Working on an archive site/pages for LO and the DVD[s] I have been working with

webmaster for Kracked Press Productions wrote (09-10-11 15:55)

Each line ends. If someone is still using 3.3.5 in December 2013 [13
months after it was released], they should be encouraged to upgrade to a
newer line. I do not think there will be an end of support for an old
product line, but to be honest, how long will we support the older
lines? 2 years, 3 years?

I think indeed that is the practical situation. How can we, as support for users, try to help with user questions as good as possible, without giving the idea that there is some drive to let them do an upgrade - unless there are of course clear technical reasons.
I think at that moment valid is what you wrote earlier in this thread - what do we have on practical information about features in version A or B (feature pages, release notes), and what are differences / fixes (Bugzilla , ...). That will help in this task.

Regards,

Right now, updating to 3.3.4 or 3.4.3 should be done due to the security issues addressed in those two that the previous versions did not have.

[quote from email by Italo Vignol]
The Internet, October 4, 2011 - The Document Foundation (TDF) publishes some details of the security fixes included with the recently released LibreOffice 3.4.3, and included in the older 3.3.4 version. Following industry best practice, details of security fixes are withheld until users have been given time to migrate to the new version.
[unquote]

So unless there is a need to go to a newer version of LO, to fix issues/bugs/etc., then I have no problem if someone wants to stick to 3.3.4 or 3.4.3 for another year or more. I used 3.4.1 till about a month after 3.4.3 came out. Then I installed on my Ubuntu 10.04 LTS desktop. [Actually the only reason I have not gone to 11.04 was due to a default video/monitor issue during booting. It set my default resolution to one that my monitor cannot handle, but my MoB graphics card could do.]

But we do need to have some "guideline" or "policy" on dealing with people wanting help with older version. The blaming the older version for your troubles may come up when it was not the problem. I know some people must have the latest versions and do not like to deal [think support besides run] with the older ones. Some people might get turned off LO if the "helper" insists that the person install the newest version of LO if they want to get help. We all do not want to lose any new users to LO just because of issues with the lists.

One reason I set up the archive site was the need for users wanting to go back to previous versions of LO since that one worked for their needs without the problems they have with the newest versions.

.

OT from LO, but I have concerns that you are providing applications with
considerable security concerns on your site:

http://libreoffice-na.us/multi-version/extras.html
SeaMonkey 2.0.11 en-US
(no longer supported and has severe security issues)
ditto for most all of the rest.

Further, how can one determine even if your images are safe? You provide
no md5sum or any other type of file check.

Why do you do this (nevermind I forgot your willingness to host insecure
versions of Java) rather than simple link to:
http://www.seamonkey-project.org/releases/#old
where the user can obtain older versions directly from a *reliable*
source? Example:
http://www.seamonkey-project.org/releases/2.0.11

Nevermind that there are *NO* further security fixes for SeaMonkey
2.0.x, but you just happily seem to ignore the security fixes that were
added in the 2.0 releases following 2.0.11:

http://www.mozilla.org/security/known-vulnerabilities/seamonkey20.html

Fixed in SeaMonkey 2.0.14
MFSA 2011-18 XSLT generate-id() function heap address leak
MFSA 2011-16 Directory traversal in resource: protocol
MFSA 2011-15 Escalation of privilege through Java Embedding Plugin
MFSA 2011-14 Information stealing via form history
MFSA 2011-13 Multiple dangling pointer vulnerabilities
MFSA 2011-12 Miscellaneous memory safety hazards (rv:2.0.1/ 1.9.2.17/
1.9.1.19)
Fixed in SeaMonkey 2.0.13
MFSA 2011-11 Update to HTTPS certificate blacklist
Fixed in SeaMonkey 2.0.12
MFSA 2011-10 CSRF risk with plugins and 307 redirects
MFSA 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome
documents
MFSA 2011-07 Memory corruption during text run construction (Windows)
MFSA 2011-06 Use-after-free error using Web Workers
MFSA 2011-05 Buffer overflow in JavaScript atom map
MFSA 2011-04 Buffer overflow in JavaScript upvarMap
MFSA 2011-03 Use-after-free error in JSON.stringify
MFSA 2011-02 Recursive eval call causes confirm dialogs to evaluate to true
MFSA 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)

In the end I guess it may not matter as I tried to download the linux
version of SeaMonkey 2.0.11 from your site and recevied:

Well, the list of "extras" like SeaMonkey came directly from the list used in the first German language DVD created by the TDF/LO people. I do not use SeaMonkey, but since the LO people listed it, I did as well. As for md5sum filse, I never created them before. If you check the LibreOffice.org download page, you will find that they do not have md5sum files listed either.

As for the Not Found issues, I will look into that as soon as I have time. But as you stated, I should remove Seamonkey from the list.

