> -----Original Message-----
> From: Andrea Pescetti [mailto:pesce...@apache.org]
> Sent: Friday, July 29, 2016 14:23
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
>
> On 24/07/2016 Andrea Pescetti wrote:
> > To do so, an outline would be:
> > 1) We commit the patch to the AOO410 branch. This is the branch used for
> > all the 4.1.x series. 4.2.0 isn't out yet, so 4.1.x is still our
> > reference version.
>
> This was done by Kay today (thanks!).
>
> > 2) We do not make any other changes to the AOO410 branch. This is really
> > meant to be a minimal update. Even the version number in the source
> > package will remain 4.1.2.
>
> Done by Kay today (and yes, I agree that we will publish hashes of the
> older libraries to make it possible to distinguish them - new libraries
> come with all hashes anyway).
>
> > 3) We tag the release as AOO4121 and build the corresponding source
> > package, which will have 4.1.2.1 in its name (I mean the filename,
> > nowhere else).
>
> I see that Kay also created
> https://svn.apache.org/viewvc/openoffice/tags/AOO4121/ which looks good.
>
> I've just built and tested OpenOffice from this code and I confirm it
> can be released.
>
> So I can supply a full source package or I can give my +1 to a "patch"
> package that others prepare. Since this vote is largely anticipated and
> several of us built OpenOffice with the new file already, I think we can
> have a 72-hour (not more) vote to comply with the standard Apache
> process. If someone is preparing the "minimal" package, please just say
> so, so we can have our vote and be done with the process.

[orcmid]
I can provide the patch source package on Monday.

 - Dennis

> > 4) We don't prepare full end-user release binaries but we do supply
> > repaired libraries for power users - remember the circumstances above.
> > The bugfix modifies one library file, and we have binaries ready for
> > several platforms already.
>
> We have binaries for all platforms at the moment, but these are not part
> of a formal vote so they can be approved separately.
>
> > 5) We vote on the source and possibly binaries. We advertise the
> > availability of the new packages on our website, but we don't send out
> > update notifications and we don't put the files on SourceForge.
>
> This would be next. In preparation, I've rearranged our dev area at
> https://dist.apache.org/repos/dist/dev/openoffice/

[orcmid]
OK, I have the new structure checked-out.

 - Dennis

> Regards,
> Andrea.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org