> -----Original Message----- > From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org] > Sent: Thursday, September 1, 2016 22:08 > To: dev@openoffice.apache.org > Subject: RE: [DISCUSS] What Would OpenOffice Retirement Involve? (long) > > > > > -----Original Message----- > > From: Phillip Rhodes [mailto:motley.crue....@gmail.com] > > Sent: Thursday, September 1, 2016 21:23 > > To: dev@openoffice.apache.org > > Cc: priv...@openoffice.apache.org > > Subject: Re: [DISCUSS] What Would OpenOffice Retirement Involve? > (long) > > > > > (3) I think that working towards being able to release rather than > > patch > > > as Patricia has suggested is our best way to solve the security > issue. > > The > > > quick patch is not much faster and has been proven to be more of a > > > challenge then kick starting the broken build process. > > > > > > > > > Forgive me for being a little behind. What is broken in the build > > process? > > Technical problem, or process issue, or other or what? [orcmid]
I should add that the situation recounted below was not the first time this happened. Also, I gave the wrong date for when the CVE-2016-1513 defect was reported to us. It was 2015-10-20, not 2016 of course. Now, if you look at CVE-2015-1774, <http://www.openoffice.org/security/cves/CVE-2015-1774.html>, you'll see that the disclosure and related advisory was made on 2015-04-27 (that was Version 1.0). We did not have a fix, we had only the workaround. This disclosure happened because the defect applied in the original openoffice.org code base and applied to other products that did have a fix. The remedy, for AOO, was to remove the offending library and its use from 4.1.2 on 2015-10-28. Furthermore, 4.1.2 was itself an emergency release because of the imminent disclosure of the other four CVEs fixed in that release and listed on <http://www.openoffice.org/security/bulletin.html>. The peer distributions actually held up their issuance of security updates and disclosure so that AOO could catch up with 4.1.2. If you look at the credits of those four CVEs, you'll see that the [OfficeSecurity] list members were instrumental in creating fixes that AOO also used. Our problem was how much longer it took to produce the emergency release of 4.1.2 (and also desist from putting in other pent-up fixes to do so). That was a nail-biter. It was clear that the [Officesecurity] folk had lost patience with AOO as a hold-up of rapid repair of common defects in our products. This was also stated very clearly at the AOO PMC. (The AOO Security team can do much to analyze reported defects and figure out fixes, but it cannot do releases. The PMC has to act on that.) There was some unhappiness about forcing 4.1.2 out the door. Some preferred going straight to 4.2.0 which, with UI and localization changes, would take longer and have increased regression risk. That tension persists. And here we are. 2015-10-28 4.1.2 2014-08-21 4.1.1 2014-04-29 4.1 2013-10-01 4.0.1 2013-07-17 4 2013-01-30 3.4.1 refresh (8 more languages) 2012-08-21 3.4.1 incubating 2012-05-08 3.4 incubating > > > [orcmid] > > This is off-topic for this thread, but it may be helpful in illustrating > why the Board wants to know what the project's considerations are with > respect to retirement and in particular, with regard to avoiding the > situation I will now recount. > > The remark about a patch has to do with CVE-2016-1513, with our advisory > at > <http://www.openoffice.org/security/cves/CVE-2016-1513.html>. > > The vulnerability, and a proof of concept were reported to the project > on 2016-10-20 as Apache OpenOffice 4.1.2 was going out the door. > > We had figured out the source-code fix in March. > > On June 7, the reporter was concerned about sitting on the disclosure > any longer and gave us a June deadline, proposing to disclose even > though we had not committed to an AOO update. We were sitting on the > fix because we didn't want to give anyone ideas when they saw it applied > to the source code unless there was a release in the works. > > We negotiated a disclosure extension to July 21. Part of that agreement > was our working to create a hotfix instead of attempting to work up a > full maintenance release (e.g., a 4.1.3). On July 21 we issued an > advisory that disclosed existence of the vulnerability without offering > any repaired software. > > We had the corrected shared library at the time of disclosure, but had > not tested much for possible regressions with it. Also, instructions > needed to be written. General Availability of the Hotfix, 4.1.2-patch1, > was on August 30, after more testing, QA of the instructions and the > fix, and adding a couple of localizations. The QA period did turn up a > couple of glitches and improvements to the instructions and also > included scripts to simplify the task for Windows users. > > There are two prospects for this year: a 4.1.3 maintenance release for > some important maintenance-only items and the 4.2.0 feature release. In > either case it is likely that an update of any kind will be a year since > the release of Apache OpenOffice 4.1.2. > > If anyone wants to look into the issues of producing releases, I suggest > you confirm the 4.1.2 release by compiling it from the source archive > using the available build instructions and see how well you can > replicate the released binary for the same platform. Where we fall the > most short is having enough folks who can do this for Windows and > MacOSX, covering almost 95% of our user base [;<). > > > > > Phil > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org > For additional commands, e-mail: dev-h...@openoffice.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
