> -----Original Message-----
> From: Kay Schenk [mailto:kay.sch...@gmail.com]
> Sent: Monday, August 1, 2016 15:43
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
>
>
> On 07/31/2016 05:17 PM, Dennis E. Hamilton wrote:
> >
> >
> >> -----Original Message-----
> >> From: Kay sch...@apache.org [mailto:ksch...@apache.org]
> >> Sent: Sunday, July 31, 2016 14:42
> >> To: dev@openoffice.apache.org
> >> Subject: Re: Officially releasing a patch for CVE-2016-1513
> >>
> >> OK, I think I'm done with the Linux64 bit area as well.
> >>
> >> And see below ....
> >>
> >>
> >> On 07/31/2016 01:10 PM, Marcus wrote:
> > [ ... ]
> >>> I'm preparing the hotfix webpage. For this I've some questions:
> >>>
> >>> 1. Do we want to provide zip files for every platform or just single
> >>> files for the library and other files?
> >>
> >> Hmmmm... I assumed we would just be pointing people directly at
> >> /dist/release/openoffice/patches.
> >> (Right now, these are in /dist/dev/openoffice/patches.)
> >>
> >> It would be easiest to just set up the hotfix page with three links
> >> per distro.
> >>
> >> Linux32
> >> * link to Linux32.README
> >> * link to linux32 libtl.so
> >> * link to linux32 libtl.so.asc (sig)
> >>
> >> etc.
> >>
> >> If not, the READMEs I wrote will need to change.
> > [orcmid]
> >
> > I recommend there should be single-file (e.g., Zip) distributions,
> > just like all other binaries. That gives just one thing to download.
> > The MD5, SHA512, and ASC signatures should be on the whole package and
> > stay in the dev/ and release/ folders, just as they are on download
> > pages. (The ASC signatures on the individual library-file binaries
> > should be inside the package.) I suspect, on the dev/ side, we might
> > need copies of the READMEs alongside the archives, and revised more
> > regularly,
>
> I was Ok up to this statement. Are you saying INCLUDE the readmes in the
> zip package but leave them outside of where they now are? If we want
> signed zip files, can't we just leave the files we have now in:
>
> https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/
>
> but zip them up as well, including the READMEs?
> Or, are you saying at distribution time, remove the libraries and their
> sigs but leave the README files?
> We have these in their own labeled area -- 4.1.2-patch1 -- so I don't
> see a problem with just leaving everything there.
>
[orcmid]

I'll do what I mean by example when I upload the Windows case by tomorrow morning, at the latest. Then it will be easier to talk about it.

 - Dennis

> > so they can be reviewed and revised easily as we get QA and trial use.
> > When we move over to release/ we might want to do the same, even though
> > the README is in the archive, so that people can read it without
> > downloading the package.
> >
> > Finally, please use README.txt, etc., so that line-ending adjustments
> > will happen properly when folks move these in and out of SVN and also
> > out of archive files. This will also help browsers when folks retrieve
> > these directly from the repository.
> >
> > PS: If we are concerned about the README.txt outside of the archive
> > being authenticated, it can have an embedded PGP signature. (Then the
> > final archive-internal one would be a copy of the signed README.txt --
> > no biggie, nice chain of custody).
> >
> > [ ... ]
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> > For additional commands, e-mail: dev-h...@openoffice.apache.org
> >
>
> --
> --------------------------------------------
> MzK
>
> "Time spent with cats is never wasted."
> -- Sigmund Freud
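The package layout recommended in the message quoted above (one Zip per platform, SHA512 on the whole archive, a detached ASC signature for each library inside it, README.txt included) can be checked mechanically. The following is an added example, not part of the thread or of the project's tooling. The library suffix list, the digest-file format and the sample file contents are assumptions, and verifying the ASC signatures themselves still requires gpg and the project's published keys.

```python
import hashlib
import io
import zipfile

LIB_SUFFIXES = (".so", ".dll", ".dylib")  # assumed library file types


def check_patch_package(archive, sha512_text):
    """Return a list of layout problems; an empty list means all checks pass."""
    # Digest over the whole package, published beside the archive.
    # Assumed format: hex digest is the first whitespace-separated token.
    tokens = sha512_text.split()
    expected = tokens[0].lower() if tokens else ""
    if hashlib.sha512(archive).hexdigest() != expected:
        # Never open an archive whose digest does not match.
        return ["SHA512 mismatch on whole package"]
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return ["not a valid Zip archive"]
    problems = []
    # The README travels inside the package as README.txt.
    if "README.txt" not in {n.rsplit("/", 1)[-1] for n in names}:
        problems.append("README.txt missing from package")
    # Every library binary needs its detached signature next to it.
    for name in sorted(names):
        if name.lower().endswith(LIB_SUFFIXES) and name + ".asc" not in names:
            problems.append(f"no detached signature for {name}")
    return problems


def build_sample(files):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: contents are placeholders, not real binaries.
    pkg = build_sample({"README.txt": b"constructed",
                        "libtl.so": b"constructed"})
    print(check_patch_package(pkg, hashlib.sha512(pkg).hexdigest()))
```
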