incubator-ooo-dev mailing list archives

From Rob Weir <>
Subject Re: Proposal: ooo-announce list
Date Mon, 12 Dec 2011 18:36:12 GMT
On Mon, Dec 12, 2011 at 10:14 AM, Andrea Pescetti
<> wrote:
> On 11/12/2011 Rob Weir wrote:
>> The practice is to check in such fixes without making it evident to
>> the observer that it is security-related.  So don't expect SVN
>> comments to give it away.
> Like this?

We'll probably see things like this as well, but not until after the
security report is made.  Remember, with SVN a commit comment is just
a property (svn:log), and that can be changed.  So the process would
be to commit the fix without drawing attention to it, and then after
the public report is made, to go back and update the SVN log to
include the CVE for that revision.

See step 15 here:


> I know the example is from LibreOffice (even though the bug might be shared
> with or Apache OpenOffice) but I just happened to spot it and
> it doesn't seem particularly hidden... Such a policy would have to apply to
> all related projects (again, I totally don't know if this bug is related to
> Apache OpenOffice too, I'm just discussing the issue in general).
> Regards,
>  Andrea.

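The svn:log rewrite described above, as an added example that is not part of the original thread and not the Apache OpenOffice project's own release process. It builds a throwaway repository, commits a fix under a neutral log message, and later appends a CVE identifier to that revision's svn:log. The repository path, file name, commit message and the CVE placeholder "CVE-YYYY-NNNN" are all constructed for this demonstration. Note the caveat the mail does not spell out: Subversion refuses to change revision properties unless the repository's pre-revprop-change hook exists and exits 0, and such changes are unversioned, so the hook below allows only svn:log to be edited and the rewrite keeps the original text intact.

```shell
#!/bin/sh
# Added example: commit a security fix with a neutral log message, then
# amend the svn:log revision property after disclosure to name the CVE.
# Requires the Subversion command-line tools (svn, svnadmin, svnlook).
set -eu

# Create a repository and install a pre-revprop-change hook. Without this
# hook every "svn propset --revprop" is rejected by the server. The hook
# receives: REPOS REV USER PROPNAME ACTION; we permit only svn:log.
setup_repo() {
  repo="$1"
  svnadmin create "$repo"
  cat > "$repo/hooks/pre-revprop-change" <<'EOF'
#!/bin/sh
# Allow edits to svn:log only; reject any other revision property.
[ "$4" = "svn:log" ] && exit 0
exit 1
EOF
  chmod +x "$repo/hooks/pre-revprop-change"
}

# Commit the fix. The message is deliberately bland: nothing in it says
# "security", "overflow" or "CVE", so the commit does not stand out.
commit_fix() {
  repo_url="$1"
  wc="$2"
  svn checkout -q "$repo_url" "$wc"
  # Constructed file standing in for the real fix.
  printf 'int parse(const char *p) { return p ? 0 : -1; }\n' > "$wc/parser.c"
  svn add -q "$wc/parser.c"
  svn commit -q -m "Fix error handling in parser" "$wc"
}

# After the public report: fetch the existing log message and append the
# CVE id. Revision properties are not versioned, so the old text is read
# back first and preserved rather than overwritten.
annotate_with_cve() {
  repo_url="$1"
  rev="$2"
  cve="$3"
  old=$(svn propget --revprop -r "$rev" svn:log "$repo_url")
  svn propset -q --revprop -r "$rev" svn:log "$old

$cve" "$repo_url"
}

# Run the whole sequence in a temp directory and print the final log
# message for the fix revision.
demo() {
  tmp=$(mktemp -d)
  setup_repo "$tmp/repo"
  url="file://$tmp/repo"
  commit_fix "$url" "$tmp/wc"
  rev=$(svnlook youngest "$tmp/repo")
  annotate_with_cve "$url" "$rev" "CVE-YYYY-NNNN"   # placeholder id
  svn propget --revprop -r "$rev" svn:log "$url"
  rm -rf "$tmp"
}
```

Running `demo` prints the original one-line message followed by a blank line and the CVE placeholder. The same hook gate applies on a real server: if an administrator has not installed pre-revprop-change, the post-disclosure annotation step fails with "Repository has not been enabled to accept revision propchanges", which is worth checking before relying on this process.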