From bff76873d0cee1cc2d42c585b21789c915d9e681 Mon Sep 17 00:00:00 2001
From: LoRd_MuldeR
Date: Sun, 27 Oct 2013 19:43:19 +0100
Subject: [PATCH] Update FAQ document.

---
 doc/FAQ.html | 100 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 100 insertions(+)

diff --git a/doc/FAQ.html b/doc/FAQ.html
index e0894e9a..abf5c5bd 100644
--- a/doc/FAQ.html
+++ b/doc/FAQ.html
@@ -30,6 +30,7 @@ a:visited { color: #0000EE; }
  • What license is LameXP released under?
  • Do I have to pay for LameXP? / How can I donate to the authors of LameXP?
  • Why is the thing called "LameXP" although it does so much more? +
  • Why are the LameXP binaries not digitally signed (seemingly)?
  • MP3, AAC/MP4, Vorbis, FLAC or Opus - What is the best audio format?
  • What is the difference between the CBR, VBR and ABR rate control modes?
  • How do I enable AAC/MP4/M4A output (encoding) in LameXP? @@ -252,6 +253,105 @@ So to make a long story short: The name has historical reasons and probably isn'

    +Why are the LameXP binaries not digitally signed (seemingly)?
    +
    +The official LameXP binaries *are* signed digitally, using GPG/GnuPG. They just are NOT signed in a way that
    +Microsoft Windows recognizes. For this reason, Microsoft Windows may show a fat warning that the program is
    +from an "unknown publisher", when trying to install or update LameXP. But you can ignore this warning safely!
    +
    +So why LameXP binaries are not digitally signed in the way Microsoft Windows recognizes? This is because
    +Microsoft Windows uses a *hierarchical* trust model: Windows trusts into a number of Certificate Authorities
    +(CA's). These CA's issue certificates to, e.g., software developers. Finally, the software developer can use
    +his certificate to create digital signatures. Windows will then verify the software signatures by using the
    +corresponding certificate. The certificate, in turn, will be verified by checking the CA's digital signature.
    +
    +Unfortunately, this process is fundamentally flawed, because it totally depends on the CA's trustworthiness!
    +But, as everybody should know by now, CA's can *not* be trusted at all! That is because intelligence services
    +and other governmental organisations can force CA's to issue "bogus" certificates! Windows would then accept
    +these "bogus" certificates and all software signed by it. In other words: The software will appear to have a
    +valid signature create by the legitimate owner of the certificate - despite it was signed by sombody else!
    +
    +So what can we do? We can use GPG/GnuPG, which is *not* flawed in this way! GPG/GnuPG uses a so-called "web
    +of trust". This means that you *only* trust into keys that you have either verified yourself or that someone,
    +whom you trust already, has verified. Most important, in GPG/GnuPG it's always YOU who decides whom you want
    +to trust or not. There is *no* centralized "authority" required or used. Consequently, intelligence services
    +and other governmental organisations will *not* be able to create "bogus" GPG/GnuPG keys, unless they can
    +break the cryptographic algorithms (DSA, RSA, etc. pp). But in the latter case, we would be doomed anyway ;-)
    +
    +LameXP only trusts into a signle public key, which is the public key of the LameXP developers. This key is
    +built into any LameXP binary. LameXP will use that key to verify the signatures of any updates (downloads)
    +prior to installing them on the computer. Thus, once you have a genuine copy of LameXP installed, you can be
    +sure that only genuine updates of LameXP will be downloaded/installed by the LameXP auto-update utility.
    +
    +
    +Addendum #1:
    +
    +Another important fact to understand is that digital signatures do *not* provide any information about the
    +security or dependability of a software. If a program contains a valid digital signature, it can be verified
    +that this program really originates from the person/organization who has signed the binary. But that's it!
    +There can be bugs and security vulnerabilities in a signed piece of software, just like in any unsigned piece
    +of software. There even is nothing that would prevent an attacker from digitally signing malware programs!
    +Though, the certificate (public key) of a malware author would hopefully(!) be revoked sooner or later.
    +
    +
    +Addendum #2:
    +
    +In theory it would be possibe to add a digital signature that Windows recognizes to LameXP, just to get rid
    +of the warning message. However, this would require a code signing certificate from one of the CA's that
    +Windows accepts. But CA's don't issue certificates for free! They sell at approx. 150€ per year. But, because
    +LameXP is a non-profit OpenSource project, the developers can NOT afford buying a code signing certificate.
    +
    +If anybody is willing to contribute a code signing certificate to the LameXP project, please contact us! ;-)
    +
    +
    +The finperprint of the LameXP GPG/GnuPG signing key:
    +3265784425BF2B394F67CE07106A413D6CF3FA22
    +
    +The complete LameXP GPG/GnuPG public signing key:
    +
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    +Version: GnuPG v2.0.21 (MingW32)
    +
    +mQGiBEp0LDgRBACbZhtVHbb4tWlJCCxQ3eH9TQ3zUYrI2UHN94Yk8MJGEO1Fxigg
    +smUAeGRmHKpH24VCB/MaHef83fd3bu2yHSf8xgWe90hZR1pLLfmtxqN1SZu/YlJx
    +y4LOcxEwSc3P09cDL112fEFKs36d7OPYR6DXk75hWRwsnd0snJEnDHMVKwCgqCsn
    +9y5rxTeH32sNytkdMMijkD0D/RrNZiCr/uQcT695oLsYkemNQzbN+hd5bmkkXnRi
    +H27kHeeY1G1zLLFfTk7yKm7UZrTpMYxCXS80ORs9RF9rL8bnzzSiBAIHEz4uc5SD
    +oH7K3Y526SZ4m4GOLnlVTisd9FXpm0YHB/MXMRrNLZbSzveS3pOEmRny0yeI13cU
    +y8tqA/4xjW2DPlwB7lIUOcPyXa9pmAkLApCYF4CwUwKw4df6s+4txWkvuD0cJlli
    +nPK7B7SrMv5c2Eg2UQWpF0WN+s8IqX3eoJ1CI+oBVZVWZMhC+Vojz8K0tIkHWZh7
    +sy/gUk6XApTN8Ce/xbuMgDhfqxUXzkGzpvR9FJ0Y0R7kNgReUbQzTG9SZF9NdWxk
    +ZVIgKGh0dHA6Ly9tdWxkZXIuYXQuZ2cvKSA8bXVsZGVyMkBnbXguZGU+iGAEExEC
    +ACAFAkp0LDgCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRAQakE9bPP6IqKr
    +AJ4541p84C0jD/MdL1akNsUtAQOBrwCcDAumPHDCj7wfmmeY/KN+jOmrp8G5BA0E
    +SnQsOBAQAIy8TJYBYPxVtq8ENPs5qpLv+g3RRc/0TLaimaZGGdbsvANCswgNlxrK
    +spAb2IFC8Y85jl7PusdXhC89q1gP5cfb6WLzFggRZt6UEE3dJ+aBuKSu+k+y1n/v
    +R8oHpptIq3leonG5dXte5ZAYg+ID7DZz2QWgu4oWeDnUl945DLSCGj4vuT5sY/wi
    +zNv6PV2E0Bl+HIwkzlwHa9vYRPx84FL9eFM7llJdH5TYQZ+VkdqKIfAUWwXsDeqD
    +7YviIWLBbDxCtgfVB7sGYRZltMO9Nir7igO8SxOawkuBtLzU2ZbevBOSZmxami33
    +E2oAGWtcXGhKHMy7vPOQKfShcf2N0QMhNDSR54nxuu3/BW9diwYubJCkbkP/gv7g
    +GU/0eVWp19LeQN92zcmRN0JcJtu71T6Pcel9ZttEy/xyNyOrqhMP7vDd2sExwsYZ
    +VUqlOg7hA++TMCmNcxLQgWlb7tJxhNr4pBkJiX6Guu8/3fhQ0If99ZlpeCpmMJFN
    +kvhgFMWtCVPk5u1i/lwXsSoRcRXIfbRAcBqVEe5mgcyBBQZCoK2kQ8qt7Zol6/Lu
    +9GsY/ag4elArck1EtlK0fxpVUsEskTR2Yw7hY/upPGfI22Wzzfg6WlwaYysyONfF
    +ecoKS+ZaXVQ9BDAtRDKSD2yXkYDngJLDcbOTOPLxfDP/dKthqzkXAAMFD/0W/s64
    +tsIju1IGE8uQt1fIZECV8M8HJeVatNEVJyPDrS/WIO0vqedxhod6qpF1UwPBG1gw
    +WKe7nPhFoBzDayK92umEXUng0nQYmFUJWk7PXI751R1VFVgrbVw+LM2zy0/WRClh
    +2qUWv+q6JuK56NooPx3sgAE4uuGoiRi8qt8eNuu6FP90LUKo0t9mMEyVAHJdQbcm
    +tMFFU5K3+UehVYgosfplmLt5wpAs5GjqQSmeXA1DhvXNlPBBVn/tTSqGTw5+boqv
    +lfwHgLJOqae3GH+HZ1ega2/qb5PFVZRpV9PrRh38IRe0ZM0Y0yQtlhUPywksD8UM
    +KttadTHcBW4O/EZCEAOg69fc52mDs5GykJoXCOLsEc3/x2YJk8hvID3gR+qX/wxX
    +WDTVY0KL1IC+xo4Y3BxKXHd8EPhOyR52mHm6BvVE/bbMeQjTF0pPjqIL1iM23crA
    +Z9oYAtzYTOYyjtzx7SzY0SU+0jB7k7akr70vlbNR+Hk5iAR43MFoE5LyQpsmaUob
    +W8WwGwTUabrs0KXXNC6OotfZqylL+cgn+STDdmGLiW0rw7Yv6CxR+ZW77yiWHYam
    +TXY0hzq4U/9NnWwgCJErG5qausG8YidfDHenKIwZfc36d/bm6FSv5XGxShM7J4aO
    +uhZnmF9iIfovqAe60soJ+uH6UOnxEB6LHZNhiohJBBgRAgAJBQJKdCw4AhsMAAoJ
    +EBBqQT1s8/oi0RsAniNAOQRb8roflIOXVmeW3uB50RVtAJwLS5O19VD1W0HxjNZ6
    +sE7XdEZn+w==
    +=WDwE
    +-----END PGP PUBLIC KEY BLOCK-----

    + +

    + MP3, AAC/MP4, Vorbis, FLAC or Opus - What is the best audio format?

    This question can NOT be answered in general. The best audio format is the format that works best for you!
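
Review bot: The first paragraph of the new answer tells users "you can ignore this warning safely!", yet the only verification the text describes is the built-in key checking later updates "once you have a genuine copy of LameXP installed", so nothing covers the first download. Suggest adding, next to the fingerprint line, the steps a user should follow: import the published key, verify the release's GPG signature, and compare the key's fingerprint with 3265784425BF2B394F67CE07106A413D6CF3FA22 taken from a source other than the package being checked, because a FAQ shipped inside a tampered package could carry a replaced key and fingerprint. The paragraph beginning "LameXP only trusts into a single public key" also describes a pinned key rather than the "web of trust" argued for just above it, so the wording there should say that the updater relies on one built-in key and what happens if that key has to be replaced. Spelling to fix while editing: "signle", "sombody", "possibe", "finperprint", and "create by" should read "created by".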