> -----Original Message-----
> From: Phillip Rhodes [mailto:motley.crue....@gmail.com]
> Sent: Thursday, September 1, 2016 21:23
> To: dev@openoffice.apache.org
> Cc: priv...@openoffice.apache.org
> Subject: Re: [DISCUSS] What Would OpenOffice Retirement Involve? (long)
>
> > (3) I think that working towards being able to release rather than patch
> > as Patricia has suggested is our best way to solve the security issue. The
> > quick patch is not much faster and has been proven to be more of a
> > challenge than kick-starting the broken build process.
>
> Forgive me for being a little behind. What is broken in the build process?
> Technical problem, or process issue, or other or what?

[orcmid]
This is off-topic for this thread, but it may be helpful in illustrating why the Board wants to know what the project's considerations are with respect to retirement and in particular, with regard to avoiding the situation I will now recount.

The remark about a patch has to do with CVE-2016-1513, with our advisory at <http://www.openoffice.org/security/cves/CVE-2016-1513.html>.

The vulnerability, and a proof of concept, were reported to the project on 2016-10-20 as Apache OpenOffice 4.1.2 was going out the door. We had figured out the source-code fix in March. On June 7, the reporter was concerned about sitting on the disclosure any longer and gave us a June deadline, proposing to disclose even though we had not committed to an AOO update. We were sitting on the fix because we didn't want to give anyone ideas when they saw it applied to the source code unless there was a release in the works.

We negotiated a disclosure extension to July 21. Part of that agreement was our working to create a hotfix instead of attempting to work up a full maintenance release (e.g., a 4.1.3). On July 21 we issued an advisory that disclosed existence of the vulnerability without offering any repaired software. We had the corrected shared library at the time of disclosure, but had not tested much for possible regressions with it. Also, instructions needed to be written.

General Availability of the Hotfix, 4.1.2-patch1, was on August 30, after more testing, QA of the instructions and the fix, and adding a couple of localizations. The QA period did turn up a couple of glitches and improvements to the instructions and also included scripts to simplify the task for Windows users.

There are two prospects for this year: a 4.1.3 maintenance release for some important maintenance-only items and the 4.2.0 feature release. In either case it is likely that an update of any kind will be a year since the release of Apache OpenOffice 4.1.2.
If anyone wants to look into the issues of producing releases, I suggest you confirm the 4.1.2 release by compiling it from the source archive using the available build instructions and see how well you can replicate the released binary for the same platform. Where we fall the most short is having enough folks who can do this for Windows and MacOSX, covering almost 95% of our user base [;<).

> > Phil

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
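The build-replication check suggested above, as an added shell example that is not part of the project's own tooling: given a locally rebuilt tree and the released binary tree (both paths are placeholders you supply), it hashes every file, reports digest mismatches and files present on only one side, and returns non-zero unless the two trees agree byte for byte.

```shell
# Added example, not AOO project code. Compares a rebuilt install tree
# against the released one to see how closely the build was replicated.
#
# Usage: compare_trees <rebuilt_dir> <released_dir>
# Prints one line per difference; exit status 0 only when the trees match.

file_digest() {
    # Portable SHA-256: prefer sha256sum (GNU), fall back to shasum (macOS).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

compare_trees() {
    rebuilt=$1
    released=$2
    diffs=0

    # Every file the rebuild produced must exist in the release with the same digest.
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if [ ! -f "$released/$rel" ]; then
            echo "ONLY-IN-REBUILT: $rel"
            diffs=$((diffs + 1))
        elif [ "$(file_digest "$rebuilt/$rel")" != "$(file_digest "$released/$rel")" ]; then
            echo "MISMATCH: $rel"
            diffs=$((diffs + 1))
        fi
    done <<EOF
$(cd "$rebuilt" && find . -type f | sed 's#^\./##' | sort)
EOF

    # Files shipped in the release that the rebuild did not produce at all.
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if [ ! -f "$rebuilt/$rel" ]; then
            echo "ONLY-IN-RELEASE: $rel"
            diffs=$((diffs + 1))
        fi
    done <<EOF
$(cd "$released" && find . -type f | sed 's#^\./##' | sort)
EOF

    echo "differences: $diffs"
    [ "$diffs" -eq 0 ]
}
```

A MISMATCH on a shared library is the case to look at first: it is exactly the kind of file a hotfix like 4.1.2-patch1 replaces, so a rebuild that cannot reproduce it cannot be trusted to produce a fixed one either.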