ALSO, for security sake, ALL files that are downloaded [Windows users should always do this] should be run though your virus scanners before you run them. Some scanners actually check all downloaded files right after they have completed their download. When I ran Windows as my default OS, I always virus scanned downloaded files, EVEN from trusted sites. I had too many support calls from people who downloaded and ran software without scanning it and got infected. I just dealt with a lady who main partition got wiped by a nasty that was downloaded from one of the sites she went to. Linux users are a little safer, but I have a virus checker run every few days on my 3TB of files, many are Win installs being archived on my data drive for later use on Windows systems I work on from time to time.

As for md5sum filse, I never created them before. If you check the
LibreOffice.org download page, you will find that they do not have
md5sum files listed either.

Actually, the Libre Office offers them as a check-box option. They've always been there.

ALSO, for security sake, ALL files that are downloaded [Windows users
should always do this] should be run though your virus scanners before
you run them. Some scanners actually check all downloaded files right
after they have completed their download. ...

Very true, but a far more important security step IS to obtain valid signature/hash value
from the publisher of the file, and then to calculate the signature/hash of the downloaded file.
Doing so reveals both that you have the original file, and that your download was
complete. It helps ensure that you do not have malware but also that your installation
attempts are problem free.

...

It appears to me that you are not concerned with security *at all*& for
that reason I'd recommend that others avoid downloading anything from
your site.

Well, the list of "extras" like SeaMonkey came directly from the list
used in the first German language DVD created by the TDF/LO people. I
do not use SeaMonkey, but since the LO people listed it, I did as well.
As for md5sum filse, I never created them before. If you check the
LibreOffice.org download page, you will find that they do not have
md5sum files listed either.

Really?

Apparently you've not bothered to tick the box to the right of the download:
http://www.libreoffice.org/download/
Get details (md5sum,…)
So, let's see what that entails if I check that box for the Windows US
English version:
LibO_3.4.3_Win_x86_install_multi.exe 189 MB md5sum,…
and then click the 'md5sum,…' & that leads to:
<http://download.documentfoundation.org/libreoffice/stable/3.4.3/win/x86/LibO_3.4.3_Win_x86_install_multi.exe.mirrorlist>

Well... what do you know <sc>:
    Size: 189M (197842724 bytes)
    Last modified: Thu, 25 Aug 2011 12:00:29 GMT (Unix time: 1314273629)
    SHA-256 Hash:
e5eb44a24b848b275682aa40ec771dcf6a1000285080f405440362294b808d72
    SHA-1 Hash: 697b9e796e8955658e360fd32f16177ee17fe7e8
    MD5 Hash: e6e5486e502f2928e0943f1eed3f9609
    BitTorrent Information Hash: 8415bae5ef78da9fa59d901d9217111105b0275d
    PGP signature available

and even a PGP signature:
<http://download.documentfoundation.org/libreoffice/stable/3.4.3/win/x86/LibO_3.4.3_Win_x86_install_multi.exe.asc>

As for the Not Found issues, I will look into that as soon as I have
time. But as you stated, I should remove Seamonkey from the list.

And everything else you have there that is insecure.
...

OK, I never really saw that check box before. And what is that "..." after the md5sum mean?

If you check the box and then use the "Other way to download LibreOffice, the productivity suite", how do you use the md5sum files? How do you deal with these md5sum files to determine if your download file is "proper"? What is the process? If I knew about that, I may have looked into those files before.

The problem for me is I never have seen a way to generate a md5sum file for files I created. I never downloaded those files before either. It is just one more thing to download, if I had that option.

To be honest, most people I know would not know anything about the md5sum files and would be confused by them if they see them listed next to the downloads for the installs. They might think that it was a mirror. In fact, when I mouse-over that file, it shows the install file with a ".mirrorlist" added to the end of the install file name. If I did not know better, I would assume it was the install file in a mirrored location.

So, once I download the install and the md5sum file, what do I do next to determine if the files match and are proper?

Can I download both for each install and list them on my site? I would need simple, easy, and detailed instructions for users to follow, if they choose to. I would need it for Windows, Linux [DEB and RPM], and MacOSX [Intel and PPC], since that is what the full DVD would have for it. Then there is the fact that I do not have access to these md5sum files for the previous versions to use for my archive pages. I have not seen a LO archive page yet, so I put mine up now instead of later.

Oh, and lest you think that the old versions of don't have md5sum's etc
either:

http://download.documentfoundation.org/libreoffice/old/3.3.0.1/win/x86/
click on 'details':
<http://download.documentfoundation.org/libreoffice/old/3.3.0.1/win/x86/LibO_3.3.0rc1_Win_x86_install_all_lang.exe.mirrorlist>

Well you tell me, since you seem to know better than the LO people that provided me the list.

My list of software came from the first LibreOfficeBox DVD developed by TDF/LO people. My install files came directly from the publisher's sites.

