Looks good to me.

On 07/24/2016 05:37 PM, Andrea Pescetti wrote:
While the severity of the security bug we disclosed http://www.openoffice.org/security/cves/CVE-2016-1513.html is not particularly high (it is classified as "Medium" with no known exploits and anti-virus software can detect malicious documents), we should release an update incorporating the -already tested- patch we disclosed in the announcement.

I assume we will want to keep the effort minimal.

To do so, an outline would be:

1) We commit the patch to the AOO410 branch. This is the branch used for all the 4.1.x series. 4.2.0 isn't out yet, so 4.1.x is still our reference version.

2) We do not make any other changes to the AOO410 branch. This is really meant to be a minimal update. Even the version number in the source package will remain 4.1.2.

3) We tag the release as AOO4121 and build the corresponding source package, which will have 4.1.2.1 in its name (I mean the filename, nowhere else).

4) We don't prepare full end-user release binaries but we do supply repaired libraries for power users - remember the circumstances above. The bugfix modifies one library file, and we have binaries ready for several platforms already.

5) We vote on the source and possibly binaries. We advertise the availability of the new packages on our website, but we don't send out update notifications and we don't put the files on SourceForge.

Does this look OK?

Once this is done, we will probably want to open another discussion and see how we can coordinate for a release that incorporates more fixes or features and is made available in full form, with all localized installers, to end users. But the above is mostly aimed at having an official way to ship the existing patch.

Regards,
  Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org


