incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jürgen Schmidt <jogischm...@googlemail.com>
Subject Re: [RELEASE,CODE]: Bug 119090 - Default Encryption Fails for Down-Level Implementations
Date Mon, 26 Mar 2012 08:13:29 GMT
On 3/26/12 10:10 AM, Jürgen Schmidt wrote:
> On 3/26/12 3:15 AM, Dennis E. Hamilton wrote:
>> TJ,
>>
>> I was doing some nosing around and, based on some information on the
>> Community Forums (thank you Hagar), it looks like the settings are
>> controlled in a file called registrymodifications.xcu, at least on
>> Windows. The location will vary with different versions of windows.
>>
>> On windows, you can find one under the installed-user profile, such as
>> Documents& Settings\orcmid\Application Data [a hidden file],
>> OpenOffice/3/user/registrymodification.xcu for any install since the
>> AES256 has been instituted as default. the *.xcu is actually an XML
>> file and you can find the settings by searching for "blowfish" and for
>> "SHA1".
>>
>> How this works for Mac, Solaris, OS/2, and the various Linus and BSD
>> builds, I have no idea.
>
> I think I have mentioned before that it is easy to provide an extension
> to switch the relevant configuration settings.
>
> As the release manger I will accept the issue as critical enough to
> change the default back for 3.4. For AOO 4.0 we will switch the default
> again and will provide a GUI to allow the user the change it more easily.
>
> For 3.4 we provide a mini extension that switch the default back to AES
> for users who prefer this encryption algorithm.
>

please don't apply the patch in the issue, it won't work.

Juergen

> Juergen
>
>
>>
>> - Dennis
>>
>> -----Original Message-----
>> From: TJ Frazier [mailto:tjfrazier@cfl.rr.com]
>> Sent: Friday, March 23, 2012 11:26
>> To: ooo-dev@incubator.apache.org
>> Subject: Re: [RELEASE,CODE]: Bug 119090 - Default Encryption Fails for
>> Down-Level Implementations
>>
>> [ ... ]
>>
>> ... options to consider:
>>
>> 3. User change to config file, to use the new option.
>>
>> I have suggested a writeup on this, but such instructions are much
>> better aimed at the (few?) users who want the "latest and greatest"
>> security option, and will do a little work to get it. (Does anybody know
>> what that file name is? Given that, I volunteer to update the Release
>> Notes.)
>>
>> 4. Macro to toggle the settings.
>>
>> This could be distributed in a BASIC library (new or existing); no
>> extension necessary. User instructions to find and run the macro are
>> simple. I may be able to write this; preliminary investigation is
>> promising but not certain. I volunteer to try. There are several real
>> experts on this list, whom I might ask for help.
>>
>> /tj/
>>>
>>>
>>>
>>> [1] https://issues.apache.org/ooo/show_bug.cgi?id=119090
>>>
>>> On 19.03.2012 14:48, Jürgen Schmidt wrote:
>>>> On 3/19/12 2:16 PM, TJ Frazier wrote:
>>>>> On 3/19/2012 08:48, Jürgen Schmidt wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I think issue 119090 is no show stopper from my point of view. The
>>>>>> new
>>>>>> default provides a better security than before when I understand
it
>>>>>> correct. And if people detect potential problems they can save the
>>>>>> document again with other settings.
>>>>>>
>>>>>> I agree that this is important for interoperability but no show
>>>>>> stopper.
>>>>>>
>>>>>> Any other opinion?
>>>>>>
>>>>>> Juergen
>>>>>>
>>>>>>
>>>>> Hi, Jürgen,
>>>>>
>>>>> Like Dennis, I'm nervous about this. Perhaps we can handle it with a
>>>>> mention in the Release Notes; something like,
>>>>>
>>>>> PLEASE NOTE: the default options for [technical details here] should
>>>>> provide your best /individual/ security. However, if you intend to
>>>>> share
>>>>> the document in secure fashion, the default mode cannot be read by
>>>>> * previous versions of OpenOffice.org
>>>>> * current versions of LibreOffice, at least through [version]
>>>>> * Ms Office [version info]
>>>>> For compatibility, use the options [details here].
>>>>>
>>>>
>>>> I agree that it make sense to mention it in the release notes.
>>>>
>>>> Any volunteer for updating the release notes?
>>>>
>>>> Juergen
>>>
>>>
>>
>>
>


Mime
View raw message