> -----Original Message-----
> From: Phillip Rhodes [mailto:motley.crue....@gmail.com]
> Sent: Thursday, September 1, 2016 21:23
> To: dev@openoffice.apache.org
> Cc: priv...@openoffice.apache.org
> Subject: Re: [DISCUSS] What Would OpenOffice Retirement Involve? (long)
> > (3) I think that working towards being able to release rather than
> patch
> > as Patricia has suggested is our best way to solve the security issue.
> The
> > quick patch is not much faster and has been proven to be more of a
> > challenge then kick starting the broken build process.
> >
> Forgive me for being a little behind.  What is broken in the build
> process?
> Technical problem, or process issue, or other or what?

This is off-topic for this thread, but it may be helpful in illustrating why 
the Board wants to know what the project's considerations are with respect to 
retirement and in particular, with regard to avoiding the situation I will now 

The remark about a patch has to do with CVE-2016-1513, with our advisory at 

The vulnerability, and a proof of concept were reported to the project on 
2016-10-20 as Apache OpenOffice 4.1.2 was going out the door.  

We had figured out the source-code fix in March.  

On June 7, the reporter was concerned about sitting on the disclosure any 
longer and gave us a June deadline, proposing to disclose even though we had 
not committed to an AOO update.  We were sitting on the fix because we didn't 
want to give anyone ideas when they saw it applied to the source code unless 
there was a release in the works.  

We negotiated a disclosure extension to July 21.  Part of that agreement was 
our working to create a hotfix instead of attempting to work up a full 
maintenance release (e.g., a 4.1.3).  On July 21 we issued an advisory that 
disclosed existence of the vulnerability without offering any repaired 

We had the corrected shared library at the time of disclosure, but had not 
tested much for possible regressions with it.  Also, instructions needed to be 
written.  General Availability of the Hotfix, 4.1.2-patch1, was on August 30, 
after more testing, QA of the instructions and the fix, and adding a couple of 
localizations.  The QA period did turn up a couple of glitches and improvements 
to the instructions and also included scripts to simplify the task for Windows 

There are two prospects for this year: a 4.1.3 maintenance release for some 
important maintenance-only items and the 4.2.0 feature release.  In either case 
it is likely that an update of any kind will be a year since the release of 
Apache OpenOffice 4.1.2.

If anyone wants to look into the issues of producing releases, I suggest you 
confirm the 4.1.2 release by compiling it from the source archive using the 
available build instructions and see how well you can replicate the released 
binary for the same platform.  Where we fall the most short is having enough 
folks who can do this for Windows and MacOSX, covering almost 95% of our user 
base [;<).

> Phil

To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Reply via email to