https://issues.apache.org/ooo/show_bug.cgi?id=119090
--- Comment #19 from orcmid <[email protected]> 2012-03-23 06:13:30 UTC --- (In reply to comment #10) > Thinking on this a little more. > At some point we need to change to AES and at that point we will break compat > with earlier editors. We cannot avoid that. We can only delay that. > But delay does have some value. We can seed the install base with the ability > to read AES files,and do that for a release or two before we enable AES as the > default for writing. So then in the future, when we make AES the default for > writing, the older versions (at least 3.4+) have the ability to read them as > well. > I have no idea whether changing the default is easy or hard, or whether any > one > volunteers to do this. But it is one possible approach. > The user could then change the default via the configuration option. Since you were looking for a volunteer, I dug through the SVN and found the place where the defaults can be changed with ease. I submitted the patch that makes it so. I have seen no review of the patch (which I requested just to be on the safe side). Now the question seems to be whether or not the change of the default is desirable or not. I claim that it is for interoperability reasons. There is no basis for assuming that switching from Blowfish CFB to AES256 CBC does anything to reduce the actual vulnerabilities and the cost to interoperability is quite high if there is no staging and means to gradual switch-over. How do we resolve this? -- Configure bugmail: https://issues.apache.org/ooo/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
