Hi all,
On 22.12.20 20:24, Dave Fisher wrote:
Hi -
On Dec 22, 2020, at 7:37 AM, Jörg Schmidt <joe...@j-m-schmidt.de> wrote:
-----Original Message-----
From: Marcus [mailto:marcus.m...@wtnet.de]
Sent: Tuesday, December 22, 2020 12:37 PM
To: dev@openoffice.apache.org
Subject: Re: Security vulnerabilities in AOO?
To do this, I need to acquire factual knowledge, and also
understand which criticism is based on facts and which is
(possibly) just based on anti-AOO marketing.
I don't understand why you try to answer these things. It's absolutely
OK when you go the easy way and just point them to the security@ mailing
list.
1.
Especially because I'm paid professionally as an IT consultant to answer
questions like this for my customers.
Do you think customers who hear from others that AOO is supposedly insecure
because it doesn't fix security problems quickly, would be pleased if I
referred them to security@?
The purpose of secur...@openoffice.apache.org
<mailto:secur...@openoffice.apache.org> is for security issues to be reported
so that AOO PMC members are aware of the issue and can discuss the bug and fix with
the reporter. The discussion includes the timing of disclosure.
AOO shares a security list with the TDF - officesecur...@lists.freedesktop.org
<mailto:officesecur...@lists.freedesktop.org> - we see any discussions there on
security@openoffice. LO's security issues are not always ours.
The best way to increase the frequency of any security fixes is to increase the
frequency of minor releases.
Nononono. We have round about 1 security incident within one year. At
least that has been the statistical case during the time I was involved
with security (2017 - 2020). There is no hint that we need more minor
releases because of security. More minor releases would automatically
come if we fixed more stuff. However, we are usually fixing things in
the second half of the year. So it all ends up in this one end-of-year
release we schedule.
There is a lot of software in the open-source and non-open-source
environment which does not close all issues within the disclosure time.
Does that make software insecure? The type of open issue makes software
insecure, and the ability to install it on a system. Just think about
the security discussion within the Android environment for a minute.
We have fixed all big published issues. Maybe not within industry
expectations, but they are fixed. And we make the fix available to
over 90 percent of our users. I think in the end we provide a good
service for OpenOffice users, by our standards.
The standards the people raise can only be upheld if they are paid for.
Only then you have the resources to work on time. LO is doing this with
their substantial business arm. Mainly Collabora and Red Hat are
involved. If those two players would stop their engagement, it would be
a major impact on the LO side. I want to loosely point here towards the
financial mail Michael Meeks has posted to the LO dev list, in order to
underline how little of this is a free lunch. We can set up a security
service if there is interest / need. I have been looking into this since
Rafael tried to set up a business arm. And I have different pieces I can
follow up, all I need are interested founders for a security service
for AOO in order to see how big the funds are and what the most
efficient method is to reach the goal.
So if someone says download LO without paying for the service because
it is more secure, then they are damaging the LO service which is making
this possible. I say if you need or want industry-promised security you
have to pay the industry. And then a sentence like "everything that does
not uphold an industry security standard is insecure" means everything
that you do not pay money for is insecure. Which has been a long-standing
argument against open source for ages. It is just a new flavor of an old
argument.
My 2 cents.
Peter
--
This is the Way! http://www.apache.org/theapacheway/index.html