Re: Where to find information about *.xcu schema (extension, dev, toolbar)

2016-04-07 Thread FR web forum

>Where to find information about *.xcu schema (extension, dev, toolbar)
Use this extension: http://wiki.services.openoffice.org/wiki/Extensions_Packager
Easy to produce OXT

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org



Re: Where to find information about *.xcu schema (extension, dev, toolbar)

2016-04-07 Thread Carl Marcum

On 04/07/2016 07:55 AM, Christian Giehl wrote:

> Hi,
>
> I'm currently working on a custom toolbar for my oo-extension. To
> create the visual appearance of the toolbar, I have to write an
> Addons.xcu file, which contains a custom xml. However, the tag names
> and attributes I found in the tutorial all across the www are not
> sufficient for my case and I stumbled across tags I never encountered
> anywhere before, e.g.
>
>

You can include 4 icons for the toolbar, these are for High Contrast.

The big one should be 26 x 26 and the small one 16 x 16.

Same for the two low contrast ones.

> or some attributes like oor:op="replace".
>
> Since I can't reliably figure out what these tags/attributes represent
> and how they are used I am in need for some kind of documentation. The
> only ref I've found so far is
> (https://wiki.openoffice.org/wiki/Documentation/DevGuide/WritingUNO/AddOns/Toolbars),
> but not all props/tags/attrs are listed there.
>
> I wonder if anyone of you guys can tell me how I can approach to these
> kinds of problems better. Is there a reference documentation I haven't
> found yet? How do I gain a clearer understanding of those tags without
> a documentation? I beg nobody says reverse engineering :D
>
> Thanks in advance!
>
> Chris


Hi Chris,

I'm not aware of a schema published anywhere but perhaps someone else may.

In the meantime I generated a sample Addons.xcu with the NetBeans 
plugin with some examples filled in.


To make it simpler I'll just post the text below..
--



http://openoffice.org/2001/registry"; 
xmlns:xs="http://www.w3.org/2001/XMLSchema"; oor:name="Addons" 
oor:package="org.openoffice.Office">

  

  

  
  AddOn Menu


  _self


  


  

com.example.nbaddon:Command0


  


  _self


  


  
  Command0

  

  


  

  Dummy


  

  com.example.nbaddon:Command0


  


  _self


com.sun.star.frame.Bibliography,com.sun.star.chart.ChartDocument,com.sun.star.sdb.OfficeDatabaseDocument,com.sun.star.drawing.DrawingDocument,com.sun.star.formula.FormulaProperties,com.sun.star.presentation.PresentationDocument,com.sun.star.sheet.SpreadsheetDocument,com.sun.star.text.TextDocument,com.sun.star.text.GlobalDocument


  
  Command0

  

  


  oor:op="replace">


  com.example.nbaddon:Command0


  

  
  

  
  
%origin%/../../../../../images/edit-cut.png
  
  

  

  
  
  


--

Please let me know if you have any questions.

Thanks,
Carl





Re: [DISCUSS] Cleanup needed for RESOLVED-FIXED issues

2016-04-07 Thread Kay Schenk
On Thu, Apr 7, 2016 at 9:59 AM, Marcus wrote:

> On 04/07/2016 06:35 PM, Dennis E. Hamilton wrote:
>
>> My only concern is that this is a giant CTR and pretty much assures that
>> the "R" will not happen.
>>
>
> yes, but especially with old issues I don't see a big problem here. Maybe
> for single issues. But IMHO this is no argument to keep every issue open
> and inspect them in all details. Then it's better to reopen some of them.
>

Ok, perhaps some misunderstanding here. What I'm asking for is assistance
in finding the RESOLVED-FIXED issues that actually were incorporated in a
release, and CLOSE them.

Some of them even have comments that the issue was checked against a
release, but they were not CLOSEd. I am NOT requesting that RESOLVED-FIXED
issues that did not make it to a release be closed. This would be
premature. Sorry for the misunderstanding.


> When it's "RESOLVED - FIXED", then I trust the status somehow and will
> only do some checks. But I don't put the resolution "FIXED" into doubt and
> do everything again that is listed in the issue.
>
> So be it.
>>
>> However, do not disable the issues mails for any reason.  There is a
>> difference between R not happening and R not being possible.
>>
>
> That's right.
>

The search I referenced in the first post has more than 1500 issues in the
RESOLVED-FIXED category.

Of these, some percentage should be CLOSEd. And yes, it's a bit of an
annoyance to get the emails, but I think it's worth it to keep better
records.

>
> Marcus
>
>
>
>
> -Original Message-
>>> From: Marcus [mailto:marcus.m...@wtnet.de]
>>> Sent: Thursday, April 7, 2016 02:10
>>> To: dev@openoffice.apache.org
>>> Cc: q...@openoffice.apache.org
>>> Subject: Re: [DISCUSS] Cleanup needed for RESOLVED-FIXED issues
>>>
>>> [ ... ]
>>
>>> I've closed all listed issues regarding our infrastructure (Website,
>>> Bugzilla, etc.). As you can see every single change results in a mail
>>> and will fill everybody's inbox - when you are subscribed to the issues@
>>> mailing list.
>>>
>>> There will be the possibility to disable mails when performing special
>>> actions (e.g., bulk issue changes) but not before release 6.0 [1]. At
>>> the moment we are at 5.0.2. So, it will take some more time. ;-(
>>>
>>> For the time being we have only the way to disable completely sending
>>> mails when we work on the issue. But this means that *absolutely no
>>> mails will be sent* regardless what was done (new issue, change,
>>> comments, closing, etc.).
>>>
>>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1062718
>>>
>>> Sorry for the spam. ;-)
>>>
>>> Marcus
>>>
>>


-- 
--
MzK

"Time spent with cats is never wasted."
-- Sigmund Freud


Apache OpenOffice Mailing List Statistics

2016-04-07 Thread Dennis E. Hamilton
[BCC to PMC]

The tabulation below provides the rate of mailing list usage for all of the public 
lists since Apache OpenOffice became a top-level project in November 2012.

The full, auditable compilation of the data can be found in the PDF at 
.

In the tabulation below, the list entries are in declining order by average 
monthly activity in 2015, with 2014 for tie-breakers.

        LIST  AVERAGE MONTHLY ACTIVITY

              2012  2013  2014  2015  2016Q1

        dev@  1266  1124   552   340     305
      users@   235   198   328   219     231
   users-de@    38   167   147    94     111
  utenti-it@    29    40    30    37      27
       i10n@   211   225   119    34      22
         qa@   150   127    71    16      25
        api@    30    35    20    15       2
        doc@     7    41    25    12      36
     dev-de@     0     0    42     6      12
 general-es@    34    24     9     4       5
  marketing@    63    87    18     3       5
progetto-it@    12    17     8     2       0
   users-fr@     1     4     6     0       0
 geral-ptbr@    21     5     1     0       0
 general-ja@     3     2     0     0       0

 - Dennis







Re: Cross Script vulnerabilities in AOo Extensions?

2016-04-07 Thread Fernando Cassia
On 4/7/16, toki wrote:
> All:
>
> In reading
> http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/
> is the same type of vulnerability possible with AOo extensions?
>
> jonathon

"By piggybacking off the capabilities of trusted third-party add-ons,
the malicious add-on faces much better odds of not being detected."

The spiral of restrictions only helps the #infosec rock stars continue
being in the spotlight and keep their jobs.

This is akin to someone "discovering" that forks and knives can be
used as lethal weapons. So let's restrict kitchenware. Better yet,
let's implement a security measure by tying the forks and knife to the
table  to restrict movement of the fork and knife only a few inches
from the dish. But then some "security researcher" will discover that
the wire can be cut by malicious users. So the rope will be replaced
by a steel wire.

Then one day one security researcher will discover that malicious
users can use the steel wire to strangle people.

This can go on ad-infinitum. Hey, just found that pens, those
innocuous devices used for writing and present in the pockets of
numerous geeks, can be taken by surprise by a bystander and poke you
in the eye!. This is a grave security vulnerability. Let's put all
pens under lock!.

#sarcasm
FC
-- 
During times of Universal Deceit, telling the truth becomes a revolutionary
act
Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto
Revolucionario
- George Orwell




Re: Cross Script vulnerabilities in AOo Extensions?

2016-04-07 Thread toki
On 07/04/2016 16:35, Dennis E. Hamilton wrote:

> Multi-component collaborative exploit staging is possible although
> unnecessary.

Rephrasing: For the time being, at least, one can "safely" ignore this
type of exploit, because other vectors are much easier to exploit.

Still, for those who are paranoid about security, this is yet another
cause for concern, for which they will have to create the appropriate
tools to verify the extension is not an exploit.

jonathon






Re: [DISCUSS] Cleanup needed for RESOLVED-FIXED issues

2016-04-07 Thread Marcus

On 04/07/2016 06:35 PM, Dennis E. Hamilton wrote:

> My only concern is that this is a giant CTR and pretty much assures that the
> "R" will not happen.

yes, but especially with old issues I don't see a big problem here. 
Maybe for single issues. But IMHO this is no argument to keep every 
issue open and inspect them in all details. Then it's better to reopen 
some of them.

When it's "RESOLVED - FIXED", then I trust the status somehow and will 
only do some checks. But I don't put the resolution "FIXED" into doubt 
and do everything again that is listed in the issue.

> So be it.
>
> However, do not disable the issues mails for any reason.  There is a difference
> between R not happening and R not being possible.

That's right.

Marcus




-Original Message-
From: Marcus [mailto:marcus.m...@wtnet.de]
Sent: Thursday, April 7, 2016 02:10
To: dev@openoffice.apache.org
Cc: q...@openoffice.apache.org
Subject: Re: [DISCUSS] Cleanup needed for RESOLVED-FIXED issues


[ ... ]

I've closed all listed issues regarding our infrastructure (Website,
Bugzilla, etc.). As you can see every single change results in a mail
and will fill everybody's inbox - when you are subscribed to the issues@
mailing list.

There will be the possibility to disable mails when performing special
actions (e.g., bulk issue changes) but not before release 6.0 [1]. At
the moment we are at 5.0.2. So, it will take some more time. ;-(

For the time being we have only the way to disable completely sending
mails when we work on the issue. But this means that *absolutely no
mails will be sent* regardless what was done (new issue, change,
comments, closing, etc.).

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1062718

Sorry for the spam. ;-)

Marcus





RE: Cross Script vulnerabilities in AOo Extensions?

2016-04-07 Thread Dennis E. Hamilton
Toki, thanks for your useful question.

Here are some factors to consider.

 1. The Apache OpenOffice project does not vet or review extensions and 
templates that are produced by third parties and downloadable from the 
SourceForge extension and template collections.  These are all "at your own 
risk." 

 2. To the extent that extensions and templates operate at the privilege level 
of the OpenOffice user, it is possible for extension code to accomplish 
malicious purposes.

 3. There is no sandbox for the operation of extensions generally: access to 
the internet, the desktop platform, and file systems are not constrained.
 
Basically, it does not require anything so elaborate as the bypassing of 
Firefox add-on protection described in the Ars Technica article.  
Multi-component collaborative exploit staging is possible although unnecessary.

Part of the problem is that the extension format goes back to OpenOffice.org 
1.x and a simpler world.  

There is also complacency and mythology about OpenOffice not being vulnerable 
to some of the difficulties that arose in Microsoft Office software of the same 
and earlier eras.  It could be more the case that exploit perpetrators prefer 
to go where the most victims are to be found.  That does not mean other 
low-hanging fruit escapes attention, as we now know for Linux, Apple, Android, 
and other products.  

An upgrade of the extension packaging could provide some auditability.  Perhaps 
the most important upgrade, using a form of ODF 1.2 packaging, would be use of 
digital signatures to provide a level of authentication on the 
extension/template source and allow detection of modifications or counterfeits.

Other kinds of auditing and forensic analysis require better computer-based 
tools.  Those are lacking generally, not just for extension packages.

This is one of those situations where defenses require considerably more effort 
than attacking, although skill is required for an exploit to go undetected.

No concerted effort on this area is foreseen at this time.  

 - Dennis  



> -Original Message-
> From: toki [mailto:toki.kant...@gmail.com]
> Sent: Thursday, April 7, 2016 03:45
> To: dev@openoffice.apache.org
> Subject: Cross Script vulnerabilities in AOo Extensions?
> 
> All:
> 
> In reading
> http://arstechnica.com/security/2016/04/noscript-and-other-popular-
> firefox-add-ons-open-millions-to-new-attack/
> is the same type of vulnerability possible with AOo extensions?
> 
> jonathon
> 
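
An added example, not code from this thread or from the Apache OpenOffice project: a small audit of an .oxt package of the kind the message above says is lacking. It lists the manifest entries that register executable content, reports files the manifest does not cover, and records SHA-256 digests so a later copy can be compared against a trusted baseline (a weaker check than the digital signatures proposed above, since the baseline itself has to be obtained safely). It assumes the usual OXT layout with META-INF/manifest.xml; the sample package and its file names are constructed.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NS = "http://openoffice.org/2001/manifest"
# Manifest media types whose entries are code that runs with the user's privileges.
CODE_TYPES = (
    "application/vnd.sun.star.uno-component",  # Java, Python or native components
    "application/vnd.sun.star.basic-library",  # Basic macro libraries
)


def audit_oxt(data):
    """Return (code_entries, unregistered_files, digests) for the bytes of an .oxt."""
    with zipfile.ZipFile(io.BytesIO(data)) as oxt:
        names = [n for n in oxt.namelist() if not n.endswith("/")]
        digests = {n: hashlib.sha256(oxt.read(n)).hexdigest() for n in names}
        raw = oxt.read("META-INF/manifest.xml")
    if b"<!ENTITY" in raw:  # refuse entity tricks in untrusted XML
        raise ValueError("manifest declares XML entities")
    listed, code_entries = set(), []
    for entry in ET.fromstring(raw).iter("{%s}file-entry" % MANIFEST_NS):
        path = entry.get("{%s}full-path" % MANIFEST_NS, "")
        media = entry.get("{%s}media-type" % MANIFEST_NS, "")
        listed.add(path)
        if media.startswith(CODE_TYPES):
            code_entries.append((path, media))
    folders = tuple(p for p in listed if p.endswith("/"))  # e.g. Basic library dirs
    # Files no manifest entry covers: often plain resources, but a jar or script
    # here can still be pulled in by a registered component, so list them.
    unregistered = sorted(n for n in names
                          if n not in listed and not n.startswith("META-INF/")
                          and not n.startswith(folders))
    return code_entries, unregistered, digests


def changed_files(baseline, current):
    """Paths added, removed or altered relative to a recorded digest map."""
    return sorted(p for p in baseline.keys() | current.keys()
                  if baseline.get(p) != current.get(p))


def build_sample_oxt(component_bytes):
    """Constructed sample package; every name and byte in it is made up."""
    entry = ' <manifest:file-entry manifest:media-type="%s" manifest:full-path="%s"/>\n'
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<manifest:manifest xmlns:manifest="%s">\n' % MANIFEST_NS
        + entry % ("application/vnd.sun.star.configuration-data", "Addons.xcu")
        + entry % ("application/vnd.sun.star.uno-component;type=Java", "nbaddon.jar")
        + '</manifest:manifest>\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/manifest.xml", manifest)
        z.writestr("Addons.xcu", "<constructed/>")
        z.writestr("nbaddon.jar", component_bytes)
        z.writestr("lib/helper.jar", b"constructed helper bytes")
    return buf.getvalue()


if __name__ == "__main__":
    code, unregistered, baseline = audit_oxt(build_sample_oxt(b"component v1"))
    repacked = build_sample_oxt(b"component v1 plus an extra class")
    print("code-bearing entries:", code)
    print("not covered by manifest:", unregistered)
    print("changed since baseline:", changed_files(baseline, audit_oxt(repacked)[2]))
```
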






RE: [DISCUSS] Cleanup needed for RESOLVED-FIXED issues

2016-04-07 Thread Dennis E. Hamilton
My only concern is that this is a giant CTR and pretty much assures that the 
"R" will not happen.

So be it.

However, do not disable the issues mails for any reason.  There is a difference 
between R not happening and R not being possible.

 - Dennis

> -Original Message-
> From: Marcus [mailto:marcus.m...@wtnet.de]
> Sent: Thursday, April 7, 2016 02:10
> To: dev@openoffice.apache.org
> Cc: q...@openoffice.apache.org
> Subject: Re: [DISCUSS] Cleanup needed for RESOLVED-FIXED issues
> 
[ ... ]
> I've closed all listed issues regarding our infrastructure (Website,
> Bugzilla, etc.). As you can see every single change results in a mail
> and will fill everybody's inbox - when you are subscribed to the issues@
> mailing list.
> 
> There will be the possibility to disable mails when performing special
> actions (e.g., bulk issue changes) but not before release 6.0 [1]. At
> the moment we are at 5.0.2. So, it will take some more time. ;-(
> 
> For the time being we have only the way to disable completely sending
> mails when we work on the issue. But this means that *absolutely no
> mails will be sent* regardless what was done (new issue, change,
> comments, closing, etc.).
> 
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1062718
> 
> Sorry for the spam. ;-)
> 
> Marcus
> 





Re: Eclipse Module Export UNO -> OOo package does not proceed

2016-04-07 Thread Christian Giehl

On 4/7/2016 at 12:47 AM, Carl Marcum wrote:

On 04/06/2016 04:35 AM, Christian Giehl wrote:

Hi,

I'm fairly new on the field and wanted to start developing an
extension to be used in Writer. I started on reading the wiki and just
tried to follow the tutorial here:
https://wiki.openoffice.org/wiki/JavaEclipseTuto
Unfortunately when it comes to exporting the module in Eclipse File ->
Export -> UNO -> OpenOffice.org package, nothing happens. From my pov
I have two possibilities now: ask if sb can help troubleshoot or build
the module somehow manually.
Since I am a beginner, I am not restricted in writing the extension in
Java. Another possibility I considered is to write in python. I chose
Java because it seemed to me the more stable and documented approach
to get in touch. I'm free for suggestions regarding the language.

My system:
Win10 x64
OO 4.12.9782
OO SDK 4.12.9782
(note: OO installed with x86 instead of x64)

What I tried:
- reinstall of all features
- changed the eclipse plugin from
(http://www.openoffice.org/api/Projects/EclipseIntegration/dev-update/site.xml)
to (http://drake79.users.sourceforge.net/ooeclipse/site) due to the
issue described here
(http://stackoverflow.com/questions/17980315/openoffice-eclipse-plugin-doesnt-recognize-openoffice-sdk)

- reinstalled OO and removed the spaces in path (I saw a hint during
installation stating that spaces in paths might break the build)

Disclaimer: I don't know whether this is the appropriate newsgroup to
post such kind of questions. Please give hints if there might be a
more suitable place. Please tell me if you need further info.

Thanks in advance!
Greetings


Hi Christian,

I admit not knowing much about the Eclipse plugin.

There is a good chance the AOO 4.x changes broke it due to the SDK
directory changes.

If you want to try to fix the eclipse plugin you could look through the
changes made to the NetBeans plugin.

I updated the NetBeans plugin for these changes under bugzilla issue
123266 here [1].

Or you could use the NetBeans plugin. It is available through the
NetBeans plugins UI, or download from NetBeans.org. [2]

After you generate an extension project you could probably import it to
Eclipse as it's an Apache Ant based build but I've never tried.

[1] https://bz.apache.org/ooo/show_bug.cgi?id=123266

[2] http://plugins.netbeans.org/plugin/57917/apache-openoffice-api-plugin

Hi Carl,

thanks for your reply, that helps me a lot! I'll give Netbeans a shot 
and see if I can fix the eclipse sources accordingly.


Greetings





Where to find information about *.xcu schema (extension, dev, toolbar)

2016-04-07 Thread Christian Giehl

Hi,

I'm currently working on a custom toolbar for my oo-extension. To create 
the visual appearance of the toolbar, I have to write an Addons.xcu 
file, which contains a custom xml. However, the tag names and attributes 
I found in the tutorial all across the www are not sufficient for my 
case and I stumbled across tags I never encountered anywhere before, e.g.



 


 


or some attributes like oor:op="replace".

Since I can't reliably figure out what these tags/attributes represent 
and how they are used I am in need for some kind of documentation. The 
only ref I've found so far is 
(https://wiki.openoffice.org/wiki/Documentation/DevGuide/WritingUNO/AddOns/Toolbars), 
but not all props/tags/attrs are listed there.


I wonder if anyone of you guys can tell me how I can approach to these 
kinds of problems better. Is there a reference documentation I haven't 
found yet? How do I gain a clearer understanding of those tags without a 
documentation? I beg nobody says reverse engineering :D


Thanks in advance!

Chris





Cross Script vulnerabilities in AOo Extensions?

2016-04-07 Thread toki
All:

In reading
http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/
is the same type of vulnerability possible with AOo extensions?

jonathon






Re: [DISCUSS] Cleanup needed for RESOLVED-FIXED issues

2016-04-07 Thread Marcus

On 04/07/2016 12:43 AM, Kay Schenk wrote:

I think typically the process for RESOLVED-FIXED (those
issues that were fixed by some kind of code change to
/trunk) issues is to:

* commit the change to a release build
* once the release build is out for testing, check that the
bug is fixed, and use RESOLVED-VERIFIED, to verify the fix, then
* CLOSE the issue

Recently, when I was looking at some issues that we'd
targeted for 4.1.2, I came upon a number that had been
RESOLVED-FIXED, but some had been committed to a release and
some had not. For those that had, I skipped the
RESOLVED-VERIFIED step and just closed them.

Currently, I feel we could use some additional help with
a) closing out old issues that have been ported to a
release, and
b) resetting the Target Release information for those issues
that have been fixed but have not been "released".

The following query only looks at RESOLVED-FIXED issues
since 2011-01-01

https://bz.apache.org/ooo/buglist.cgi?bug_status=RESOLVED&chfield=resolution&chfieldfrom=2011-01-01&chfieldto=Now&chfieldvalue=Fixed&limit=0&order=priority%2Cbug_severity&query_format=advanced&resolution=FIXED&resolution=FIXED_WITHOUT_CODE

A warning -- unless you can see an SVN commit clearly
stating that the fix has been ported to one of our existing
releases, it may take a bit of investigation into the
release branch area to determine this.

release branch area--
http://svn.apache.org/viewvc/openoffice/branches/


Our new resolution of FIXED_WITHOUT_CODE should result in
CLOSING without any further investigation.

Thoughts on undertaking this cleanup?


I've closed all listed issues regarding our infrastructure (Website, 
Bugzilla, etc.). As you can see every single change results in a mail 
and will fill everybody's inbox - when you are subscribed to the issues@ 
mailing list.


There will be the possibility to disable mails when performing special 
actions (e.g., bulk issue changes) but not before release 6.0 [1]. At 
the moment we are at 5.0.2. So, it will take some more time. ;-(


For the time being we have only the way to disable completely sending 
mails when we work on the issue. But this means that *absolutely no 
mails will be sent* regardless what was done (new issue, change, 
comments, closing, etc.).


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1062718

Sorry for the spam. ;-)

Marcus
