Issue 119019 - Incorrect/Insufficient Binary File Properties on Windows
Summary: Incorrect/Insufficient Binary File Properties on Windows
Status: CONFIRMED
Alias: None
Product: Installation
Classification: Application
Component: code (show other issues)
Version: 3.4.0 Beta (OOo)
Hardware: PC Windows 7
: P3 Major (vote)
Target Milestone: ---
Assignee: AOO issues mailing list
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-05 00:51 UTC by orcmid
Modified: 2012-03-05 01:08 UTC (History)
0 users

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---

Attachments
Example of OO-o dev 3.4 r1293550 binary properties (175.65 KB, image/png)
2012-03-05 00:51 UTC, orcmid 		no flags Details
Comparative Properties with Oracle OO.o 3.3.0 files (109.68 KB, image/png)
2012-03-05 00:57 UTC, orcmid 		no flags Details
Higher-level properties and signatures on binaries (for comparison) (121.99 KB, image/png)
2012-03-05 01:02 UTC, orcmid 		no flags Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.
Description orcmid 2012-03-05 00:51:36 UTC 
Created attachment 77297 [details]
Example of OO-o dev 3.4 r1293550 binary properties

The individual files installed on Windows for OOo-dev 3.4 r1293550 have inappropriate Copyright entries in the Property Details.  Some say 
"Copyright @ 2009-2010 by Apache Soft..." (too long for the dialog box).  Some others say "Copyright © 2010 by Apache Software F...".

First, the dates are incorrect.

Secondly, it is not clear that "Copyright 2012 Apache Software Foundation," although a sufficient notice, is suitable.  It may be.  It may be more complicated and require specification of additional properties.

Third, the details often specify the Language as "German (Germany)".  I'm not sure what is correct, but this isn't.

Finally, this information and the programs (.EXE and .DLL) can not be authenticated and verified with the presence of a digital signature.
Comment 1 orcmid 2012-03-05 00:57:35 UTC 
Created attachment 77298 [details]
Comparative Properties with Oracle OO.o 3.3.0 files

This shows the comparable properties from the last Oracle distribution.

It appears that the use of German (Germany) for Language has been perpetuated from the practice there.  Also, the Copyright notice seems to have been modified by a simple replacement of "Oracle and/or its affil[iates]" with "Apache Software Foundation."

The binaries (.EXE and .DLL) of OO.o are also not signed, although the binary parts of the setup package (the setup.exe, .msi, and .cab are).
Comment 2 orcmid 2012-03-05 01:02:50 UTC 
Created attachment 77299 [details]
Higher-level properties and signatures on binaries (for comparison)

For comparison, this screen capture illustrates the use of properties on Windows-installed binaries (here, a .DLL) and the verification of authenticity by presence of a digital signature.

The copyright notice is presumably accurate.
Comment 3 orcmid 2012-03-05 01:07:21 UTC 
I notice that I have comingled the concern for signatures on the installed binaries with the concern about other details of the file properties, especially Copyright and accurate version details.  

That might be a separate issue.  However, it relates to determination of authenticity of the file details, integrity of the file, and the verification of both via the digital signature.

This seems to be a reasonable concern for Apache releases of binaries, since these details are easy to counterfeit or simply inadvertently include in a 3rd party build based on the same source codes.