diff --git a/doc/Manual.html b/doc/Manual.html index 86a3f188..07de0916 100644 --- a/doc/Manual.html +++ b/doc/Manual.html @@ -449,14 +449,14 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.<

8.2 Q: Can I redistribute the LameXP software?

A: Yes. LameXP is free software. You may modify and/or redistribute it freely, according to the terms of the GNU General Public License. However, be aware that it is strictly forbidden to bundle the LameXP program files and/or the LameXP installation program with any kind of Adware, Spyware or PUP (potentially unwanted program). Usually, no additional permission will be needed. If, however, you wish to redistribute the LameXP software in a way that does not comply with the license terms, a written permission by the author of the LameXP software is required!

8.3 Q: How can I donate to the authors of LameXP?

-

A: At this time, the authors of the LameXP software do not accept any donations, in terms of money. If you wish to support the LameXP project, then you may do so by contributing translations, by improving the LameXP program code or by providing web-server capacity.

+

A: LameXP is a non-profit project. The authors of the LameXP software do not accept any donations, in terms of money. If you wish to support the LameXP project, then you may do so by contributing translations, by improving the LameXP program code or by providing web-servers.

8.4 Q: Why is this software called LameXP?

A: Originally, the LameXP software was created as a very simple GUI front-end to the LAME MP3 command-line encoder. The original version of this software, released some time in 2004, did not support any encoders except for LAME, it did not support any input formats except for Wave Audio, it did not support any audio filters, it did not support multi-threading, it did not support Unicode file names and it did not handle meta information. Because the software was a front-end to LAME, because it was running on the Microsoft Windows operating system and because, back at that time, Windows XP was the most popular Windows version (by far), I decided to call the software "LAME front-end for Windows XP" – or, in short, LameXP. Note the most creative name, I have to admit. Anyway, more and more features have been added to the LameXP software over the years. Also, the software has been re-written from the scratch at least two times. Nonetheless, the original name of the software has been retained. This is partly because people have become used to that name, and partly because I simply haven't been able to come up with a better name…

8.5 Q: Why are the LameXP binaries not digitally signed?

-

A: They are! The official LameXP binaries are digitally signed, by PGP signatures, using the GnuPGhttp://de.wikipedia.org/wiki/GNU_Privacy_Guard software. However, the LameXP binaries are not signed in a way that the Microsoft Windows operating system recognizes. Note that Microsoft Windows does not recognize PGP/GnuPG signatures. For this reason, Microsoft Windows may show a warning when trying to launch or install the LameXP software. Microsoft Windows will also complain that the LameXP software originates from an "unknown publisher".

+

A: They are! The official LameXP binaries are digitally signed by PGP signatures, created using the GnuPG software. However, the LameXP binaries are not signed in a way that the Microsoft Windows operating system recognizes. Please note that Microsoft Windows does not currently recognize PGP (GnuPG) signatures. For this reason, Microsoft Windows may show a warning when trying to launch or install the LameXP software. Microsoft Windows will also complain that the LameXP program files originate from an "unknown publisher", despite they are signed.

So why are the LameXP binaries not signed in the way Microsoft Windows recognizes? This is because Microsoft Windows uses a hierarchical trust model: Windows trusts into a number of Certificate Authorities (CA), which are built into the operating system. These CA's can issue signing certificates, e.g., to software companies. The software company can then use its signing certificate to sign their binaries. Finally, Windows will verify the signature by using the corresponding signing certificate. And the signing certificate is verified using the built-in CA certificate. However, this system is flawed: First of all, CA's do not create signing certificates for free. Also these certificates are only valid for a limited period of time. LameXP is a non-profit project and therefore we can not afford buying new certificates in regular intervals. Secondly, and even more important, the whole system depends on the trustworthiness of the CA's. But, as we all (should) know by now, these CA's can be forced to create "bogus" certificates, e.g. by intelligence services or other governmental organizations. Please also see this blog post by "fefe" for an in-depth explanation.

If you want to verify the LameXP signatures yourself, then you may do so by using the Gpg4win software package, an easy-to-use distribution of the GnuPG software for Microsoft Windows. Of course you will also require the public key of the LameXP developers. The finperprint of the official GnuPG signing key is 3265784425BF2B394F67CE07106A413D6CF3FA22 and the corresponding public key block is provided in the following. If you are not familiar with the GnuPG software yet, please have a look at the Gpg4win compendium or the GnuPG manual.

