incubator-general mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir)
Date Thu, 12 Apr 2012 19:38:02 GMT
On Thu, Apr 12, 2012 at 2:54 PM, Dennis E. Hamilton
<dennis.hamilton@acm.org> wrote:
> @Rob,
>
> In fact, I posted to ooo-dev and ooo-users information on the significance of the vulnerability
> and ways to mitigate it.
>

Yes, after the official security bulletin went out to those same lists.  Thanks.

> I was unsuccessful in posting instructions, after several failed attempts, for applying
> the patch on Windows XP where the dialogs are different and have different consequences than
> described in the Windows-patch PDF, which gives instructions for Windows 7.  (This has to
> do with an over-zealous spam filter on our lists and I could not get around it.)  I have
> however put what I could on the Media Wiki as the basis for a possible FAQ, using
> <http://wiki.services.openoffice.org/wiki/Talk:Documentation/FAQ/Installation/How_Can_I_Install_the_Security_Patch_(CVE-2012-0037)>.
>

The security bulletin is in SVN.  You can use the CMS or check in the
fix directly.  Or post to BZ as a patch.  There is no need for a spam
filter on the lists to get in your way.


> I can't do anything about the fact that the need for a Linux patch has not been resolved.
> I can't do anything about the fact that the patch requires the confidence and experience
> of a power user to apply on any platform.  I understand why that is; I can't do anything
> about it myself beyond attempt to provide supporting information and supplementary instructions.
>

There are others in the PPMC who could do these things if they thought
it was important to do so.  In fact, the definition of "important" is
pretty much synonymous with "it gets someone to take action".

> And I am, of course, a volunteer here.
>
> I also don't see what that has to do with the relationship between the PPMC and ooo-security.
> That's about getting many eyes, not about where orcmid might exercise his heroic super powers.
>

But I hope you see my point.  If neither you nor anyone else on the
PPMC has thought it important to address these issues in the month
since the patch has been public, then I do not think that the same
PPMC members would have addressed these concerns if the security team
gave them a heads up a day or two earlier.  Or a week earlier.
Evidently even a month is not even enough.

-Rob

>  - Dennis
>
> -----Original Message-----
> From: Rob Weir [mailto:robweir@apache.org]
> Sent: Thursday, April 12, 2012 09:46
> To: general@incubator.apache.org
> Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of
> "April2012" by robweir)
>
> On Thu, Apr 12, 2012 at 12:32 PM, Dennis E. Hamilton
> <dennis.hamilton@acm.org> wrote:
>> I don't think the problem is with the size of the ooo-security list membership.  I
>> think it is in the assumption that the [P]PMC has somehow delegated the ability to make a
>> release of any kind to the ooo-security team.  I don't mean slip-streaming fixes and working
>> off the public SVN until that happens.  I mean developing and deploying all the rest of what
>> accompanies an advisory along with provision of a mitigation.
>>
>> The breakdowns were not in analyzing the reported vulnerability and the proof-of-exploit
>> that accompanied it.  I assume that ooo-security acquitted itself well in that regard as
>> well as with the coordination with other parties, including ones external to Apache, having
>> common concerns.  The breakdown was in all of the non-security considerations and assumptions,
>> even though they needed to be developed in confidence.  The PPMC would have provided a proper
>> arena for working that out.
>>
>> The PPMC has much to offer concerning the announcement of CVEs and the appropriate
>> coordination and form of patch releases/updates.  Those with valuable perspective on the
>> deployment strategy and its support might have no sense of the technical work that ooo-security
>> members undertake.
>>
>
> Dennis, if the PPMC wishes to make any changes to the patch, or the
> documentation, or the announcement, or the website related to this patch,
> they have had that ability for nearly a month now.  But no one,
> including yourself, has offered one change.  A lot of criticism,
> certainly, but no patches. The actions (or inaction) of the PPMC since
> this patch was announced proves the point.  It was good enough, and no
> one -- including you -- has ventured to raise a finger to improve any
> of the patch materials.
>
> -Rob
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>


