Re: Hyperlink Warning Message
Hi All,

On 5/28/21 4:46 PM, Peter Kovacs wrote:
>
> On 28.05.21 22:04, Arrigo Marchiori wrote:
>> Hello all,
>>
>> replying to an older message in this thread.
>>
>> On Thu, May 13, 2021 at 07:23:16PM -0400, Carl Marcum wrote:
>>
>> [...]
>>> Hopefully we can collect the exceptions in the BZ issue noted in this thread
>>> and then agree on the direction.
>>>
>>> The few I see so far are:
>>> 1. in-document links beginning with #.
>>> 2. .uno:XXX links
>>> 3. Links to local files.
>>>
>>> I think all 3 are candidates but that's just me.
>>
>> I have bad news about number 1.
>>
>> Apparently, when the link is indicated as "#anchor", it is transformed
>> into "file://path/document.ods#anchor" and then passed to
>> SfxApplication::OpenDocExec_Impl()
>>
>> This means that if we want to have warning-less links to the same
>> document, then we may have to consider the file:// protocol possibly
>> safe. We should then rely on extensions.
>>
>> Surprisingly, the OpenDocument extensions do not seem to be included in
>> the standard list of safe extensions. Such list should be in
>> main/officecfg/registry/data/org/openoffice/Office/Security.xcu -- I
>> cannot recall who brought this to my attention and therefore I am
>> unable to credit him/her, I am sorry.
>>
>> Does anyone see any possible security issues in considering the
>> file:// protocol safe and deciding on the target file's extension
>> whether to show a warning or not?
>
> I would not go for file://.
>
> Can we go for a pattern derived from file://path/document.ods#anchor ?
>
> We had CVEs in the past working with file links, based odf definition
> and UNO. Maybe you can try the test files from those CVEs.

I think the file protocol as a hyperlink was considered safe by the office right up until this fix.

It seems the uno and file protocols were caught up in the fix and are the primary ones causing the users problems.

I don't believe either of these were the subject of the CVE that was fixed so I don't think we're harming that one.

I would think we could allow these at least for a test build while also going back and verifying the previous CVEs didn't get opened up.

Just my thoughts.

Carl

To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: Ubuntu 21.04 / dark mode
On 28/05/2021 Dave Fisher wrote:
>> https://bz.apache.org/ooo/show_bug.cgi?id=119096
> If the concern is a GPL build tool that we do not distribute (that is allowed) and what we distribute is PD w/ a Notice request then I don’t see any issue.

The concern, by reading comment 3 in the issue, https://bz.apache.org/ooo/show_bug.cgi?id=119096#c3 was about the license of the SVG files themselves.

And indeed anyone can check the commits in the issue and open, e.g., https://svn.apache.org/viewvc/incubator/ooo/trunk/main/ooo_custom_images/tango/res/lx03216.svg?revision=1162288=co=1302866 and then the source to see the GPL reference mentioned by Herbert (hdu) in the issue: http://creativecommons.org/licenses/GPL/2.0/; />

Now, it could be that icons were relicensed after they became part of OpenOffice. While Wikipedia is definitely not a trusted source, it talks about a public domain relicensing in 2009 due to the original terms being too restrictive. I tried opening an SVG from http://tango.freedesktop.org/releases/tango-icon-theme-0.8.90.tar.gz and indeed I can't see the GPL reference in the SVG any longer.

In short, a possible explanation should be: we were carrying GPL icons and deleted them due to license incompatibility, but in the meantime, and independently, those icons had been relicensed to avoid excessive restrictions; so they might be allowed now, even though we may want to find something nicer than Tango.

Regards,
Andrea.
Re: Ubuntu 21.04 / dark mode
Sorry for top posting:

The Tango Desktop Project says:

Though the tango-icon-theme package is released to the Public Domain, we ask that you still please attribute the Tango Desktop Project, for all the hard work we've done. Thanks.

see: http://tango.freedesktop.org/Tango_Desktop_Project

I am not sure if this is the same theme you are referring to.

On 28.05.21 21:14, Dave Fisher wrote:
>
>> On May 28, 2021, at 11:32 AM, Matthias Seidel wrote:
>>
>> Hi Pedro,
>>
>> On 27.05.21 at 11:33, Pedro Lino wrote:
>>> Hi Matthias
>>>> On 05/27/2021 9:35 AM Matthias Seidel wrote:
>>>> I asked a friend who is in graphic design and he spontaneously said
>>>> "Tango" [1].
>>>>
>>>> But I think we removed Tango from AOO? I wonder why, since it is Public
>>>> Domain...
>>> Excellent! And the tar.gz file includes all images as SVG so we can easily
>>> modify to create new PNGs in all sizes!
>>
>> Looked good on Ubuntu:
>> https://people.canonical.com/~doko/ooicons/diff_industrial_tango.html
>>
>>> I think someone read GPL (the naming utilities which we won't use) and
>>> panicked? Should we ask ASF bureaucrats before starting?
>>
>> It was removed just because of that... See:
>> https://bz.apache.org/ooo/show_bug.cgi?id=119096
>
> If the concern is a GPL build tool that we do not distribute (that is allowed) and what we distribute is PD w/ a Notice request then I don’t see any issue.
>
> I’d like to know if Jim concurs.
>
> All The Best,
> Dave
>
>> I think we need another icon theme.
>>
>> Regards,
>>
>> Matthias
>>
>>> Regards,
>>> Pedro

--
This is the Way! http://www.apache.org/theapacheway/index.html
Re: Hyperlink Warning Message
On 28.05.21 22:04, Arrigo Marchiori wrote:
> Hello all,
>
> replying to an older message in this thread.
>
> On Thu, May 13, 2021 at 07:23:16PM -0400, Carl Marcum wrote:
>
> [...]
>> Hopefully we can collect the exceptions in the BZ issue noted in this thread
>> and then agree on the direction.
>>
>> The few I see so far are:
>> 1. in-document links beginning with #.
>> 2. .uno:XXX links
>> 3. Links to local files.
>>
>> I think all 3 are candidates but that's just me.
>
> I have bad news about number 1.
>
> Apparently, when the link is indicated as "#anchor", it is transformed
> into "file://path/document.ods#anchor" and then passed to
> SfxApplication::OpenDocExec_Impl()
>
> This means that if we want to have warning-less links to the same
> document, then we may have to consider the file:// protocol possibly
> safe. We should then rely on extensions.
>
> Surprisingly, the OpenDocument extensions do not seem to be included in
> the standard list of safe extensions. Such list should be in
> main/officecfg/registry/data/org/openoffice/Office/Security.xcu -- I
> cannot recall who brought this to my attention and therefore I am
> unable to credit him/her, I am sorry.
>
> Does anyone see any possible security issues in considering the
> file:// protocol safe and deciding on the target file's extension
> whether to show a warning or not?

I would not go for file://.

Can we go for a pattern derived from file://path/document.ods#anchor ?

We had CVEs in the past working with file links, based odf definition and UNO. Maybe you can try the test files from those CVEs.

--
This is the Way! http://www.apache.org/theapacheway/index.html
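An added sketch, not OpenOffice code and not part of any message in this thread, of the two checks discussed above: the same-document pattern for an expanded "#anchor" link, and the extension-based decision for other file:// targets. All function names, the sample URLs and the sample extension list are assumptions; passing an empty extension list leaves only the same-document pattern.

```cpp
// Added example; every name here is hypothetical, not OpenOffice source.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <string>

enum class LinkDecision { OpenSilently, Warn };

// Drop the "#fragment" part of a URL, if any.
static std::string stripFragment(const std::string& url) {
    return url.substr(0, url.find('#'));
}

// Lower-cased extension of the last path segment ("" when there is none).
static std::string extensionOf(const std::string& url) {
    const std::string path = stripFragment(url);
    const auto slash = path.find_last_of('/');
    const auto dot = path.find_last_of('.');
    if (dot == std::string::npos || (slash != std::string::npos && dot < slash))
        return "";
    std::string ext = path.substr(dot + 1);
    std::transform(ext.begin(), ext.end(), ext.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return ext;
}

LinkDecision classifyLink(const std::string& target, const std::string& currentDoc,
                          const std::set<std::string>& safeExtensions) {
    // Expanded "#anchor": has a fragment and is otherwise the open document.
    // Exact equality, so a document path hidden in the fragment does not match.
    if (target.find('#') != std::string::npos &&
        stripFragment(target) == stripFragment(currentDoc))
        return LinkDecision::OpenSilently;
    // Any other file:// target is decided by its extension (empty set: always warn).
    if (target.compare(0, 7, "file://") == 0 &&
        safeExtensions.count(extensionOf(target)) > 0)
        return LinkDecision::OpenSilently;
    return LinkDecision::Warn;
}

int main() {
    const std::string doc = "file:///home/u/document.ods";  // constructed sample
    const std::set<std::string> exts = {"ods", "odt"};      // assumed list
    for (const char* t : {"file:///home/u/document.ods#Sheet2",
                          "file:///home/u/run.sh#/home/u/document.ods"})
        std::cout << t << " -> "
                  << (classifyLink(t, doc, exts) == LinkDecision::Warn ? "warn" : "open")
                  << "\n";
}
```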
Re: Hyperlink Warning Message
Hello all,

replying to an older message in this thread.

On Thu, May 13, 2021 at 07:23:16PM -0400, Carl Marcum wrote:

[...]
> Hopefully we can collect the exceptions in the BZ issue noted in this thread
> and then agree on the direction.
>
> The few I see so far are:
> 1. in-document links beginning with #.
> 2. .uno:XXX links
> 3. Links to local files.
>
> I think all 3 are candidates but that's just me.

I have bad news about number 1.

Apparently, when the link is indicated as "#anchor", it is transformed into "file://path/document.ods#anchor" and then passed to SfxApplication::OpenDocExec_Impl()

This means that if we want to have warning-less links to the same document, then we may have to consider the file:// protocol possibly safe. We should then rely on extensions.

Surprisingly, the OpenDocument extensions do not seem to be included in the standard list of safe extensions. Such list should be in main/officecfg/registry/data/org/openoffice/Office/Security.xcu -- I cannot recall who brought this to my attention and therefore I am unable to credit him/her, I am sorry.

Does anyone see any possible security issues in considering the file:// protocol safe and deciding on the target file's extension whether to show a warning or not?

Best regards,
--
Arrigo
Re: Ubuntu 21.04 / dark mode
> On May 28, 2021, at 11:32 AM, Matthias Seidel wrote:
>
> Hi Pedro,
>
> On 27.05.21 at 11:33, Pedro Lino wrote:
>> Hi Matthias
>>> On 05/27/2021 9:35 AM Matthias Seidel wrote:
>>> I asked a friend who is in graphic design and he spontaneously said
>>> "Tango" [1].
>>>
>>> But I think we removed Tango from AOO? I wonder why, since it is Public
>>> Domain...
>> Excellent! And the tar.gz file includes all images as SVG so we can easily
>> modify to create new PNGs in all sizes!
>
> Looked good on Ubuntu:
> https://people.canonical.com/~doko/ooicons/diff_industrial_tango.html
>
>> I think someone read GPL (the naming utilities which we won't use) and
>> panicked? Should we ask ASF bureaucrats before starting?
>
> It was removed just because of that... See:
> https://bz.apache.org/ooo/show_bug.cgi?id=119096

If the concern is a GPL build tool that we do not distribute (that is allowed) and what we distribute is PD w/ a Notice request then I don’t see any issue.

I’d like to know if Jim concurs.

All The Best,
Dave

> I think we need another icon theme.
>
> Regards,
>
> Matthias
>
>> Regards,
>> Pedro
Re: Ubuntu 21.04 / dark mode
Hi Pedro,

On 27.05.21 at 11:33, Pedro Lino wrote:
> Hi Matthias
>> On 05/27/2021 9:35 AM Matthias Seidel wrote:
>> I asked a friend who is in graphic design and he spontaneously said
>> "Tango" [1].
>>
>> But I think we removed Tango from AOO? I wonder why, since it is Public
>> Domain...
> Excellent! And the tar.gz file includes all images as SVG so we can easily
> modify to create new PNGs in all sizes!

Looked good on Ubuntu:
https://people.canonical.com/~doko/ooicons/diff_industrial_tango.html

> I think someone read GPL (the naming utilities which we won't use) and
> panicked? Should we ask ASF bureaucrats before starting?

It was removed just because of that... See:
https://bz.apache.org/ooo/show_bug.cgi?id=119096

I think we need another icon theme.

Regards,

Matthias

> Regards,
> Pedro