On 24 Jul, Dennis E. Hamilton wrote:
> The patched DLL is shipped with an external digital signature. I
> guess we could ask that to be installed alongside it. That would be a
> good tell-tale.
>
> The web site where the patch is downloadable from will have hashes for
> the archive containing the patched library and will also have an
> external signature for that. These are on a secure AOO infrastructure
> site, the best place to retrieve hashes and signature files. There is
> no reason not to have a hash of the library inside the downloadable
> archive for those who, for some reason, cannot check the signature but
> can verify the hash.
>
> In the manual procedure, we will ask users to rename the existing
> shared-library before copying in the replacement. This will provide a
> means to revert to the patched library if a regression results.
>
> There is a difference in file-creation dates and in the size of the
> files as well. The procedure for hotfixing with the patched library
> should provide that information to discourage attempting to patch a
> different release and also make it easier to tell the patch is there.
>
> You're right that different builds by others who look to just extract
> the shared library will likely end up with a different binary of that
> library. For a binary distribution from any origin that has the patch
> compiled-in, I would think something like the static string might be
> helpful. If we do that in the AOO4121 tag, we'll have to redo the
> patched libraries we've already built. I was hoping we could avoid
> that and stick with ones we have done some testing on already.
>
> Is what we're planning enough?
I think that should be OK.
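
The manual procedure discussed in the quoted message (check the size of the installed library, verify the replacement against the published hash, rename the existing library, copy in the replacement), sketched as an added example that is not part of the original thread or any AOO tooling. File names and contents are constructed, and only the hash path is covered, not the external signature check.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large libraries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def apply_hotfix(installed: Path, patched: Path, patched_sha256: str,
                 original_size: int) -> Path:
    """Swap in the patched library and return the path of the renamed original."""
    # Refuse to patch a different release: its library will not have the documented size.
    if installed.stat().st_size != original_size:
        raise ValueError("installed library does not match the release this patch targets")
    # Check the replacement against the published hash before touching the install.
    if sha256_of(patched) != patched_sha256.lower():
        raise ValueError("patched library does not match the published hash")
    backup = installed.with_name(installed.name + ".orig")
    if backup.exists():
        raise FileExistsError(f"{backup} already exists; hotfix may already be applied")
    installed.rename(backup)  # keep the existing library so the change can be reverted
    shutil.copyfile(patched, installed)
    if sha256_of(installed) != patched_sha256.lower():  # confirm the copy landed intact
        installed.unlink()
        backup.rename(installed)
        raise OSError("copy verification failed; original library restored")
    return backup


def demo() -> dict:
    """Run the procedure on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        installed = root / "example.dll"          # hypothetical library name
        patched = root / "example-patched.dll"    # hypothetical replacement name
        installed.write_bytes(b"original build")  # constructed sample contents
        patched.write_bytes(b"patched build with fix")
        published = sha256_of(patched)  # stands in for the hash on the download site
        backup = apply_hotfix(installed, patched, published, len(b"original build"))
        return {"patched": sha256_of(installed) == published,
                "backup_kept": backup.read_bytes() == b"original build"}
```

Afterwards, comparing `sha256_of()` of the installed library with the published hash is the tell-tale that the patch is in place.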