-

LameXP public GnuPG key:

+

LameXP public PGP (GnuPG) key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v2.0.21 (MingW32)
 
diff --git a/doc/Manual.md b/doc/Manual.md
index 4ddbb7c6..8c30d4e9 100644
--- a/doc/Manual.md
+++ b/doc/Manual.md
@@ -637,7 +637,7 @@ This section tries to answer some of the most frequently asked questions. So if
 
 ## Q: How can I donate to the authors of LameXP? ##
 
-**A:** At this time, the authors of the LameXP software do **not** accept any donations, in terms of money. If you wish to support the LameXP project, then you may do so by contributing translations, by improving the LameXP program code or by providing web-server capacity.
+**A:** LameXP is a *non-profit* project. The authors of the LameXP software do **not** accept any donations, in terms of money. If you wish to support the LameXP project, then you may do so by contributing translations, by improving the LameXP program code or by providing web-servers.
 
 
 ## Q: Why is this software called *LameXP*? ##
@@ -647,14 +647,14 @@ This section tries to answer some of the most frequently asked questions. So if
 
 ## Q: Why are the LameXP binaries *not* digitally signed? ##
 
-**A:** They *are*! The official LameXP binaries *are* digitally signed, by [*PGP*](http://de.wikipedia.org/wiki/Pretty_Good_Privacy) signatures, using the [GnuPG]()http://de.wikipedia.org/wiki/GNU_Privacy_Guard software. However, the LameXP binaries are *not* signed in a way that the Microsoft Windows operating system recognizes. Note that Microsoft Windows does **not** recognize PGP/GnuPG signatures. For this reason, Microsoft Windows may show a warning when trying to launch or install the LameXP software. Microsoft Windows will also complain that the LameXP software originates from an "unknown publisher".
+**A:** They *are*! The official LameXP binaries are digitally signed by [*PGP*](http://de.wikipedia.org/wiki/Pretty_Good_Privacy) signatures, created using the [GnuPG](http://de.wikipedia.org/wiki/GNU_Privacy_Guard) software. However, the LameXP binaries are *not* signed in a way that the Microsoft Windows operating system recognizes. Please note that Microsoft Windows does **not** currently recognize PGP (GnuPG) signatures. For this reason, Microsoft Windows may show a warning when trying to launch or install the LameXP software. Microsoft Windows will also complain that the LameXP program files originate from an "unknown publisher", despite they *are* signed.
 
 So why are the LameXP binaries not signed in the way Microsoft Windows recognizes? This is because Microsoft Windows uses a *hierarchical* trust model: Windows trusts into a number of *Certificate Authorities* (CA), which are built into the operating system. These CA's can issue signing certificates, e.g., to software companies. The software company can then use its signing certificate to sign their binaries. Finally, Windows will verify the signature by using the corresponding signing certificate. And the signing certificate is verified using the *built-in* CA certificate. However, this system is *flawed*: First of all, CA's do *not* create signing certificates for free. Also these certificates  are only valid for a limited period of time. LameXP is a *non-profit* project and therefore we can *not* afford buying new certificates in regular intervals. Secondly, and even more important, the whole system depends on the *trustworthiness of the CA's*. But, as we all (should) know by now, these CA's can be forced to create "bogus" certificates, e.g. by intelligence services or other governmental organizations. Please also see [**this**](http://blog.fefe.de/?ts=b25933c5) blog post by "fefe" for an in-depth explanation.
 
 If you want to verify the LameXP signatures yourself, then you may do so by using the [Gpg4win](http://www.gpg4win.de/) software package, an easy-to-use distribution of the *GnuPG* software for Microsoft Windows. Of course you will also require the *public* key of the LameXP developers. The *finperprint* of the official  GnuPG signing key is ``3265784425BF2B394F67CE07106A413D6CF3FA22`` and the corresponding public key block is provided in the following. If you are *not* familiar with the GnuPG software yet, please have a look at the [Gpg4win compendium](http://www.gpg4win.de/documentation.html) or the [GnuPG manual](https://www.gnupg.org/documentation/manuals.html).
 
 
-**LameXP public GnuPG key:**
+**LameXP public PGP (GnuPG) key:**
 
 	-----BEGIN PGP PUBLIC KEY BLOCK-----
 	Version: GnuPG v2.0.21 (MingW32)