If you want to nick-pick, everything you download from web sites are potentially insecure or have nasties hidden in them. That is way you have security software to filter out the problems. I found a issue with several of the extension from OOo's own site, according to my Linux virus protection software. Looks like they did not check their own site for security issues. So, if you do not want to run the risk of downloading a file that might have a security problem, then you should never browse the Internet or get your email. Both can let nasties in if you do not have your security setup in advanced. Every web page and email could potentially harbor some nasty thing, so if you want to keep your computer safe and secure, do not connect it to the Net. Most business keep their systems offline for that very reason.

...

As for the Not Found issues, I will look into that as soon as I have
time. But as you stated, I should remove Seamonkey from the list.

And everything else you have there that is insecure.
...

Well you tell me, since you seem to know better than the LO people that
provided me the list.

Right... The LO people provided you with the versions on
http://libreoffice-na.us/multi-version/extras.html ?

I'll not bother to go through each but I will comment regarding the
Mozilla ones that you list:

Mozilla Firefox 3.6.13

http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
Note the security issues addressed since 3.6.13.

Thunderbird 3.1.7

http://www.mozilla.org/security/known-vulnerabilities/thunderbird31.html
Note the security issues addressed since 3.1.7

Sunbird is EOL and no longer supported.

My list of software came from the first LibreOfficeBox DVD developed by
TDF/LO people. My install files came directly from the publisher's sites.

So why not just provide a link to the publishers site?

If you want to nick-pick, everything you download from web sites are
potentially insecure or have nasties hidden in them. That is way you
have security software to filter out the problems. I found a issue with
several of the extension from OOo's own site, according to my Linux
virus protection software. Looks like they did not check their own site
for security issues.

Right... and you reported that, right?

So, if you do not want to run the risk of
downloading a file that might have a security problem, then you should
never browse the Internet or get your email. Both can let nasties in if
you do not have your security setup in advanced. Every web page and
email could potentially harbor some nasty thing, so if you want to keep
your computer safe and secure, do not connect it to the Net. Most
business keep their systems offline for that very reason.

OK. Good luck.

On Monday, October 10, 2011 10:57 AM webmaster for Kracked Press
Productions [mailto:webmaster@krackedpress.com] responded:

OK, I never really saw that check box before. And what is that "..."
after the md5sum mean?

There are other formats, MD5 (Message Digest v5) is just one of numerous
cryptographic hash functions ( see
http://en.wikipedia.org/wiki/Cryptographic_hash_function ) that can be
used to calculate a unique "signature" for a file. The Document
Foundation uses the MirrorBrain FOSS Download Director to manage
download content including provision of several common cryptographic
hash values (MD5, SHA-1, SHA-256) for each datafile.

If you check the box and then use the "Other way to download
LibreOffice, the productivity suite", how do you use the md5sum files?

How do you deal with these md5sum files to determine if your download
file is "proper"? What is the process? If I knew about that, I may
have looked into those files before.

Usage is pretty simple, you don't need to install anything--you just
compare the HASH value listed against the calculated HASH value of the
file downloaded.

Unix and Linux have built in commands either "digest -a
md5|sha1|sha256", "md5sum", "sha1sum" or "sha256sum"--one of them will
be there as needed.

There are similar utilities for windows command line, but Microsoft
doesn't provide one with the OS. Simple web search will give you
multiple choices.

But, I actually prefer to install a GUI helper utility for working with
the HASH values, and I find the Hash & CRC freeware from febooti meets
our needs found here (
http://www.febooti.com/products/filetweak/members/hash-and-crc/ ).

Once installed, the utility extends the Windows shell and provides a
"Hash / CRC" on the file properties tab. You check the Hash type you
need to calculate and apply. The resulting Hash is then compared against
the Hash you made note of--or have open in the download Web page.

The problem for me is I never have seen a way to generate a md5sum file

for files I created. I never downloaded those files before either. It

is just one more thing to download, if I had that option.

Use the Unix/Linux command line or one of the Windows utilities allows
to calculate the HASH value, then post it with a label as to which HASH
it is, be used when distributing the datafile.

Can I download both for each install and list them on my site? ...

Each datafile being served for download (or simply being exchanged)
should be provided with its unique HASH value in one of the common
formats. Doing so is just good security and distribution practice.

Regards,

Stuart

The whole *point* of LTS is 'bugfixes only'. If you want new features, upgrade to the latest version that has the features you want/need.

Hi
I agree that's the way Ubuntu do it but as Jay was pointing out we don't always need to follow their way.  Ubuntu and Firefox have had huge successes in getting into mainstream markets so it might be worth noticing what they do but we might be able to improve on their ideas.  Personnally i agree that back-porting bug-fixes is as far as we need to take it but that's really something for the devs to decide.

I think that this list's function in terms of support is just being able to directly help or sign-post people to help for supported releases (such as LTSes). 
Regards from
Tom

No, I never downloaded the old ones. So if I downloaded the new ones now, I would not have the older ones.

You are the first to give a URL at TDF for older files.
I have not seen any listing for these old files anywhere I read.