Regression tests?

2016-03-28 Thread Patricia Shanahan
I have a few simple changes I would like to check in. Before doing that, 
I would normally run regression tests against my working copy. In any 
case, as one of the few people who are building on Windows, I should 
test early, test often.


What tests do people normally run to check that changes do not have 
unintended consequences?


Thanks,

Patricia

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org



upgrading serf

2016-03-28 Thread Don Lewis
I was just looking at what it would take to upgrade our bundled version
of serf.  It turns out to be a bit complicated because recent versions
of serf use scons to build.





RE: Release Manager for 4.2.0?

2016-03-28 Thread Dennis E. Hamilton


> -Original Message-
> From: Don Lewis [mailto:truck...@apache.org]
> Sent: Monday, March 28, 2016 15:32
> To: dev@openoffice.apache.org
> Cc: dennis.hamil...@acm.org
> Subject: Re: Release Manager for 4.2.0?
> 
> On 28 Mar, Dennis E. Hamilton wrote:
> > Commenting just on document signing ...
> >
> >> -Original Message-
> >> From: Pedro Giffuni [mailto:p...@apache.org]
> >> Sent: Monday, March 28, 2016 13:48
> >> To: OOo Apache 
> >> Subject: Re: Release Manager for 4.2.0?
> > [ ... ]
> >>
> >> [ ... ] I am unsure about what in OpenOffice
> >> uses the new cyphers. I think OpenSSL is used for signing documents:
> >> when we update OpenSSL will AOO automatically accept more signing
> >> options? I would expect browsers will bring their own SSL
> >> implementations.
> > [orcmid]
> >
> > The document signature support in Apache OpenOffice is based on XML
> > Digital Signatures Second Edition,
> > . This has
> > nothing to do with communications via secure sockets of course.
> > Granted that OpenSSL provides library functions for more than that,
> > there is still very limited use for signing documents.
> >
> > X.509 digital certificates are employed.  XAdES extensions may be used
> > (impacting metadata information mainly and only implemented by
> > Microsoft in ODF as far as I know).  Depending on the platform the
> > operating-system secure store for the signing key will usually be
> > employed, so there is operating-system integration.  (This is
> > definitely true for Windows.)
> 
> OpenSSL also provides libcrypto which contains functions for creating,
> validating, and using certificates.  It uses some of this functionality
> to verify that a secure socket connection is actually connected to the
> desired remote endpoint.  I've used the openssl command line tool to
> produce a certificate that was used to authenticate a connection from a
> local application to a remote service.
> 
> There seems to be a standard place to store certificates under a user's
> home directory in the *nix world.  A while back I signed up for a
> service that requires updates from me to be signed with a certificate
> that they created for me and that my browser downloaded and stashed away
> somewhere.  When I tried signing a document with OpenOffice, it found
> this certificate and offered it as a choice for signing.
> 
> Since OpenOffice also uses curl, which is used for downloading files,
> and curl uses OpenSSL, it looks like OpenOffice depends on OpenSSL for
> secure downloads.  I don't know if it downloads anything other than
> extensions and updates.
[orcmid] 

That's useful to know.

Apache OpenOffice doesn't generate any client-side certificates, but it does 
use certs it can find for signing documents.  

I suspect, for secure downloads, AOO only works with the cert from the server, 
HTTPS-style.



Re: Release Manager for 4.2.0?

2016-03-28 Thread Don Lewis
On 28 Mar, Kay Schenk wrote:
> 
> 
> On 03/27/2016 03:37 PM, Don Lewis wrote:
>> On 27 Mar, Andrea Pescetti wrote:
>>> On 29/01/2016 Andrea Pescetti wrote:
>>>> For 4.2.0 we need a Release Manager. I would prefer NOT to be the
>>>> Release Manager for 4.2.0 since I'm finding that in this period I can
>>>> help more productively with tasks that do not require constant
>>>> interaction ...
>>>> I am surely available to have a significant role in the 4.2.0 release
>>>
>>> A few days after writing this, almost 2 months ago, sudden events left 
>>> me incapacitated to make any significant contributions until very 
>>> recently. I'm still unable to make long-term commitments.
>>>
>>> Anyway, there are some issues we need to get done as a team before 
>>> appointing a release manager makes sense:
>>>
>>> 1) Enough code. Done. The merge of the recent gbuild work totally 
>>> justifies a 4.2.0 release. Also, in 4.1.2 we only included a tiny 
>>> fraction of the fixes that (at that time) were available on trunk. So 
>>> here we are already OK, and we've been OK for months.
>> 
>> Some of the external software that is bundled has security issues.  I
>> put together a patch for nss here:
>> .
>> 
>> The version of libxml currently bundled also has a lot of known
>> vulnerabilities.  I'm currently testing a patch.
>> 
>> These both need review and testing.
> 
> Ok, I'll keep my eyes open for the libxml patch and test
> with your already supplied nss patch.

I filed a PR with the libxml patch late yesterday:


As an added bonus, here is the curl patch:






Re: Release Manager for 4.2.0?

2016-03-28 Thread Kay Schenk


On 03/27/2016 03:37 PM, Don Lewis wrote:
> On 27 Mar, Andrea Pescetti wrote:
>> On 29/01/2016 Andrea Pescetti wrote:
>>> For 4.2.0 we need a Release Manager. I would prefer NOT to be the
>>> Release Manager for 4.2.0 since I'm finding that in this period I can
>>> help more productively with tasks that do not require constant
>>> interaction ...
>>> I am surely available to have a significant role in the 4.2.0 release
>>
>> A few days after writing this, almost 2 months ago, sudden events left 
>> me incapacitated to make any significant contributions until very 
>> recently. I'm still unable to make long-term commitments.
>>
>> Anyway, there are some issues we need to get done as a team before 
>> appointing a release manager makes sense:
>>
>> 1) Enough code. Done. The merge of the recent gbuild work totally 
>> justifies a 4.2.0 release. Also, in 4.1.2 we only included a tiny 
>> fraction of the fixes that (at that time) were available on trunk. So 
>> here we are already OK, and we've been OK for months.
> 
> Some of the external software that is bundled has security issues.  I
> put together a patch for nss here:
> .
> 
> The version of libxml currently bundled also has a lot of known
> vulnerabilities.  I'm currently testing a patch.
> 
> These both need review and testing.

Ok, I'll keep my eyes open for the libxml patch and test
with your already supplied nss patch.


> 
> The versions of openssl and curl badly need updating for the same
> reason, and there is one CVE for serf.
> 
> There is a CVE for raptor-1.4.18, but I believe there was a cherry
> picked patch committed for that.
> 
> There are likely to be vulnerabilities in the bundled version of
> silgraphite, but it has been unmaintained upstream for quite some time.
> Ideally we would switch to Graphite2, but the API is radically different
> and this looks difficult.  The unattractive alternative is to look at
> the additional sanity checks added in recent Graphite2 commits and try
> to retrofit those into silgraphite.
> 
> 
> 

-- 

MzK

"Time spent with cats is never wasted."
   -- Sigmund Freud




Re: Release Manager for 4.2.0?

2016-03-28 Thread Don Lewis
On 28 Mar, Dennis E. Hamilton wrote:
> Commenting just on document signing ...
> 
>> -Original Message-
>> From: Pedro Giffuni [mailto:p...@apache.org]
>> Sent: Monday, March 28, 2016 13:48
>> To: OOo Apache 
>> Subject: Re: Release Manager for 4.2.0?
> [ ... ]
>> 
>> [ ... ] I am unsure about what in OpenOffice
>> uses the new cyphers. I think OpenSSL is used for signing documents:
>> when we update OpenSSL will AOO automatically accept more signing
>> options? I would expect browsers will bring their own SSL
>> implementations.
> [orcmid] 
> 
> The document signature support in Apache OpenOffice is based on XML
> Digital Signatures Second Edition,
> . This has
> nothing to do with communications via secure sockets of course. 
> Granted that OpenSSL provides library functions for more than that,
> there is still very limited use for signing documents.
> 
> X.509 digital certificates are employed.  XAdES extensions may be used
> (impacting metadata information mainly and only implemented by
> Microsoft in ODF as far as I know).  Depending on the platform the
> operating-system secure store for the signing key will usually be
> employed, so there is operating-system integration.  (This is
> definitely true for Windows.)

OpenSSL also provides libcrypto which contains functions for creating,
validating, and using certificates.  It uses some of this functionality
to verify that a secure socket connection is actually connected to the
desired remote endpoint.  I've used the openssl command line tool to
produce a certificate that was used to authenticate a connection from a
local application to a remote service.

There seems to be a standard place to store certificates under a user's
home directory in the *nix world.  A while back I signed up for a
service that requires updates from me to be signed with a certificate
that they created for me and that my browser downloaded and stashed away
somewhere.  When I tried signing a document with OpenOffice, it found
this certificate and offered it as a choice for signing.

Since OpenOffice also uses curl, which is used for downloading files,
and curl uses OpenSSL, it looks like OpenOffice depends on OpenSSL for
secure downloads.  I don't know if it downloads anything other than
extensions and updates.








RE: Release Manager for 4.2.0?

2016-03-28 Thread Dennis E. Hamilton
Commenting just on document signing ...

> -Original Message-
> From: Pedro Giffuni [mailto:p...@apache.org]
> Sent: Monday, March 28, 2016 13:48
> To: OOo Apache 
> Subject: Re: Release Manager for 4.2.0?
[ ... ]
> 
> [ ... ] I am unsure about what in OpenOffice
> uses the new cyphers. I think OpenSSL is used for signing documents:
> when we update OpenSSL will AOO automatically accept more signing
> options? I would expect browsers will bring their own SSL
> implementations.
[orcmid] 

The document signature support in Apache OpenOffice is based on XML Digital 
Signatures Second Edition, 
. This has nothing to do 
with communications via secure sockets of course.  Granted that OpenSSL 
provides library functions for more than that, there is still very limited use 
for signing documents.

X.509 digital certificates are employed.  XAdES extensions may be used 
(impacting metadata information mainly and only implemented by Microsoft in ODF 
as far as I know).  Depending on the platform the operating-system secure store 
for the signing key will usually be employed, so there is operating-system 
integration.  (This is definitely true for Windows.)

Basically, SHA-1 digests of each part within the ODF package (a Zip) are 
incorporated in the signature file in a  element.  That element is 
effectively what is signed using method RSA-SHA1.  The  element 
provides the encrypted details by which the  can be verified.  This 
information can be decrypted and checked using the public key certificate of 
the signer that is included in the signature file.  (These certificates have 
their own cryptographic verification.)

There are no other methods for the signature data and its signing.

PS. The encryption of ODF files is very different and independent of the 
signature mechanism.  It is password-based and it uses Blowfish 8-bit CFB mode 
by default, encrypting each part of the ODF package separately.  Signing of 
encrypted files is done after encryption.  There is an optional AES-256 usage 
as well.  That is not produced by Apache OpenOffice.  


> 
> TBH, when I updated OpenSSL in AOO, I intentionally didn't upgrade it
> further because the newer versions have more code but also more
> vulnerabilities, therefore the expected maintenance cost would be
> higher.  The FreeBSD 9.x updates are only a temporary workaround.
> Now that upstream is not maintaining the older 0.9.8 version
> it probably makes sense to reconsider upgrading.
> 
> Pedro.
> 
> 
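Added example, not part of the original message or of Apache OpenOffice's code: a Python sketch of the per-part digest check described above, using the `Reference`, `DigestMethod` and `DigestValue` element names from the XML Digital Signature specification. It assumes the signature file is `META-INF/documentsignatures.xml`, runs on a constructed sample package, and does not verify the RSA-SHA1 signature or the certificate; parts whose reference carries a transform are reported rather than checked.

```python
import base64, hashlib, io, zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"
C14N_URI = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
SIG_PART = "META-INF/documentsignatures.xml"  # assumed location of the signature file


def check_part_digests(odf_bytes):
    """Map each package part to ok / mismatch / missing / needs-transform /
    unsupported-digest / unsigned, using the Reference digests in SIG_PART."""
    status = {}
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        parts = {n for n in pkg.namelist() if not n.endswith("/")}
        # For untrusted files, parse with a hardened XML parser instead.
        root = ET.fromstring(pkg.read(SIG_PART))
        for ref in root.iter(DS + "Reference"):
            uri = ref.get("URI", "")
            if not uri or uri.startswith("#"):
                continue  # same-document reference, not a package part
            part = unquote(uri)
            method = ref.find(DS + "DigestMethod")
            if part not in parts:
                status[part] = "missing"
            elif ref.find(DS + "Transforms") is not None:
                # The digest covers the transformed (canonicalised) bytes; not redone here.
                status[part] = "needs-transform"
            elif method is None or method.get("Algorithm") != SHA1_URI:
                status[part] = "unsupported-digest"
            else:
                want = base64.b64decode(ref.findtext(DS + "DigestValue", ""))
                got = hashlib.sha1(pkg.read(part)).digest()
                status[part] = "ok" if got == want else "mismatch"
        for part in parts - set(status) - {SIG_PART}:
            status[part] = "unsigned"  # in the Zip but covered by no digest
    return status


def _ref(uri, data, transform=False):
    """Build one constructed Reference element holding the SHA-1 of data."""
    t = f'<Transforms><Transform Algorithm="{C14N_URI}"/></Transforms>' if transform else ""
    digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
    return (f'<Reference URI="{uri}">{t}<DigestMethod Algorithm="{SHA1_URI}"/>'
            f'<DigestValue>{digest}</DigestValue></Reference>')


def build_sample(tamper=False):
    """Constructed ODF-like package; SignatureValue and KeyInfo are omitted."""
    files = {"mimetype": b"application/vnd.oasis.opendocument.text",
             "content.xml": b"<doc>hello</doc>",
             "Pictures/logo.png": b"\x89PNG constructed bytes"}
    refs = "".join(_ref(n, d, transform=n.endswith(".xml")) for n, d in files.items())
    sig = ('<document-signatures xmlns="urn:oasis:names:tc:opendocument:xmlns:'
           'digitalsignature:1.0"><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
           f'<SignedInfo>{refs}</SignedInfo></Signature></document-signatures>')
    if tamper:
        files["Pictures/logo.png"] += b"!"   # changed after the digests were taken
        files["Basic/extra.xml"] = b"<x/>"   # added after the digests were taken
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in {**files, SIG_PART: sig.encode()}.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for tampered in (False, True):
        print(tampered, check_part_digests(build_sample(tamper=tampered)))
```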



Re: Release Manager for 4.2.0?

2016-03-28 Thread Don Lewis
On 28 Mar, Pedro Giffuni wrote:
> Hi Don;
> 
>> On 28 Mar, Pedro Giffuni wrote:
>> > In reply to Don,
>>
>> >> The versions of openssl and curl badly need updating for the same
>> >> reason, and there is one CVE for serf.
>> >
>> > FreeBSD casually keeps some backported updates for the same openssl
>> > version AOO uses:
>> >
>> > https://svnweb.freebsd.org/base/stable/9/crypto/openssl/?view=log
>> >
>> > It should be pretty straightforward to take them from there and use them
>> > into
>> > main/openssl with minor adaptions.
>>
>> That would fix only part of the problem.  The other part of the problem
>> is that the version of openssl that we currently bundle doesn't
>> implement the newer and more secure protocols and ciphers.  The older
>> and less secure ones are gradually getting disabled on the server side.
>>
>> For instance, my only copy of Windows is XP, and the last version of IE
>> released for XP can no longer connect to some web sites because they
>> have disabled all of the protocols that IE supports.
>>
> 
> That is a valid concern, however I am unsure about what in OpenOffice
> uses the new cyphers. I think OpenSSL is used for signing documents:
> when we update OpenSSL will AOO automatically accept more signing
> options? I would expect browsers will bring their own SSL
> implementations.

I don't know what OpenOffice uses it for, either, but I would expect
that it also gets used for downloading extensions.  I hadn't even
thought about signatures.  That's something I haven't exercised at
all.

> TBH, when I updated OpenSSL in AOO, I intentionally didn't upgrade it
> further because the newer versions have more code but also more
> vulnerabilities, therefore the expected maintenance cost would be
> higher.  The FreeBSD 9.x updates are only a temporary workaround.
> Now that upstream is not maintaining the older 0.9.8 version
> it probably makes sense to reconsider upgrading.

And using FreeBSD 9.x as a patch source will not work past the end of
this year because of the FreeBSD 9 EOL.

The FreeBSD OpenOffice port uses --with-system-openssl, and when I build
it for my own use, I set WITH_OPENSSL_PORT=yes, so I am always using the
latest and greatest openssl release.  I haven't run into any problems
with it.  I just signed a document with it ;-)






Re: Let's fix the Windows build bots

2016-03-28 Thread Andrea Pescetti

On 01/02/2016 j.nitschke wrote:

> But a global haltOnFailure would stop the build at 'svn info' step.
> About the 'svn info' step, this one stopped working ...


And we are back here, it seems. With the HTTPS fixes now in place, all 
the Linux and FreeBSD buildbots completed their build successfully, 
while the Windows one ran build --all but then suddenly stopped almost 
at the end, after delivering sc


https://ci.apache.org/builders/aoo-win7/builds/231/steps/build.pl%20--all/logs/stdio
command timed out: 2 seconds without output, killing pid 13888

and today it stopped at a very early stage that you had already fixed, 
the "svn info":


https://ci.apache.org/builders/aoo-win7/builds/232/steps/svn%20export/logs/stdio
Inappropriate ioctl for device

Jochen, Damjan, do you remember how you fixed it back at the time? Or 
was it handled in the chat session with pono Damjan mentions later in 
this thread (which would basically mean that it disappeared magically 
after a restart and some magic by Infra)?


Regards,
  Andrea.




Re: Release Manager for 4.2.0?

2016-03-28 Thread Pedro Giffuni

Hi Don;


> On 28 Mar, Pedro Giffuni wrote:
> > In reply to Don,
>
> >> The versions of openssl and curl badly need updating for the same
> >> reason, and there is one CVE for serf.
> >
> > FreeBSD casually keeps some backported updates for the same openssl
> > version AOO uses:
> >
> > https://svnweb.freebsd.org/base/stable/9/crypto/openssl/?view=log
> >
> > It should be pretty straightforward to take them from there and use them
> > into
> > main/openssl with minor adaptions.
>
> That would fix only part of the problem.  The other part of the problem
> is that the version of openssl that we currently bundle doesn't
> implement the newer and more secure protocols and ciphers.  The older
> and less secure ones are gradually getting disabled on the server side.
>
> For instance, my only copy of Windows is XP, and the last version of IE
> released for XP can no longer connect to some web sites because they
> have disabled all of the protocols that IE supports.



That is a valid concern, however I am unsure about what in OpenOffice
uses the new cyphers. I think OpenSSL is used for signing documents:
when we update OpenSSL will AOO automatically accept more signing
options? I would expect browsers will bring their own SSL
implementations.

TBH, when I updated OpenSSL in AOO, I intentionally didn't upgrade it
further because the newer versions have more code but also more
vulnerabilities, therefore the expected maintenance cost would be
higher.  The FreeBSD 9.x updates are only a temporary workaround.
Now that upstream is not maintaining the older 0.9.8 version
it probably makes sense to reconsider upgrading.

Pedro.





Re: Release Manager for 4.2.0?

2016-03-28 Thread Don Lewis
On 28 Mar, Pedro Giffuni wrote:
> In reply to Don,

>> The versions of openssl and curl badly need updating for the same
>> reason, and there is one CVE for serf.
> 
> FreeBSD casually keeps some backported updates for the same openssl 
> version AOO uses:
> 
> https://svnweb.freebsd.org/base/stable/9/crypto/openssl/?view=log
> 
> It should be pretty straightforward to take them from there and use them 
> into
> main/openssl with minor adaptions.

That would fix only part of the problem.  The other part of the problem
is that the version of openssl that we currently bundle doesn't
implement the newer and more secure protocols and ciphers.  The older
and less secure ones are gradually getting disabled on the server side.

For instance, my only copy of Windows is XP, and the last version of IE
released for XP can no longer connect to some web sites because they
have disabled all of the protocols that IE supports.





Re: Release Manager for 4.2.0?

2016-03-28 Thread Pedro Giffuni

In reply to Don,

FWIW, On the topic of updates
...

> Some of the external software that is bundled has security issues.  I
> put together a patch for nss here:
> .
>
> The version of libxml currently bundled also has a lot of known
> vulnerabilities.  I'm currently testing a patch.
>
> These both need review and testing.
>
> The versions of openssl and curl badly need updating for the same
> reason, and there is one CVE for serf.


FreeBSD casually keeps some backported updates for the same openssl 
version AOO uses:


https://svnweb.freebsd.org/base/stable/9/crypto/openssl/?view=log

It should be pretty straightforward to take them from there and use them into
main/openssl with minor adaptions.

Pedro.




OpenOffice.org

2016-03-28 Thread Jac Schamberger
The software is not as compatible as Microsoft Office 10 Excel for Data
Sheets. I have just completed a University class on Excel and cannot use
this program for what I have just learned. Microsoft Office 10 has so many
short cuts that OpenOffice.org Data Sheet cannot come close to the short
cuts. I tried it and it is nowhere near as easy as Microsoft Office 10. I
will not use it.

Sincerely,

Jodi Schamberger


Re: Releasing the Apache OpenOffice API plugin for NetBeans

2016-03-28 Thread Carl Marcum

On 03/27/2016 10:59 PM, Patricia Shanahan wrote:
> On 3/27/2016 3:53 PM, Carl Marcum wrote:
>> On 03/27/2016 05:01 PM, Patricia Shanahan wrote:
>>> On 3/27/2016 12:26 PM, Andrea Pescetti wrote:
>>>> ...
>>>> When we have three PMC members willing to commit to voting (at due time)
>>>> on the NetBeans plugin, this discussion will make sense. Otherwise we
>>>> are wasting our time.
>>>
>>> I generally have at least one Windows box with Netbeans installed, so
>>> I should be able to participate.
>>
>> That's great. You will need v. 8.1
>
> Got v. 8.1 installed.
>
> I would like to attempt a build and test from what you now have. Is
> there a Wiki how-to page? If not, should we be constructing one?
>
> Patricia


Hi Patricia,

Thanks for working on this.

The wiki page is here [1]  the source is here [2].

Open in NetBeans, it's a NetBeans project.
RMB on project and "Create NBM"

You can then install the NBM file into NetBeans and test.

The version may not have been bumped yet.  Sorry I don't have time to check.

The wiki page could use some love. I haven't had a chance to document 
the build.



[1] https://wiki.openoffice.org/wiki/OpenOffice_NetBeans_Integration
[2] 
https://svn.apache.org/repos/asf/openoffice/devtools/netbeansintegration/trunk/


Thanks,
Carl




AOO Design Patterns

2016-03-28 Thread Lalith Ramesh
Dev List,

I was browsing through the code on Fisheye, and I noticed some interesting
design patterns that were in use.
For example, errobject.hxx has a public factory method to make new
ErrObjects, but the constructors are not marked as public.
What was the motivation behind this design decision?