On 3/26/12 11:21 AM, xia zhao wrote:
2012/3/26 Jürgen Schmidt<[email protected]>
On 3/26/12 3:15 AM, Dennis E. Hamilton wrote:
TJ,
I was doing some nosing around and, based on some information on the
Community Forums (thank you Hagar), it looks like the settings are
controlled in a file called registrymodifications.xcu, at least on Windows.
The location will vary with different versions of windows.
On windows, you can find one under the installed-user profile, such as
Documents& Settings\orcmid\Application Data [a hidden file],
OpenOffice/3/user/**registrymodification.xcu for any install since the
AES256 has been instituted as default. the *.xcu is actually an XML file
and you can find the settings by searching for "blowfish" and for "SHA1".
How this works for Mac, Solaris, OS/2, and the various Linus and BSD
builds, I have no idea.
I think I have mentioned before that it is easy to provide an extension to
switch the relevant configuration settings.
As the release manger I will accept the issue as critical enough to change
the default back for 3.4. For AOO 4.0 we will switch the default again and
will provide a GUI to allow the user the change it more easily.
I give +1 for Juergen here, this issue is critical but I don't think it is
critical enough to block AOO 3.4 ship from QA view, for one software, one
new release may has some difference with previous release, even for the
same feature. I don't think this issue locates at changing the default
setting back for 3.4 or not, the point is which encryption algorithm is
more polular and buy in by users.
I am not sure, most users don't care about the technical details and
they will be simply confused if it won't work any more with older office
versions.
We should make it better in AOO 4.0 and allow more flexibility
But I agree offering user more flexibility by modifying the configuration
file etc is one good idea.
Lily
For 3.4 we provide a mini extension that switch the default back to AES for
users who prefer this encryption algorithm.
I put a small oxt together, you can find it under
http://people.apache.org/~jsc/extensions/ODF12-Default-encryption-AES256-cbc.oxt
Feel free to test it, it should work in AOO3.4 only (in contains a
minimal and maximal version dependency)
Juergen
Juergen
- Dennis
-----Original Message-----
From: TJ Frazier [mailto:[email protected]]
Sent: Friday, March 23, 2012 11:26
To: [email protected]
Subject: Re: [RELEASE,CODE]: Bug 119090 - Default Encryption Fails for
Down-Level Implementations
[ ... ]
... options to consider:
3. User change to config file, to use the new option.
I have suggested a writeup on this, but such instructions are much
better aimed at the (few?) users who want the "latest and greatest"
security option, and will do a little work to get it. (Does anybody know
what that file name is? Given that, I volunteer to update the Release
Notes.)
4. Macro to toggle the settings.
This could be distributed in a BASIC library (new or existing); no
extension necessary. User instructions to find and run the macro are
simple. I may be able to write this; preliminary investigation is
promising but not certain. I volunteer to try. There are several real
experts on this list, whom I might ask for help.
/tj/
[1]
https://issues.apache.org/ooo/**show_bug.cgi?id=119090<https://issues.apache.org/ooo/show_bug.cgi?id=119090>
On 19.03.2012 14:48, Jürgen Schmidt wrote:
On 3/19/12 2:16 PM, TJ Frazier wrote:
On 3/19/2012 08:48, Jürgen Schmidt wrote:
Hi,
I think issue 119090 is no show stopper from my point of view. The new
default provides a better security than before when I understand it
correct. And if people detect potential problems they can save the
document again with other settings.
I agree that this is important for interoperability but no show
stopper.
Any other opinion?
Juergen
Hi, Jürgen,
Like Dennis, I'm nervous about this. Perhaps we can handle it with a
mention in the Release Notes; something like,
PLEASE NOTE: the default options for [technical details here] should
provide your best /individual/ security. However, if you intend to
share
the document in secure fashion, the default mode cannot be read by
* previous versions of OpenOffice.org
* current versions of LibreOffice, at least through [version]
* Ms Office [version info]
For compatibility, use the options [details here].
I agree that it make sense to mention it in the release notes.
Any volunteer for updating the release notes?
Juergen
