Apache OpenOffice (AOO) Bugzilla – Issue 119019
Incorrect/Insufficient Binary File Properties on Windows
Last modified: 2012-03-05 01:08:37 UTC
Created attachment 77297 [details] Example of OO-o dev 3.4 r1293550 binary properties The individual files installed on Windows for OOo-dev 3.4 r1293550 have inappropriate Copyright entries in the Property Details. Some say "Copyright @ 2009-2010 by Apache Soft..." (too long for the dialog box). Some others say "Copyright © 2010 by Apache Software F...". First, the dates are incorrect. Secondly, it is not clear that "Copyright 2012 Apache Software Foundation," although a sufficient notice, is suitable. It may be. It may be more complicated and require specification of additional properties. Third, the details often specify the Language as "German (Germany)". I'm not sure what is correct, but this isn't. Finally, this information and the programs (.EXE and .DLL) can not be authenticated and verified with the presence of a digital signature.
Created attachment 77298 [details] Comparative Properties with Oracle OO.o 3.3.0 files This shows the comparable properties from the last Oracle distribution. It appears that the use of German (Germany) for Language has been perpetuated from the practice there. Also, the Copyright notice seems to have been modified by a simple replacement of "Oracle and/or its affil[iates]" with "Apache Software Foundation." The binaries (.EXE and .DLL) of OO.o are also not signed, although the binary parts of the setup package (the setup.exe, .msi, and .cab are).
Created attachment 77299 [details] Higher-level properties and signatures on binaries (for comparison) For comparison, this screen capture illustrates the use of properties on Windows-installed binaries (here, a .DLL) and the verification of authenticity by presence of a digital signature. The copyright notice is presumably accurate.
I notice that I have comingled the concern for signatures on the installed binaries with the concern about other details of the file properties, especially Copyright and accurate version details. That might be a separate issue. However, it relates to determination of authenticity of the file details, integrity of the file, and the verification of both via the digital signature. This seems to be a reasonable concern for Apache releases of binaries, since these details are easy to counterfeit or simply inadvertently include in a 3rd party build based on the same source codes.