Clytie Siddall wrote:
Hi Clytie,
> I suppose we can simply say "it's not our problem as QA", but I
> personally am quite worried about the lack of information on the
> security page above. The latest advisory is dated June last year, and
> the last two security problems affecting OpenOffice.org are not
> mentioned at all.
> This affects our users, and it affects their perception of
> OpenOffice.org. Surely I am not the only member of the QA team who is
> bothered by this?
> Regardless of our sub-project(s) within OpenOffice.org, sloppy security
> makes us all look bad.
Yes, I agree, the absence of visible and regularly updated security
information does look bad, and the fact that there was almost nothing
about the latest security fixes is worrying as far as I'm concerned.
On the other hand, this bug is in the JRE and not OOo, even if we supply
the JRE bundled, so I would also agree that this is not really our
problem. OOo can run without the JRE (albeit with limited
functionality), but it does not depend on the JRE for
importing/exporting GIF format images (at least not to my knowledge, I
believe these filters are still C++ coded). I feel it would be difficult
and probably even impossible to post security warnings about every
potential flaw in connected software that could interact with OOo. How
would one approach, say, the discovery of a flaw in Python that could
be abused to attack OOo? (Not talking about a flaw in the pyuno bridge
here.) Or Delphi? I'm still of the opinion that we must be more visible
and responsive to our own flaws first, before we can even dream about
issuing notices of security problems in connected software programs.
Just my 2 cents, but an interesting discussion all the same.
Alex