On 3/26/12 3:15 AM, Dennis E. Hamilton wrote:
TJ,
I was doing some nosing around and, based on some information on the Community
Forums (thank you Hagar), it looks like the settings are controlled in a file
called registrymodifications.xcu, at least on Windows. The location will vary
with different versions of windows.
On windows, you can find one under the installed-user profile, such as Documents&
Settings\orcmid\Application Data [a hidden file], OpenOffice/3/user/registrymodification.xcu for any
install since the AES256 has been instituted as default. the *.xcu is actually an XML file and you can
find the settings by searching for "blowfish" and for "SHA1".
How this works for Mac, Solaris, OS/2, and the various Linus and BSD builds, I
have no idea.
I think I have mentioned before that it is easy to provide an extension
to switch the relevant configuration settings.
As the release manger I will accept the issue as critical enough to
change the default back for 3.4. For AOO 4.0 we will switch the default
again and will provide a GUI to allow the user the change it more easily.
For 3.4 we provide a mini extension that switch the default back to AES
for users who prefer this encryption algorithm.
Juergen
- Dennis
-----Original Message-----
From: TJ Frazier [mailto:[email protected]]
Sent: Friday, March 23, 2012 11:26
To: [email protected]
Subject: Re: [RELEASE,CODE]: Bug 119090 - Default Encryption Fails for
Down-Level Implementations
[ ... ]
... options to consider:
3. User change to config file, to use the new option.
I have suggested a writeup on this, but such instructions are much
better aimed at the (few?) users who want the "latest and greatest"
security option, and will do a little work to get it. (Does anybody know
what that file name is? Given that, I volunteer to update the Release
Notes.)
4. Macro to toggle the settings.
This could be distributed in a BASIC library (new or existing); no
extension necessary. User instructions to find and run the macro are
simple. I may be able to write this; preliminary investigation is
promising but not certain. I volunteer to try. There are several real
experts on this list, whom I might ask for help.
/tj/
[1] https://issues.apache.org/ooo/show_bug.cgi?id=119090
On 19.03.2012 14:48, Jürgen Schmidt wrote:
On 3/19/12 2:16 PM, TJ Frazier wrote:
On 3/19/2012 08:48, Jürgen Schmidt wrote:
Hi,
I think issue 119090 is no show stopper from my point of view. The new
default provides a better security than before when I understand it
correct. And if people detect potential problems they can save the
document again with other settings.
I agree that this is important for interoperability but no show
stopper.
Any other opinion?
Juergen
Hi, Jürgen,
Like Dennis, I'm nervous about this. Perhaps we can handle it with a
mention in the Release Notes; something like,
PLEASE NOTE: the default options for [technical details here] should
provide your best /individual/ security. However, if you intend to share
the document in secure fashion, the default mode cannot be read by
* previous versions of OpenOffice.org
* current versions of LibreOffice, at least through [version]
* Ms Office [version info]
For compatibility, use the options [details here].
I agree that it make sense to mention it in the release notes.
Any volunteer for updating the release notes?
Juergen
