openoffice-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: [DISCUSS] What Would OpenOffice Retirement Involve? (long)
Date Fri, 02 Sep 2016 05:08:09 GMT


> -----Original Message-----
> From: Phillip Rhodes [mailto:motley.crue.fan@gmail.com]
> Sent: Thursday, September 1, 2016 21:23
> To: dev@openoffice.apache.org
> Cc: private@openoffice.apache.org
> Subject: Re: [DISCUSS] What Would OpenOffice Retirement Involve? (long)
> 
> > (3) I think that working towards being able to release rather than
> > patch as Patricia has suggested is our best way to solve the security issue.
> > The quick patch is not much faster and has been proven to be more of a
> > challenge than kick starting the broken build process.
> >
> 
> 
> Forgive me for being a little behind.  What is broken in the build
> process?
> Technical problem, or process issue, or other or what?
> 
[orcmid] 

This is off-topic for this thread, but it may be helpful in illustrating why the Board wants
to know what the project's considerations are with respect to retirement and in particular,
with regard to avoiding the situation I will now recount.

The remark about a patch has to do with CVE-2016-1513, with our advisory at 
<http://www.openoffice.org/security/cves/CVE-2016-1513.html>.

The vulnerability and a proof of concept were reported to the project on 2016-10-20 as Apache
OpenOffice 4.1.2 was going out the door.

We had figured out the source-code fix in March.  

On June 7, the reporter was concerned about sitting on the disclosure any longer and gave
us a June deadline, proposing to disclose even though we had not committed to an AOO update.
We were sitting on the fix because we didn't want to give anyone ideas when they saw it applied
to the source code unless there was a release in the works.

We negotiated a disclosure extension to July 21.  Part of that agreement was our working to
create a hotfix instead of attempting to work up a full maintenance release (e.g., a 4.1.3).
On July 21 we issued an advisory that disclosed existence of the vulnerability without offering
any repaired software.

We had the corrected shared library at the time of disclosure, but had not tested much for
possible regressions with it.  Also, instructions needed to be written.  General Availability
of the Hotfix, 4.1.2-patch1, was on August 30, after more testing, QA of the instructions
and the fix, and adding a couple of localizations.  The QA period did turn up a couple of
glitches and improvements to the instructions and also included scripts to simplify the task
for Windows users.

There are two prospects for this year: a 4.1.3 maintenance release for some important maintenance-only
items and the 4.2.0 feature release.  In either case it is likely that an update of any kind
will come a year after the release of Apache OpenOffice 4.1.2.

If anyone wants to look into the issues of producing releases, I suggest you confirm the 4.1.2
release by compiling it from the source archive using the available build instructions and
see how well you can replicate the released binary for the same platform.  Where we fall the
most short is having enough folks who can do this for Windows and MacOSX, covering almost
95% of our user base [;<).

> 
> Phil

