On 7/31/2016 5:17 PM, Dennis E. Hamilton wrote:


-----Original Message-----
From: Kay sch...@apache.org [mailto:ksch...@apache.org]
Sent: Sunday, July 31, 2016 14:42
To: dev@openoffice.apache.org
Subject: Re: Officially releasing a patch for CVE-2016-1513

OK, I think I'm done with the Linux64 bit area as well.

And see below ....


On 07/31/2016 01:10 PM, Marcus wrote:
[ ... ]
I'm preparing the hotfix webpage. For this I've some questions:

1. Do we want to provide zip files for every platform or just single
files for the library and other files?

Hmmmm... I assumed we would just be pointing people directly at
/dist/release/openoffice/patches.
(Right now, these are in /dist/dev/openoffice/patches.)

It would be easiest to just set up the hotfix page with three links per
distro.

Linux32
* link to Linux32.README
* link to linux32 libtl.so
* link to linux32 libtl.so.asc (sig)

etc.

If not, the READMEs I wrote will need to change.
[orcmid]

I recommend there should be single-file (e.g., Zip) distributions, just like 
all other binaries.  That gives just one thing to download.  The MD5, SHA512, 
and ASC signatures should be on the whole package and stay in the dev/ and 
release/ folders, just as they are on download pages.  (The ASC signatures on 
the individual library-file binaries should be inside the package.)  I suspect, 
on the dev/ side, we might need copies of the READMEs alongside the archives, 
and revised more regularly, so they can be reviewed and revised easily as we 
get QA and trial use.  When we move over to release/ we might want to do the 
same, even though the README is in the archive, so that people can read it 
without downloading the package.

Finally, please use README.txt, etc., so that line-ending adjustments will 
happen properly when folks move these in and out of SVN and also out of archive 
files.  This will also help browsers when folks retrieve these directly from 
the repository.

PS: If we are concerned about the README.txt outside of the archive being 
authenticated, it can have an embedded PGP signature.  (Then the final 
archive-internal one would be a copy of the signed README.txt -- no biggie, 
nice chain of custody).

[ ... ]

For the end user, this is incredibly, painfully more complicated than downloading and installing a new version.
