Hi,

On Monday, September 17, 2012, Om wrote:

> ...The source distributions for Windows and Mac are available here:
> http://people.apache.org/~bigosmallm/installapacheflex_RC5/ ...

The release archive looks good to me, but I have one issue about the
installer use case - sorry that I didn't notice that earlier (and if I'm
correct I'm surprised that nobody brought that up).

IIUC the installer downloads a number of files (listed
in installer/src/sdk-installer-config.xml) and installs them on the user's
system.

Does it make the user aware that that's happening? IMO there should be a
confirmation somewhere, where the user is given the option of either

a) Reviewing the list of files that are going to be downloaded, and
accepting or rejecting the whole thing

b) Say "I don't care, go ahead".

My concern is that in terms of quality and security, we don't want Apache
software to mess with people's systems without letting them know beforehand.

Another thing in the README: "This hash is compared with the hash from the
Apache Flex SDK release site -  If they match, we verify that the
downloaded binary file is a valid Apache release...". Binaries are not
Apache releases, so you shouldn't say that. I'd change it to something like
"the md5 digest of the downloaded file is compared with one obtained from
the apache.org website, and the installer aborts if they don't match".

-Bertrand
