From Kay Schenk <kay.sch...@gmail.com>
Subject Re: Officially releasing a patch for CVE-2016-1513
Date Mon, 01 Aug 2016 22:43:17 GMT

On 07/31/2016 05:17 PM, Dennis E. Hamilton wrote:
> 
> 
>> -----Original Message-----
>> From: Kay Schenk@apache.org [mailto:kschenk@apache.org]
>> Sent: Sunday, July 31, 2016 14:42
>> To: dev@openoffice.apache.org
>> Subject: Re: Officially releasing a patch for CVE-2016-1513
>>
>> OK, I think I'm done with the Linux 64-bit area as well.
>>
>> And see below ....
>>
>>
>> On 07/31/2016 01:10 PM, Marcus wrote:
> [ ... ]
>>> I'm preparing the hotfix webpage. For this I've some questions:
>>>
>>> 1. Do we want to provide zip files for every platform or just single
>>> files for the library and other files?
>>
>> Hmmmm... I assumed we would just be pointing people directly at
>> /dist/release/openoffice/patches.
>> (Right now, these are in /dist/dev/openoffice/patches.)
>>
>> It would be easiest to just set up the hotfix page with three links per
>> distro.
>>
>> Linux32
>> * link to Linux32.README
>> * link to linux32 libtl.so
>> * link to linux32 libtl.so.asc (sig)
>>
>> etc.
>>
>> If not, the READMEs I wrote will need to change.
> [orcmid] 
> 
> I recommend there should be single-file (e.g., Zip) distributions, just like all other
> binaries.  That gives just one thing to download.  The MD5, SHA512, and ASC signatures should
> be on the whole package and stay in the dev/ and release/ folders, just as they are on download
> pages.  (The ASC signatures on the individual library-file binaries should be inside the package.)
> I suspect, on the dev/ side, we might need copies of the READMEs alongside the archives,
> and revised more regularly,

I was Ok up to this statement. Are you saying INCLUDE the readmes in the
zip package but leave them outside of where they now are? If we want
signed zip files, can't we just leave the files we have now in:

https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/

but zip them up as well, including the READMEs?
Or, are you saying at distribution time, remove the libraries and their
sigs but leave the README files?
We have these in their own labeled area -- 4.1.2-patch1 -- so I don't
see a problem with just leaving everything there.

> so they can be reviewed and revised easily as we get QA and trial use.  When we move
> over to release/ we might want to do the same, even though the README is in the archive, so
> that people can read it without downloading the package.
> 
> Finally, please use README.txt, etc., so that line-ending adjustments will happen properly
> when folks move these in and out of SVN and also out of archive files.  This will also help
> browsers when folks retrieve these directly from the repository.
> 
> PS: If we are concerned about the README.txt outside of the archive being authenticated,
> it can have an embedded PGP signature.  (Then the final archive-internal one would be a copy
> of the signed README.txt -- no biggie, nice chain of custody).
> 
> [ ... ]
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
> For additional commands, e-mail: dev-help@openoffice.apache.org
> 

-- 
--------------------------------------------
MzK

"Time spent with cats is never wasted."
                   -- Sigmund Freud


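The package layout Dennis proposes above (whole-archive SHA512/ASC sidecars outside, README.txt and per-library .asc files inside) is something a downloader can check mechanically. The following is an added example, not code from the thread or the Apache OpenOffice project; the package name, the sample archive contents and the sidecar text are all constructed, and the OpenPGP check of the detached .asc is left to gpg since a hash alone only detects corruption, not tampering.

```python
import hashlib
import io
import zipfile

# Hypothetical package name; the real hotfix file names live under
# dist/dev/openoffice/4.1.2-patch1/ and are not reproduced here.
PACKAGE_NAME = "openoffice-4.1.2-patch1-linux32.zip"


def build_sample_package(with_asc: bool = True) -> bytes:
    """Constructed sample archive mirroring the proposed layout (not a real hotfix)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("README.txt", "Hotfix for CVE-2016-1513 (constructed sample)\r\n")
        z.writestr("linux32/libtl.so", b"\x7fELF placeholder, not a real library")
        if with_asc:
            z.writestr("linux32/libtl.so.asc", "-----BEGIN PGP SIGNATURE-----\n...\n")
    return buf.getvalue()


def make_sidecar(data: bytes, name: str) -> str:
    """Produce the 'HASH  filename' line that sha512sum writes for the archive."""
    return f"{hashlib.sha512(data).hexdigest()}  {name}\n"


def parse_sha512_sidecar(text: str) -> dict:
    """Parse sha512sum output; tolerate the '*name' binary-mode form."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 128:
            raise ValueError(f"malformed sidecar line: {line!r}")
        out[parts[1].lstrip("*")] = parts[0].lower()
    return out


def verify_package(data: bytes, sidecar: str, name: str) -> list:
    """Return a list of problems; an empty list means the download checks out.
    The detached package .asc must still be verified with gpg against the
    project's KEYS file; this function does not replace that step."""
    problems = []
    expected = parse_sha512_sidecar(sidecar).get(name)
    if expected is None:
        problems.append(f"{name} not listed in .sha512 sidecar")
    elif expected != hashlib.sha512(data).hexdigest():
        problems.append("SHA512 mismatch")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "README.txt" not in names:
            problems.append("README.txt missing from archive")
        for n in sorted(names):  # every shipped library needs its .asc beside it
            if n.endswith(".so") and n + ".asc" not in names:
                problems.append(f"no .asc signature for {n}")
    return problems
```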