corinthia-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis E. Hamilton (JIRA)" <>
Subject [jira] [Resolved] (COR-19) Security, Safety and Forensics
Date Sun, 11 Jan 2015 19:31:34 GMT


Dennis E. Hamilton resolved COR-19.
    Resolution: Fixed

There is no project action required on this issue.  It was just for watching another project
that might have some relevant considerations.

> Security, Safety and Forensics
> ------------------------------
>                 Key: COR-19
>                 URL:
>             Project: Corinthia
>          Issue Type: New Feature
>         Environment: source
>            Reporter: jan iversen
>            Priority: Minor
> The Secure ODF initiative
> I don't expect to see much on this effort, which I had seen early rumblings about:
> 100,000 Euro in under 30 days is certainly a great Christmas present, but that is a monstrous
reach for a from-zero effort.
> Drive-By Thoughts
> Document security in terms of how to avoid exploits via maliciously-crafted document
files is a big deal. So that is a profile case for safe documents as well as a compliance
case for how processors are resilient about it and don't do anything to produce unsafe documents
or to perpetuate unsafe features from input to output.
> For me, I see an absence of forensic tools, all the way up from the raw/packaged files
into practices around how various matters are dealt with up the levels through XML tricks,
covert content, dangerous Internet references, etc.
> The nice thing about forensic tools is they are not burdened with UI and formatting-fidelity
issues, yet they can reuse (or be sources of) vetted components. I was reminded of that when
I saw other MiniZip-related work of Mathias Svensson that includes tools for extracting the
structure of a Zip in human-readable form,
> It is always nice to build forensic tools as part of working up the layers of reusable
modules for format analysis and related tasks. It goes with unit tests as a valuable way to
confirm library modules and demonstrate their effective use.
> Just some thoughts.
> jan: 
> This is an extremely interesting topic. And might be one that can attract attention.
It is at least a theme that triggers the programmer in me.
> Crowd sourcing is also very interesting, sadly enough ASF does not allow targeted donations.
But it would not be a problem if part of the community tried to do it as persons....I am sure
it could be interesting for some. The proposal would in that case be, that people pay to get
a specific feature developed, there is only little caveat, the proposal cannot promise that
the feature becomes part of corinthia, only the community can decide that (but one can ask
in advance).
> dennis: I don't expect us or anyone to seek crowd-funding for Corinthia in any manner.
My observation is that the proposed effort is interesting. I don't think Tariq will reach
the funding target he has set, so he won't receive any funding at all. One problem is that
the only thing a contributor receives is a thank you, with the loudness of the acknowledgment
dependent on the funding level. (Usually there is bling of some sort, including T shirts,
other goodies.) And his result is very undefined -- there is no commitment to what will be
covered at a minimum, what stretch goals are, etc. I don't think this will work out as a kick-starter.
> I do think that document security and safety will be a consideration in Corinthia, however,
and it applies to profiling and also the idea of preserving unconverted provisions of input
documents. I also see that it matters with regard to the plug-in design and what can be done
to deal with malicious/counterfeit plug-ins.
> (I am thinking that using the ODF 1.2 Package and its provision for digital signatures
is a way of packaging and authenticating plug-ins, if dynamic plug-in integration is offered
for Corinthia. It is overdue for OpenOffice to update their OXT plug-in package which is almost
but not quite an ODF package already.)
> Oh, funny. I just received a notice about this in my inbox:
> I separate crowd-funding from crowd-sourcing (as in searching for comets, cracking hash
functions, operating wireless grids, creating gaming components and accessories, and distributed
hack-a-thons). I didn't realized that crowd-sourcing is used for the funding model too.

This message was sent by Atlassian JIRA

View raw message