[https://issues.apache.org/jira/browse/COR-19?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14272113#comment-14272113]
Dennis E. Hamilton commented on COR-19:
---------------------------------------
This project did not achieve its funding. Tariq Rashid has a few interesting
blog posts at http://secure-odf.blogspot.co.uk/
There's a draft profile white paper at
https://docs.google.com/document/d/1PTt7PKrQBriy1MGKMb8A_QtlkCByh0LPdSNT6KXEgEs/edit
It's probably appropriate to close this item, since it was basically a
"watch" item on GitHub.
> Security, Safety and Forensics
> ------------------------------
>
> Key: COR-19
> URL: https://issues.apache.org/jira/browse/COR-19
> Project: Corinthia
> Issue Type: New Feature
> Environment: source
> Reporter: jan iversen
> Priority: Minor
>
> The Secure ODF initiative
> I don't expect to see much on this effort, which I had seen early rumblings
> about:
> https://www.kickstarter.com/projects/849734365/secure-open-document-format
> 100,000 Euro in under 30 days is certainly a great Christmas present, but
> that is a monstrous reach for a from-zero effort.
> Drive-By Thoughts
> Document security in terms of how to avoid exploits via maliciously-crafted
> document files is a big deal. So that is a profile case for safe documents as
> well as a compliance case for how processors are resilient about it and don't
> do anything to produce unsafe documents or to perpetuate unsafe features from
> input to output.
> For me, I see an absence of forensic tools, all the way up from the
> raw/packaged files into practices around how various matters are dealt with
> up the levels through XML tricks, covert content, dangerous Internet
> references, etc.
> The nice thing about forensic tools is they are not burdened with UI and
> formatting-fidelity issues, yet they can reuse (or be sources of) vetted
> components. I was reminded of that when I saw other MiniZip-related work of
> Mathias Svensson that includes tools for extracting the structure of a Zip in
> human-readable form, http://result42.com/projects.
> It is always nice to build forensic tools as part of working up the layers of
> reusable modules for format analysis and related tasks. It goes with unit
> tests as a valuable way to confirm library modules and demonstrate their
> effective use.
> Just some thoughts.
> jan:
> This is an extremely interesting topic. And might be one that can attract
> attention. It is at least a theme that triggers the programmer in me.
> Crowd sourcing is also very interesting; sadly enough, ASF does not allow
> targeted donations. But it would not be a problem if part of the community
> tried to do it as persons.... I am sure it could be interesting for some. The
> proposal would in that case be that people pay to get a specific feature
> developed; there is only a little caveat: the proposal cannot promise that the
> feature becomes part of corinthia, only the community can decide that (but
> one can ask in advance).
> dennis: I don't expect us or anyone to seek crowd-funding for Corinthia in
> any manner. My observation is that the proposed effort is interesting. I
> don't think Tariq will reach the funding target he has set, so he won't
> receive any funding at all. One problem is that the only thing a contributor
> receives is a thank you, with the loudness of the acknowledgment dependent on
> the funding level. (Usually there is bling of some sort, including T shirts,
> other goodies.) And his result is very undefined -- there is no commitment to
> what will be covered at a minimum, what stretch goals are, etc. I don't think
> this will work out as a kick-starter.
> I do think that document security and safety will be a consideration in
> Corinthia, however, and it applies to profiling and also the idea of
> preserving unconverted provisions of input documents. I also see that it
> matters with regard to the plug-in design and what can be done to deal with
> malicious/counterfeit plug-ins.
> (I am thinking that using the ODF 1.2 Package and its provision for digital
> signatures is a way of packaging and authenticating plug-ins, if dynamic
> plug-in integration is offered for Corinthia. It is overdue for OpenOffice to
> update their OXT plug-in package which is almost but not quite an ODF package
> already.)
> Oh, funny. I just received a notice about this in my inbox:
> http://rcbd.buaa.edu.cn/issc/
> I separate crowd-funding from crowd-sourcing (as in searching for comets,
> cracking hash functions, operating wireless grids, creating gaming components
> and accessories, and distributed hack-a-thons). I didn't realize that
> crowd-sourcing is used for the funding model too.
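The kind of forensic tool the quoted discussion describes, one that exposes a package's Zip structure in human-readable form and flags dangerous Internet references, as an added Python example that is not part of the Corinthia project or of any tool mentioned in the thread: it checks that the `mimetype` entry is first and stored, lists every entry with its compression method and sizes, reports entry names that could escape an extraction directory, and reports `xlink:href` targets carrying a URI scheme. The sample package and its `content.xml` are constructed inline; the element names are assumed to mirror ODF's.

```python
import io
import re
import zipfile

# Constructed sample: a minimal ODF-style package (mimetype first and stored,
# as the ODF package spec requires) whose content.xml carries one remote reference.
SAMPLE_CONTENT_XML = (
    '<office:document-content xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<draw:image xlink:href="http://example.invalid/tracker.png"/>'
    '<draw:image xlink:href="Pictures/local.png"/>'
    '</office:document-content>'
)

def build_sample_package():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("mimetype"),
                    "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", SAMPLE_CONTENT_XML,
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()

HREF_RE = re.compile(r'xlink:href="([^"]*)"')
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)

def inspect_package(data):
    report = {"entries": [], "mimetype_ok": False,
              "suspicious_paths": [], "external_refs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # Human-readable structure: name, method, sizes, in central-directory order.
        for info in infos:
            method = "stored" if info.compress_type == zipfile.ZIP_STORED else "deflated"
            report["entries"].append((info.filename, method, info.file_size, info.compress_size))
            # Entry names that could escape the extraction directory.
            if info.filename.startswith("/") or ".." in info.filename.split("/"):
                report["suspicious_paths"].append(info.filename)
        # ODF requires 'mimetype' to be the first entry and uncompressed.
        if infos and infos[0].filename == "mimetype" and infos[0].compress_type == zipfile.ZIP_STORED:
            report["mimetype_ok"] = True
        # Any xlink:href with a URI scheme points outside the package.
        for info in infos:
            if info.filename.endswith(".xml"):
                text = zf.read(info).decode("utf-8", errors="replace")
                for href in HREF_RE.findall(text):
                    if SCHEME_RE.match(href):
                        report["external_refs"].append((info.filename, href))
    return report
```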
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)