Posted to dev@openoffice.apache.org by "Dennis E. Hamilton" <de...@acm.org> on 2014/12/14 19:37:09 UTC

Deflecting the Attack of the Clones

I have been watching the arrival of support requests for AOO knock-offs on Android and plain-old PCs with some dismay.  Some of this damage is self-inflicted: The Apache OpenOffice source code compiles to binaries that describe themselves and support structures as offered by Apache OpenOffice.  That and the permissive license allow cloners to do whatever they want without consequences or support burdens, while extracting support fees (and ad-cancellation upgrades), and whatever benefits there are for installing malware/adware alongside.

I ponder this dilemma from time to time and this is how I propose to produce open-source code under permissive licenses.  Not that anything I produce will appeal to parasites as valuable to clone.  It is the practice that intrigues me along with my interest in having ways to establish trustworthy producer-adopter relationships.

Here's my thinking about how I would manage in the face of parasitic cloning where it is up to me.  It would be more difficult for an Apache Top-Level Project, though not impossible.  It does mean that convenience binaries are not identical to what can be produced using the source distribution alone, and the difference is apparent.

This does not prevent counterfeiting of a supported binary distribution.  It does allow counterfeits to be detected.  It doesn't prevent distribution of unaltered binaries within a parasitic installer.  It doesn't prevent redistributions for a fee.  With regard to end-users, unaltered binaries are of course supported.  Other derivatives are not.  Adopters of other derivatives will be treated gently in their searches for support.

 - Dennis

PRESERVING DISTRIBUTION PROVENANCE AND AUTHENTICITY

 1. The code will compile as a working/reference/developer binary. It will not provide signed binaries or anything that, shared as binaries, will provide identification as some sort of authenticated and supported end-user distribution.  It will not come with any support notification or automatic updates, and it is meant for developers and testing, not end-user support of any kind.  

 2. The source tree will contain placeholder resources that are extracted and then used in a default build.  To obtain other than a default build, the extractions of the placeholders can be replaced and the signing and time-stamping build-steps included in a construction.  The versions of those resources for "official" distributions are not open-sourced and are introduced privately in a working copy, just as private keys are applied privately.  This would be true for me, and for anyone else who wants to make some sort of official distribution of their own, whether the public source code is modified or not.

 3. With regard to the "source code is the release" mantra, this is not a problem.  Anyone can compile, use, and adapt the source code and produce their own binaries as much as they like.  They just won't appear to be mine, unless someone intentionally does that.  And it still won't be signed by me (unless there is a signing-key compromise, triggering a disaster-recovery plan).

 4. Customizations of resources that are not shared include logos, icons, notices, update-check protocol data, etc.  There will be identification of the source-code release that is used and appropriate inclusion of support details.  There may have to be supplements to localization, internationalization and accessibility provisions, and that will take some work.  There will be enough information in the source code and the documentation of the default resources so anyone can know what steps to take in providing their own customization.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org
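The placeholder-resource and signing scheme laid out in items 1 through 4 above (and, later in the thread, jan i's suggestion to add branding only at build time), as an added example that is neither Dennis's code nor anything from the AOO build system. It models the build side (placeholders extracted from the public tree, a private overlay plus a private key for an official build) and the detection side the post says the scheme makes possible. Every name, the "AOO-4.1.1-src" release label and all resource values are constructed assumptions; Ed25519 stands in for whatever code-signing a real distribution would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Placeholder resources that ship in the public source tree (item 2). A
// default build bakes exactly these in; the values are constructed here.
var placeholderResources = map[string]string{
	"branding/product_name": "Unbranded developer build",
	"support/contact":       "none: reference build, not a supported distribution",
	"update/check_url":      "",
}

// Artifact stands in for a built binary together with the resources baked in.
type Artifact struct {
	SourceRelease string            // which public source release was used (item 4)
	Resources     map[string]string // branding, notices, support and update data
	Signature     []byte            // empty for default builds (item 1)
}

// Build assembles an artifact. With a nil overlay and nil key it is the default
// build anyone can make; an official distributor adds a private overlay and key.
func Build(sourceRelease string, overlay map[string]string, key ed25519.PrivateKey) Artifact {
	res := make(map[string]string, len(placeholderResources))
	for k, v := range placeholderResources {
		res[k] = v
	}
	for k, v := range overlay {
		res[k] = v // private resource replaces the extracted placeholder
	}
	a := Artifact{SourceRelease: sourceRelease, Resources: res}
	if key != nil {
		a.Signature = ed25519.Sign(key, a.digest()) // the signing build step
	}
	return a
}

// digest canonicalises the release identifier and all resources in a fixed order.
func (a Artifact) digest() []byte {
	keys := make([]string, 0, len(a.Resources))
	for k := range a.Resources {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var sb strings.Builder
	sb.WriteString("source-release=" + a.SourceRelease + "\n")
	for _, k := range keys {
		sb.WriteString(k + "=" + a.Resources[k] + "\n")
	}
	sum := sha256.Sum256([]byte(sb.String()))
	return sum[:]
}

// IsUnbranded reports whether every placeholder is still in place (honest default build).
func IsUnbranded(a Artifact) bool {
	for k, v := range placeholderResources {
		if a.Resources[k] != v {
			return false
		}
	}
	return true
}

// Classify is the detection side: "official" if the signature verifies under the
// distributor's public key, "developer" for an unsigned build with placeholders
// intact, otherwise "counterfeit" (branded without a valid signature, or altered
// after signing), which as the thread notes can only be willful.
func Classify(a Artifact, pub ed25519.PublicKey) string {
	switch {
	case len(a.Signature) > 0 && ed25519.Verify(pub, a.digest(), a.Signature):
		return "official"
	case len(a.Signature) == 0 && IsUnbranded(a):
		return "developer"
	default:
		return "counterfeit"
	}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed values; "AOO-4.1.1-src" is an imaginary source-release label.
	overlay := map[string]string{"branding/product_name": "Example Office 4.1.1"}
	dev := Build("AOO-4.1.1-src", nil, nil)
	official := Build("AOO-4.1.1-src", overlay, priv)
	clone := Build("AOO-4.1.1-src", overlay, nil) // branding copied, no key
	tampered := Build("AOO-4.1.1-src", overlay, priv)
	tampered.Resources["support/contact"] = "pay-us@clone.invalid" // patched after signing
	fmt.Println(Classify(dev, pub), Classify(official, pub), Classify(clone, pub), Classify(tampered, pub))
	// prints: developer official counterfeit counterfeit
}
```

A clone compiled from the public tree comes out "developer" and cannot pass for a supported release; only a binary dressed up with copied branding, or one patched after signing, lands in "counterfeit".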


Re: Deflecting the Attack of the Clones

Posted by jonathon <to...@gmail.com>.

On 16/12/14 00:20, Dennis E. Hamilton wrote:

> I'll ask the particular user what led him to users @oo.a.o.  

Photographs at
http://libreoffice-environment.blogspot.com/2014/12/when-is-apache-open-office-not-apache.html
to show why Apache Open Office is the expected support site.

For some strange reason, I can't do screen-shots on my Android device.
(I think I need to root it, to install the screen-shot software.)

jonathon


RE: Deflecting the Attack of the Clones

Posted by "Dennis E. Hamilton" <de...@acm.org>.
I think the problem is that at least one purchaser of their ads-free option complained to users @oo.a.o and was convinced that it was ours to support and to fix the crashers he experienced.

It might be good to consult with the trademarks folks about what constitutes confusion and how we would request others to avoid causing it.  Consider <http://en.wikipedia.org/wiki/AOO>.

I don't know what contributed to the confusion for that user.  I'm not in a position to install it on any device I have in order to see what the issues might be with the app itself and how it is presented.

I'll ask the particular user what led him to users @oo.a.o.  


 - Dennis

-----Original Message-----
From: Andrea Pescetti [mailto:pescetti@apache.org] 
Sent: Monday, December 15, 2014 13:37
To: dev@openoffice.apache.org
Subject: Re: Deflecting the Attack of the Clones

Dennis E. Hamilton wrote:
>     However, there are now apparent forks of AOO, such as AndrOpen Office
>     (boldly dubbed "AOO" and which seems to confuse some folks even
>     though it is described as a fork and as not associated with the project).

We are in a good relationship with the author. The current branding and 
wording of "AndrOpen Office" were approved by the OpenOffice PMC. If any 
changes are needed, feel free to suggest them. It is an unofficial port, 
but it is also as close as possible to OpenOffice.

Regards,
   Andrea.



Re: Deflecting the Attack of the Clones

Posted by Graham Lauder <yo...@apache.org>.
On Wed, Dec 24, 2014 at 1:02 PM, jonathon <to...@gmail.com> wrote:

>
>
> On 23/12/14 23:00, Dennis E. Hamilton wrote:
>
> >    Here is a typical example of confusion about this product,
> >    <https://www.marshut.net/pyzxp/aoo-for-android-not-worth-the-download.html>.
> >    Notice "Apache's Open Office for Android."  And folks speak of AOO for
> >    Android as if it is the AOO known to us.
>
> That review was written two years ago, when Android OpenOffice was
> littered with Apache branding. Even looking at the small print, it was
> hard to discover that it wasn't an official Apache Foundation port.
>
> I'll grant that the presence of advertising should have tipped off that
> it wasn't an official Apache Foundation port, but back then, it was so
> unobtrusive that it would not have been noticed.
>
> jonathon
>
>

Re: Deflecting the Attack of the Clones

Posted by jonathon <to...@gmail.com>.

On 23/12/14 23:00, Dennis E. Hamilton wrote:

>    Here is a typical example of confusion about this product, 
>    <https://www.marshut.net/pyzxp/aoo-for-android-not-worth-the-download.html>.  
>    Notice "Apache's Open Office for Android."  And folks speak of AOO for 
>    Android as if it is the AOO known to us.

That review was written two years ago, when Android OpenOffice was
littered with Apache branding. Even looking at the small print, it was
hard to discover that it wasn't an official Apache Foundation port.

I'll grant that the presence of advertising should have tipped off that
it wasn't an official Apache Foundation port, but back then, it was so
unobtrusive that it would not have been noticed.

jonathon


Re: Deflecting the Attack of the Clones

Posted by Kay Schenk <ka...@gmail.com>.
On Tue, Dec 23, 2014 at 3:00 PM, Dennis E. Hamilton <dennis.hamilton@acm.org> wrote:

>
> [Not cross-posting to private@.]
>
>  -- replying to --
> From: Kay Schenk [mailto:kay.schenk@gmail.com]
> Sent: Tuesday, December 23, 2014 10:20
> To: OOo Apache
> Cc: dennis.hamilton@acm.org; privateAOO
> Subject: Re: Deflecting the Attack of the Clones
>
> On Sun, Dec 21, 2014 at 10:17 AM, jan i <ja...@apache.org> wrote:
>
> > On Sunday, December 21, 2014, Dennis E. Hamilton <dennis.hamilton@acm.org> wrote:
> >
> > >  -- in reply to --
> > > From: Andrea Pescetti [mailto:pescetti@apache.org]
> > > Sent: Monday, December 15, 2014 13:37
> > > To: dev@openoffice.apache.org
> > > Subject: Re: Deflecting the Attack of the Clones
> [ ... ]
> > > We are in a good relationship with the author. The current branding and
> > > wording of "AndrOpen Office" were approved by the OpenOffice PMC. If any
> > > changes are needed, feel free to suggest them. It is an unofficial port,
> > > but it is also as close as possible to OpenOffice.
> > >
> > >
> > > <orcnote>
> > >     My correspondent notices that there are appropriate disclaimers
> > >     on the AndrOpen Office "AOO" web page.
> > >
> > >     In a follow-up sent to me, I am told that the installed software
> > >     identifies itself as Apache OpenOffice and all of the branding of
> > >     Apache OpenOffice is present.
> > >
> > >     I think it is important that a fork *not* do that, and that such
> > >     identifications, including any links to support addresses and
> > >     for pinging updates be corrected.  (I don't have an answer for
> > >     the on-line help or identification of AndrOpen-specific topics
> > >     on the OpenOffice Forums.)
> > > </orcnote>
>
> Currently we have AndrOffice listed as a "port" --
> http://www.openoffice.org/porting/
>
> What this means to me is the 3rd party MUST identify itself as Apache
> OpenOffice. This is different than a fork.
>
> So, they SHOULD NOT re-brand. This goes against our trademark policy.
>
> See our distribution page --
>
> http://www.openoffice.org/distribution/
>
> But...they should identify that their product is Apache OpenOffice.
>
> [ ... ]
>
> <orcmid>
>    This page,
>    <https://play.google.com/store/apps/details?id=com.andropenoffice>
>    specifically identifies the product as a *fork* of *Apache OpenOffice*
>    and it disavows any association with Apache OpenOffice or LibreOffice
>    projects.  It claims to be the world's first *port* of *OpenOffice*.
>
>    The same confusion arises here:
>    <https://sites.google.com/site/andropenoffice/home>.  There is a
>    separate source code for a few parts, not under ALv2 (MPL or LGPL),
>    apparently for some externals.  There is a link for a blog.
>
>    Although Google Play lists andreopenoffice.com in all of its material,
>    <http://andropenoffice.com> doesn't serve up anything at the moment.
>

Right on all counts! This last item was particularly confusing to me, as it
seems that what's in Google Play is very different from andropenoffice.com.



>
>    Here is a typical example of confusion about this product,
>    <https://www.marshut.net/pyzxp/aoo-for-android-not-worth-the-download.html>.
>    Notice "Apache's Open Office for Android."  And folks speak of AOO for
>    Android as if it is the AOO known to us.
>
>    I think the distinction between a port and a fork is lost here and too fine
>    hair-splitting to be useful.  If the Apache OpenOffice project is willing
>    to handle support requests for such a product, so be it.  Enjoy the
>    reputation.
> </orcmid>
>

Yes, the words "fork" and "port" were used and they are not really the
same.  I think contacting the vendor re the distinction between these two
terms might solve this problem.

We will investigate the support item as well.


-- 
-------------------------------------------------------------------------------------------------
MzK

"There's a bit of magic in everything,
  and some loss to even things out."
                            -- Lou Reed

RE: Deflecting the Attack of the Clones

Posted by "Dennis E. Hamilton" <de...@acm.org>.
[Not cross-posting to private@.]

 -- replying to --
From: Kay Schenk [mailto:kay.schenk@gmail.com] 
Sent: Tuesday, December 23, 2014 10:20
To: OOo Apache
Cc: dennis.hamilton@acm.org; privateAOO
Subject: Re: Deflecting the Attack of the Clones

On Sun, Dec 21, 2014 at 10:17 AM, jan i <ja...@apache.org> wrote:

> On Sunday, December 21, 2014, Dennis E. Hamilton <de...@acm.org>
> wrote:
>
> >  -- in reply to --
> > From: Andrea Pescetti [mailto:pescetti@apache.org]
> > Sent: Monday, December 15, 2014 13:37
> > To: dev@openoffice.apache.org
> > Subject: Re: Deflecting the Attack of the Clones
[ ... ]
> > We are in a good relationship with the author. The current branding and
> > wording of "AndrOpen Office" were approved by the OpenOffice PMC. If any
> > changes are needed, feel free to suggest them. It is an unofficial port,
> > but it is also as close as possible to OpenOffice.
> >
> >
> > <orcnote>
> >     My correspondent notices that there are appropriate disclaimers
> >     on the AndrOpen Office "AOO" web page.
> >
> >     In a follow-up sent to me, I am told that the installed software
> >     identifies itself as Apache OpenOffice and all of the branding of
> >     Apache OpenOffice is present.
> >
> >     I think it is important that a fork *not* do that, and that such
> >     identifications, including any links to support addresses and
> >     for pinging updates be corrected.  (I don't have an answer for
> >     the on-line help or identification of AndrOpen-specific topics
> >     on the OpenOffice Forums.)
> > </orcnote>

Currently we have AndrOffice listed as a "port" --
http://www.openoffice.org/porting/

What this means to me is the 3rd party MUST identify itself as Apache
OpenOffice. This is different than a fork.

So, they SHOULD NOT re-brand. This goes against our trademark policy.

See our distribution page --

http://www.openoffice.org/distribution/

But...they should identify that their product is Apache OpenOffice.

[ ... ]

<orcmid>
   This page, 
   <https://play.google.com/store/apps/details?id=com.andropenoffice>
   specifically identifies the product as a *fork* of *Apache OpenOffice*
   and it disavows any association with Apache OpenOffice or LibreOffice 
   projects.  It claims to be the world's first *port* of *OpenOffice*.

   The same confusion arises here: 
   <https://sites.google.com/site/andropenoffice/home>.  There is a 
   separate source code for a few parts, not under ALv2 (MPL or LGPL), 
   apparently for some externals.  There is a link for a blog.

   Although Google Play lists andreopenoffice.com in all of its material,
   <http://andropenoffice.com> doesn't serve up anything at the moment.  

   Here is a typical example of confusion about this product, 
   <https://www.marshut.net/pyzxp/aoo-for-android-not-worth-the-download.html>.  
   Notice "Apache's Open Office for Android."  And folks speak of AOO for 
   Android as if it is the AOO known to us.

   I think the distinction between a port and a fork is lost here and too fine
   hair-splitting to be useful.  If the Apache OpenOffice project is willing 
   to handle support requests for such a product, so be it.  Enjoy the 
   reputation.
</orcmid>






Re: Deflecting the Attack of the Clones

Posted by Kay Schenk <ka...@gmail.com>.
On Sun, Dec 21, 2014 at 10:17 AM, jan i <ja...@apache.org> wrote:

> On Sunday, December 21, 2014, Dennis E. Hamilton <de...@acm.org>
> wrote:
>
> >  -- in reply to --
> > From: Andrea Pescetti [mailto:pescetti@apache.org]
> > Sent: Monday, December 15, 2014 13:37
> > To: dev@openoffice.apache.org
> > Subject: Re: Deflecting the Attack of the Clones
> >
> > Dennis E. Hamilton wrote:
> > >     However, there are now apparent forks of AOO, such as AndrOpen Office
> > >     (boldly dubbed "AOO" and which seems to confuse some folks even
> > >     though it is described as a fork and as not associated with the project).
> >
> > We are in a good relationship with the author. The current branding and
> > wording of "AndrOpen Office" were approved by the OpenOffice PMC. If any
> > changes are needed, feel free to suggest them. It is an unofficial port,
> > but it is also as close as possible to OpenOffice.
> >
> >
> > <orcnote>
> >     My correspondent notices that there are appropriate disclaimers
> >     on the AndrOpen Office "AOO" web page.
> >
> >     In a follow-up sent to me, I am told that the installed software
> >     identifies itself as Apache OpenOffice and all of the branding of
> >     Apache OpenOffice is present.
> >
> >     I think it is important that a fork *not* do that, and that such
> >     identifications, including any links to support addresses and
> >     for pinging updates be corrected.  (I don't have an answer for
> >     the on-line help or identification of AndrOpen-specific topics
> >     on the OpenOffice Forums.)
> > </orcnote>
>
>
> I highly agree but the problem is that our official source tarball contains
> all the branding, so people who fork do nothing wrong.
>
> maybe the right way to go is to remove the branding from the source tree
> and only add them in the build process.
>
> rgds
> jan it
>

Currently we have AndrOffice listed as a "port" --
http://www.openoffice.org/porting/

What this means to me is the 3rd party MUST identify itself as Apache
OpenOffice. This is different than a fork.

So, they SHOULD NOT re-brand. This goes against our trademark policy.

See our distribution page --

http://www.openoffice.org/distribution/

But...they should identify that their product is Apache OpenOffice.

I've copied "private" on this reply so we can investigate and discuss
further.


>
> >
> > Regards,
> >    Andrea.
> >
>
> --
> Sent from My iPad, sorry for any misspellings.
>



-- 
-------------------------------------------------------------------------------------------------
MzK

"There's a bit of magic in everything,
  and some loss to even things out."
                            -- Lou Reed

Re: Deflecting the Attack of the Clones

Posted by jan i <ja...@apache.org>.
On Sunday, December 21, 2014, Dennis E. Hamilton <de...@acm.org>
wrote:

>  -- in reply to --
> From: Andrea Pescetti [mailto:pescetti@apache.org]
> Sent: Monday, December 15, 2014 13:37
> To: dev@openoffice.apache.org
> Subject: Re: Deflecting the Attack of the Clones
>
> Dennis E. Hamilton wrote:
> >     However, there are now apparent forks of AOO, such as AndrOpen Office
> >     (boldly dubbed "AOO" and which seems to confuse some folks even
> >     though it is described as a fork and as not associated with the project).
>
> We are in a good relationship with the author. The current branding and
> wording of "AndrOpen Office" were approved by the OpenOffice PMC. If any
> changes are needed, feel free to suggest them. It is an unofficial port,
> but it is also as close as possible to OpenOffice.
>
>
> <orcnote>
>     My correspondent notices that there are appropriate disclaimers
>     on the AndrOpen Office "AOO" web page.
>
>     In a follow-up sent to me, I am told that the installed software
>     identifies itself as Apache OpenOffice and all of the branding of
>     Apache OpenOffice is present.
>
>     I think it is important that a fork *not* do that, and that such
>     identifications, including any links to support addresses and
>     for pinging updates be corrected.  (I don't have an answer for
>     the on-line help or identification of AndrOpen-specific topics
>     on the OpenOffice Forums.)
> </orcnote>


I highly agree but the problem is that our official source tarball contains
all the branding, so people who fork do nothing wrong.

maybe the right way to go is to remove the branding from the source tree
and only add them in the build process.

rgds
jan it

>
> Regards,
>    Andrea.
>

-- 
Sent from My iPad, sorry for any misspellings.

RE: Deflecting the Attack of the Clones

Posted by "Dennis E. Hamilton" <de...@acm.org>.
 -- in reply to --
From: Andrea Pescetti [mailto:pescetti@apache.org] 
Sent: Monday, December 15, 2014 13:37
To: dev@openoffice.apache.org
Subject: Re: Deflecting the Attack of the Clones

Dennis E. Hamilton wrote:
>     However, there are now apparent forks of AOO, such as AndrOpen Office
>     (boldly dubbed "AOO" and which seems to confuse some folks even
>     though it is described as a fork and as not associated with the project).

We are in a good relationship with the author. The current branding and 
wording of "AndrOpen Office" were approved by the OpenOffice PMC. If any 
changes are needed, feel free to suggest them. It is an unofficial port, 
but it is also as close as possible to OpenOffice.


<orcnote>
    My correspondent notices that there are appropriate disclaimers 
    on the AndrOpen Office "AOO" web page.

    In a follow-up sent to me, I am told that the installed software 
    identifies itself as Apache OpenOffice and all of the branding of 
    Apache OpenOffice is present.  

    I think it is important that a fork *not* do that, and that such 
    identifications, including any links to support addresses and 
    for pinging updates be corrected.  (I don't have an answer for 
    the on-line help or identification of AndrOpen-specific topics 
    on the OpenOffice Forums.)
</orcnote>

Regards,
   Andrea.



Re: Deflecting the Attack of the Clones

Posted by Andrea Pescetti <pe...@apache.org>.
Dennis E. Hamilton wrote:
>     However, there are now apparent forks of AOO, such as AndrOpen Office
>     (boldly dubbed "AOO" and which seems to confuse some folks even
>     though it is described as a fork and as not associated with the project).

We are in a good relationship with the author. The current branding and 
wording of "AndrOpen Office" were approved by the OpenOffice PMC. If any 
changes are needed, feel free to suggest them. It is an unofficial port, 
but it is also as close as possible to OpenOffice.

Regards,
   Andrea.



Re: Deflecting the Attack of the Clones

Posted by Graham Lauder <yo...@apache.org>.
On Tue, Dec 16, 2014 at 6:29 AM, Dennis E. Hamilton <dennis.hamilton@acm.org> wrote:

>  -- Replying to below --
> From: Rob Weir [mailto:rob@robweir.com]
> Sent: Monday, December 15, 2014 06:26
> To: dev@openoffice.apache.org; Dennis Hamilton
> Subject: Re: Deflecting the Attack of the Clones
>
> [ ... ]
>
> My impression is that Firefox does something similar.  I think I read
> someplace that their source code distribution lacks the Firefox
> branding.   It is more of a "white label" product, functionally the
> same as Firefox, but without the branding.
>
> But still, I don't think that really solves the problems that we face.
>   Correct me if I'm wrong, but we're not really seeing someone doing
> their own compile of AOO from source code and using that to spread
> malware, right?   We're seeing people take our binaries directly and
> bundle that with installers that spread the malware, or put up
> websites that charge and then point to AOO's binaries directly.
>
> In the end, the real harm here is done to the users.  So I wonder
> whether the best we can do is make it easy for them to raise
> complaints with those who can take action, e.g., payment processors
> associated with credit cards or telephone networks, or even consumer
> authorities.
>
> <orcnote>
>    I agree that this does nothing about folks charging for a link to the
>    AOO download or the more-tolerable convenience CD.
>
>    Certainly cultivating consumer awareness is the most important action
>    we can take, along with finding some way to deal with the fact that
>    SEO is not our friend, particularly on SourceForge (and apparently
>    amazon if they are still providing downloads).
>

The solution is comparatively simple:  a strong, well funded, community
supported marketing "project".  A brand is only as good as the marketing
behind it and "consumer awareness" is simply a product of good marketing.
The end user downloading clones is only aware of the brand under her cursor
if the primary brand is not out there for them to see.



>
>    However, there are now apparent forks of AOO, such as AndrOpen Office
>    (boldly dubbed "AOO" and which seems to confuse some folks even
>    though it is described as a fork and as not associated with the project).
>
>    So, establishing careful provenance (which signing will help) and
>    encouraging users to be aware of it and of responsible sources go together.
>
>    I also agree that assisting users in obtaining redress or at least
>    registering complaints is valuable.  It is just more externality that
>    the perpetrators are subjecting the project to, though.
>
>    The advantage of a white box source release is that any counterfeit is
>    clearly willful, as opposed to plausibly accidental/careless.  I imagine
>    that is not much deterrent to the determined.
>
>    For some sort of stronger arrangement, it is probably necessary to get
>    into various controlled "app" stores.  Linux distributions apparently do
>    their own builds for inclusion in their supported package libraries,
>    so that might be in the "plus" column.
> </orcnote>

RE: Deflecting the Attack of the Clones

Posted by "Dennis E. Hamilton" <de...@acm.org>.
 -- Replying to below --
From: Rob Weir [mailto:rob@robweir.com] 
Sent: Monday, December 15, 2014 06:26
To: dev@openoffice.apache.org; Dennis Hamilton
Subject: Re: Deflecting the Attack of the Clones

[ ... ]

My impression is that Firefox does something similar.  I think I read
someplace that their source code distribution lacks the Firefox
branding.   It is more of a "white label" product, functionally the
same as Firefox, but without the branding.

But still, I don't think that really solves the problems that we face.
  Correct me if I'm wrong, but we're not really seeing someone doing
their own compile of AOO from source code and using that to spread
malware, right?   We're seeing people take our binaries directly and
bundle that with installers that spread the malware, or put up
websites that charge and then point to AOO's binaries directly.

In the end, the real harm here is done to the users.  So I wonder
whether the best we can do is make it easy for them to raise
complaints with those who can take action, e.g., payment processors
associated with credit cards or telephone networks, or even consumer
authorities.

<orcnote>
   I agree that this does nothing about folks charging for a link to the
   AOO download or the more-tolerable convenience CD.
 
   Certainly cultivating consumer awareness is the most important action
   we can take, along with finding some way to deal with the fact that
   SEO is not our friend, particularly on SourceForge (and apparently
   amazon if they are still providing downloads).  

   However, there are now apparent forks of AOO, such as AndrOpen Office
   (boldly dubbed "AOO" and which seems to confuse some folks even
   though it is described as a fork and as not associated with the project).
   
   So, establishing careful provenance (which signing will help) and 
   encouraging users to be aware of it and of responsible sources go together. 

   I also agree that assisting users in obtaining redress or at least 
   registering complaints is valuable.  It is just more externality that
   the perpetrators are subjecting the project to, though.  
   
   The advantage of a white box source release is that any counterfeit is
   clearly willful, as opposed to plausibly accidental/careless.  I imagine
   that is not much deterrent to the determined.   

   For some sort of stronger arrangement, it is probably necessary to get
   into various controlled "app" stores.  Linux distributions apparently do
   their own builds for inclusion in their supported package libraries,
   so that might be in the "plus" column. 
</orcnote>


Re: Deflecting the Attack of the Clones

Posted by Rob Weir <ro...@robweir.com>.
On Sun, Dec 14, 2014 at 1:37 PM, Dennis E. Hamilton
<de...@acm.org> wrote:
> I have been watching the arrival of support requests for AOO knock-offs on Android and plain-old PCs with some dismay.  Some of this damage is self-inflicted: The Apache OpenOffice source code compiles to binaries that describe themselves and support structures as offered by Apache OpenOffice.  That and the permissive license allow cloners to do whatever they want without consequences or support burdens, while extracting support fees (and ad-cancellation upgrades), and whatever benefits there are for installing malware/adware alongside.
>
> I ponder this dilemma from time to time and this is how I propose to produce open-source code under permissive licenses.  Not that anything I produce will appeal to parasites as valuable to clone.  It is the practice that intrigues me along with my interest in having ways to establish trustworthy producer-adopter relationships.
>
> Here's my thinking about how I would manage in the face of parasitic cloning where it is up to me.  It would be more difficult for an Apache Top-Level Project, though not impossible.  It does mean that convenience binaries are not identical to what can be produced using the source distribution alone, and the difference is apparent.
>
> This does not prevent counterfeiting of a supported binary distribution.  It does allow counterfeits to be detected.  It doesn't prevent distribution of unaltered binaries within a parasitic installer.  It doesn't prevent redistributions for a fee.  With regard to end-users, unaltered binaries are of course supported.  Other derivatives are not.  Adopters of other derivatives will be treated gently in their searches for support.
>
>  - Dennis
>
> PRESERVING DISTRIBUTION PROVENANCE AND AUTHENTICITY
>
>  1. The code will compile as a working/reference/developer binary. It will not provide signed binaries or anything that, shared as binaries, will provide identification as some sort of authenticated and supported end-user distribution.  It will not come with any support notification or automatic updates, and it is meant for developers and testing, not end-user support of any kind.
>
>  2. The source tree will contain placeholder resources that are extracted and then used in a default build.  To obtain other than a default build, the extractions of the placeholders can be replaced and the signing and time-stamping build-steps included in a construction.  The versions of those resources for "official" distributions are not open-sourced and are introduced privately in a working copy, just as private keys are applied privately.  This would be true for me, and for anyone else who wants to make some sort of official distribution of their own, whether the public source code is modified or not.
>
>  3. With regard to the "source code is the release" mantra, this is not a problem.  Anyone can compile, use, and adapt the source code and produce their own binaries as much as they like.  They just won't appear to be mine, unless someone intentionally does that.  And it still won't be signed by me (unless there is a signing-key compromise, triggering a disaster-recovery plan).
>
>  4. Customizations of resources that are not shared include logos, icons, notices, update-check protocol data, etc.  There will be identification of the source-code release that is used and appropriate inclusion of support details.  There may have to be supplements to localization, internationalization and accessibility provisions, and that will take some work.  There will be enough information in the source code and the documentation of the default resources so anyone can know what steps to take in providing their own customization.
>
>

My impression is that Firefox does something similar.  I think I read
someplace that their source code distribution lacks the Firefox
branding.   It is more of a "white label" product, functionally the
same as Firefox, but without the branding.

But still, I don't think that really solves the problems that we face.
  Correct me if I'm wrong, but we're not really seeing someone doing
their own compile of AOO from source code and using that to spread
malware, right?   We're seeing people take our binaries directly and
bundle that with installers that spread the malware, or put up
websites that charge and then point to AOO's binaries directly.

In the end, the real harm here is done to the users.  So I wonder
whether the best we can do is make it easy for them to raise
complaints with those who can take action, e.g., payment processors
associated with credit cards or telephone networks, or even consumer
authorities.

-Rob


