> -----Original Message-----
> From: Andrea Pescetti [mailto:pesce...@apache.org]
> Sent: Tuesday, September 20, 2016 14:37
> To: dev@openoffice.apache.org
> Subject: Re: Tools for building and checking a release candidate
> 
> On 18/09/2016 Marcus wrote:
> > Am 09/17/2016 01:00 PM, schrieb Patricia Shanahan:
> >> Are there any tools to help put together an AOO release? If so, where
> >> are they?
> 
> We don't have any. But I've provided a script that I've just used for a
> test 4.1.3 build. It will find packages in a build tree (after the build
> has completed), arrange them in the appropriate directories, compute the
> hashes and sign.
> 
> It's currently located here:
> http://svn.apache.org/viewvc/openoffice/devtools/build-scripts/4.1.3/
> 
> It only works on Linux-64 but it is trivial to extend it to cover
> Linux-32, probably Mac OS X and maybe also Windows (provided one has a
> Bash environment).
> 
> > Maybe Andrea can help you as he has more experience, e.g., with
> > uploads to Sourceforge.
> 
> Uploads to SourceForge are trivial (just a rsync); but anyway they
> happen after the tree has already been arranged properly, so they are
> unrelated to arranging the tree.
> 
> >> Each binary needs to be signed, presumably by the person building it.
> > IMHO we haven't done any signing until now - at least not officially.
> 
> We are signing. We always did. Just, we do it in a way that Windows
> doesn't like. The "signed installers" discussion comes from this
> incompatibility. 
[orcmid] 

A little touch-up on the situation.

It is not about Windows not liking the PGP signatures.  It never sees them.
What Windows sees are Windows-specified signatures embedded in the downloaded
software itself (and also on the DLLs and such that are installed).

These are part of the file properties, properties that can be inspected
by users and, even better, by operating system software.  That is what we don't do
(although other producers of OpenOffice-lineage software do).

To favorably compare a procedure that requires expert users to perform manually 
seems odd to me.

> But, security-wise, we are already providing a detached
> GPG (or PGP) signature for all files. See
> https://www.apache.org/dev/release-signing#sign-release
> 
> Regards,
>    Andrea.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org
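An added example (not Andrea's build script and not part of this thread) of the receiving-side check that the detached signatures and digests exist to enable: it walks an arranged release tree, recomputes each artifact's SHA-256 against its sidecar digest, and asks gpg to verify the detached `.asc` signature. It assumes the ASF sidecar naming `<file>.sha256` and `<file>.asc`, that `gpg` is on PATH with the signer's public key imported from the project's KEYS file, and the fixture it builds is constructed.

```python
"""Release-candidate checker (added example, not the project's script):
each artifact needs a matching .sha256 digest and a verifiable .asc signature."""
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def check_artifact(artifact: Path) -> dict:
    """'hash': ok | missing | mismatch; 'sig': ok | missing | bad | unverified."""
    report = {"hash": "missing", "sig": "missing"}
    digest = artifact.with_name(artifact.name + ".sha256")
    if digest.exists():
        # sha256sum layout "<hex>  <name>": compare only the hex field
        expected = digest.read_text().split()[0].lower()
        report["hash"] = "ok" if expected == sha256_of(artifact) else "mismatch"
    sig = artifact.with_name(artifact.name + ".asc")
    if sig.exists():
        if shutil.which("gpg") is None:
            report["sig"] = "unverified"  # no gpg on PATH: never report ok
        else:
            # verifies only if the signer's public key (project KEYS file) is imported
            r = subprocess.run(["gpg", "--batch", "--verify", str(sig), str(artifact)],
                               capture_output=True)
            report["sig"] = "ok" if r.returncode == 0 else "bad"
    return report

def check_tree(root: Path) -> dict:
    """Report on every artifact under root; digest/signature sidecars are skipped."""
    return {p.name: check_artifact(p) for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix not in (".asc", ".sha256", ".md5")}

def build_sample_tree() -> Path:
    """Constructed fixture: a good package, one rebuilt after its digest was
    written (with a bogus signature), and one with no sidecar files at all."""
    root = Path(tempfile.mkdtemp())
    good = root / "good.tar.gz"
    good.write_bytes(b"constructed package payload")
    (root / "good.tar.gz.sha256").write_text(f"{sha256_of(good)}  good.tar.gz\n")
    stale = root / "stale.tar.gz"
    stale.write_bytes(b"payload rebuilt after the digest was computed")
    (root / "stale.tar.gz.sha256").write_text("00" * 32 + "  stale.tar.gz\n")
    (root / "stale.tar.gz.asc").write_text("-----BEGIN PGP SIGNATURE-----\nbogus\n")
    (root / "unsigned.tar.gz").write_bytes(b"no digest, no signature")
    return root
```

Run `check_tree(Path("path/to/arranged/tree"))` on a real candidate and treat anything other than `hash=ok sig=ok` as a blocker; on the constructed fixture it reports the stale package as `mismatch` plus `bad` (or `unverified` without gpg) and the third as `missing` on both.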

