis
>>>>
>>>>>
>>>>>
>>>>>> On 12/9/2014 1:37 PM, Marcus wrote:
>>>>>>
>>>>>>> On 12/09/2014 04:29 PM, Elizabeth Morgan wrote:
>>>>>>>
>>>>>>>> Not technically "broken" per se in the notion of "won't actually
>>>>>>>> connect to the .exe file," but Chrome keeps registering all of the
>>>>>>>> Open
>>>>>>>> Office downloads as malicious. Even past versions.
>>>>>>>>
>>>>>>>
>>>>>>> please make sure that you download only from the official source:
>>>>>>>
>>>>>>> http://www.openoffice.org/download/
>>>>>>>
>>>>>>> which will offer you the binaries from Sourceforge.net. They are
>>>>>>> hosting the installation files for us.
>>>>>>>
>>>>>>> Currently we haven't heard from other users about this problem. So, I
>>>>>>> think for the moment that it's a reason that doesn't lie within the
>>>>>>> Apache OpenOffice project.
>>>>>>>
>>>>>>> E.g., does Chrome search in a public place for malicious domains? If
>>>>>>> yes, maybe this place is not up-to-date or not working or something
>>>>>>> else.
>>>>>>>
>>>>>>> Marcus
>>>>>>>
>>>>>>
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>>
>>>>>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org
>
>
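
The check suggested in this thread (hash the copy fetched from each mirror and compare it with the published checksum), as an added example that is not part of the original messages. It assumes the published checksum is a SHA-256 line in the common `sha256sum` layout; the mirror labels, file name and file contents are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile


def parse_checksum_line(line):
    """Parse '<hex>  <name>' or '<hex> *<name>' (sha256sum layout, assumed)."""
    digest, _, name = line.strip().partition(" ")
    name = name.lstrip(" ")
    if name.startswith("*"):          # '*' marks binary mode in sha256sum output
        name = name[1:]
    if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError("not a SHA-256 checksum line: %r" % line)
    return digest.lower(), name


def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_copies(checksum_line, copies):
    """copies maps a mirror label to a local path; returns label -> bool."""
    expected, _ = parse_checksum_line(checksum_line)
    return {label: hmac.compare_digest(sha256_file(path), expected)
            for label, path in copies.items()}


def demo():
    """Three constructed 'mirror' copies; the third differs in its last byte."""
    workdir = tempfile.mkdtemp()
    good = b"constructed installer bytes\n" * 1000
    bad = good[:-1] + b"X"
    paths = {}
    for label, data in (("mirror-a", good), ("mirror-b", good), ("mirror-c", bad)):
        paths[label] = os.path.join(workdir, label + ".exe")
        with open(paths[label], "wb") as f:
            f.write(data)
    published = hashlib.sha256(good).hexdigest() + " *installer.exe"  # constructed
    return check_copies(published, paths)


if __name__ == "__main__":
    for label, ok in demo().items():
        print(label, "OK" if ok else "MISMATCH")
```

A match on every mirror means the files are byte-identical to what the project published, so a browser warning on them comes from something other than the file content.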
