> -----Original Message-----
> From: Andrea Pescetti [mailto:pesce...@apache.org]
> Sent: Saturday, July 30, 2016 05:54
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
>
> On 30/07/2016 Dennis E. Hamilton wrote:
> >> -----Original Message-----
> >> From: Andrea Pescetti
> >> So I can supply a full source package or I can give my +1 to a "patch"
> >> package that others prepare. ...
> > [orcmid] I can provide the patch source package on Monday.
>
> Since I can only work on it today, I've uploaded to
> https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/source/
> a set of files not meant for voting now.
>
> There is a full source release (the three files with r1754535 in their
> name) and also an initial "patch-only" package named
> apache-openoffice-4.1.2-patch1.zip. We will probably want to approve
> just the latter; the former set is a backup solution, just in case.

[orcmid]
I see the following, each with their .asc, .md5, and .sha256 signatures.

    apache-openoffice-4.1.2-patch1.zip (28kb with expected content)

Then there are the following which are not patches but apparently the entire AOO4121 source tree:

    apache-openoffice-4.1.2-patch1-r1754535-src.tar.bz2 (215MB)
    apache-openoffice-4.1.2-patch1-r1754535-src.tar.gz (284MB)
    apache-openoffice-4.1.2-patch1-r1754535-src.zip (334MB)

This seems like overkill, especially since I don't think we want or need those in dist/release/openoffice/4.1.2-patch1/source/

Since the 4.1.2 source archives are readily available, and applying the patch or replacing the .cxx file seems pretty easy for anyone who can use the source, I would like to remove those three.

I have reviewed apache-openoffice-4.1.2-patch1.zip and the content seems just fine. I have verified the .asc signature. I have verified the md5 and sha256 hashes. SVN determines that the poly2.cxx in that .zip when extracted on Windows is indistinguishable from the same file in the fully-updated working folder from branch AOO410.

I think this is good enough to go with.

 - Dennis

PS: I suggested r1753426 because it is the revision that applied the cxx patch to trunk. r1754535 is the revision where Kay merged the fix to poly2.cxx onto AOO410. I think that identifier could still be on the patch-only version. I am not wedded to the idea [;<).

> Dennis (and others): feel free to adapt and modify my initial
> "patch-only" package as you see fit, feel free to replace my digital
> signature with yours and start the vote when appropriate.
>
> Regards,
> Andrea.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org