> -----Original Message-----
> From: Patricia Shanahan [mailto:p...@acm.org]
> Sent: Sunday, July 31, 2016 21:37
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
>
> On 7/31/2016 5:17 PM, Dennis E. Hamilton wrote:
> >
> >> -----Original Message-----
> >> From: Kay sch...@apache.org [mailto:ksch...@apache.org]
> >> Sent: Sunday, July 31, 2016 14:42
> >> To: dev@openoffice.apache.org
> >> Subject: Re: Officially releasing a patch for CVE-2016-1513
> >>
> >> OK, I think I'm done with the Linux64 bit area as well.
> >>
> >> And see below ....
> >>
> >> On 07/31/2016 01:10 PM, Marcus wrote:
> > [ ... ]
> >>> I'm preparing the hotfix webpage. For this I've some questions:
> >>>
> >>> 1. Do we want to provide zip files for every platform or just single
> >>> files for the library and other files?
> >>
> >> Hmmmm... I assumed we would just be pointing people directly at
> >> /dist/release/openoffice/patches.
> >> (Right now, these are in /dist/dev/openoffice/patches.)
> >>
> >> It would be easiest to just set up the hotfix page with three links
> >> per distro.
> >>
> >> Linux32
> >> * link to Linux32.README
> >> * link to linux32 libtl.so
> >> * link to linux32 libtl.so.asc (sig)
> >>
> >> etc.
> >>
> >> If not, the READMEs I wrote will need to change.
> > [orcmid]
> >
> > I recommend there should be single-file (e.g., Zip) distributions,
> > just like all other binaries. That gives just one thing to download.
> > The MD5, SHA512, and ASC signatures should be on the whole package and
> > stay in the dev/ and release/ folders, just as they are on download
> > pages. (The ASC signatures on the individual library-file binaries
> > should be inside the package.) I suspect, on the dev/ side, we might
> > need copies of the READMEs alongside the archives, and revised more
> > regularly, so they can be reviewed and revised easily as we get QA and
> > trial use. When we move over to release/ we might want to do the same,
> > even though the README is in the archive, so that people can read it
> > without downloading the package.
> >
> > Finally, please use README.txt, etc., so that line-ending adjustments
> > will happen properly when folks move these in and out of SVN and also
> > out of archive files. This will also help browsers when folks retrieve
> > these directly from the repository.
> >
> > PS: If we are concerned about the README.txt outside of the archive
> > being authenticated, it can have an embedded PGP signature. (Then the
> > final archive-internal one would be a copy of the signed README.txt --
> > no biggie, nice chain of custody).
> >
> > [ ... ]
>
> For the end user, this is incredibly, painfully more complicated than
> downloading and installing a new version.

[orcmid]

Indeed it is. I think there is no question how daunting this might be and we must be very careful with this. The README.txt cannot be comprehensive for what a casual user might require, and a power user of OpenOffice might not be much of a power user of Windows. That has to be taken into account.

Is there a suggestion lurking in the observation?

 - Dennis

>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org