Re: [Libreoffice-qa] ESC meeting agenda: 2023-09-28 16:00 CEST

2023-09-29 Thread Eyal Rozenberg



The minutes item about the UI/UX aspect of dealing with security
vulnerabilities is something that, in the last design meeting, John and
myself specifically asked to be brought up at the ESC - assuming it
would be part of a larger discussion of this matter. I want to thank
Heiko for bringing the subject up and I'm glad this was discussed, but
Miklos' response suggests that the ESC is considering this as
a weakly-related future enhancement rather than part of the response to
the (past and) current vulnerability.

About what we are currently doing:

1. I have not been prompted to upgrade to 7.6.2. Granted, I'm on Linux,
but that's still a significant percentage of our users; have Windows
users been prompted to upgrade? Even if they otherwise don't care about
upgrades?

2. When looking at "Check for updates..." I am told: "LibreOffice 7.6.2
is available" - not even a mention of the security issue, let alone a
warning that an update is highly advisable because of it, a link to
guidance about the vulnerability etc. Most users will probably not
bother: "Why should I switch from 7.6.0.3 to 7.6.2? It's not even a
second-level version number change. My LibreOffice works fine, let's not
waste time on this."

3. So, LibreOffice 7.4 is out of official support. Have old-LO-version
users been warned by the app about the security vulnerability? If not
specifically, have they been actively and intrusively warned on June
12th that they should upgrade LO, to avoid potential security
vulnerabilities? IIANM, the answer is negative.

Note that I am not suggesting we auto-update without user consent. That
is for others to decide (never auto-update, opt-in to auto-update,
auto-update by default with opt-out). But security warnings, while
auto-update is not in effect, are important. Of course some people might
want to opt out of any call-home behavior, even for security warnings,
and that should be respected as well.

Eyal

On 29/09/2023 10:52, Xisco Fauli wrote:

Hello,

This particular issue only affects users using LibreOffice 7.4,
LibreOffice 7.5 and LibreOffice 7.6 since the Webp support was added in
LibreOffice 7.4. See https://wiki.documentfoundation.org/ReleaseNotes/7.4

For those users still using LibreOffice 7.4, the official support of
this branch ended on June 12, 2023 ( See
https://wiki.documentfoundation.org/ReleasePlan/7.4 ) so if they are
still using it, we can't force them to upgrade their version to a newer
one. They have been suggested to upgrade it for a while now, even before
this vulnerability was known.

For 7.5 and 7.6 users, the autoupdater has been already bumped to 7.5.7
and 7.6.2 respectively so users will be suggested to upgrade the next
time they launch LibreOffice. It's also up to them to upgrade it or not.
Marketing is also spreading the word in different channels about the
importance of this release ( see
https://blog.documentfoundation.org/blog/2023/09/26/lo-762-and-lo-757/ )

For the future, it's possible there will be an automatic updater
mechanism in place, see the ESC minutes from yesterday (
https://lists.freedesktop.org/archives/libreoffice/2023-September/091022.html "The 
UI/UX aspect of how to deal with security vulnerabilities" topic)

Regards

On 28/9/23 23:26, Eyal Rozenberg wrote:

But Sophie, from the dev point of view, the problem is actually not
solved - until LO has a mechanism for pushing intrusive notifications of
required critical updates (with an opt-out for people who don't want
that). Some might disagree with this position, but it is certainly a
matter for discussion in the ESC.

Also, the ESC has not mapped out for us the potential for exploiting the
vulnerability with LO (with and without "social engineering" of user
behavior). While that is not critical, it would be useful both for
identifying, retroactively, LO exploitation as the culprit in case of
actual malicious intrusions; and for those rare cases where an upgrade
is impossible for some reason.

Eyal




On 28/09/2023 23:23, sophi wrote:

Hi Eyal, John,

Just to give some information on this peculiar episode. The CVE happened
just before the conference where most of the team was traveling, not
easy to do a respin in those conditions.

What Miklos meant is that in the *dev* point of view it was solved, a
fix has been provided thanks to Caolan, that's all developers can do
"they move on to the next issue". So nothing more on their side to talk
about. It doesn't mean they don't care about users, they have done their
job in fixing the issue, the rest is not in their power. It's up to us,
you, me.

Then it's up to release engineering, UX and marketing to act. What RE
did from Monday to today because there was some problem with a Mac
version.

We have discussed today inside the team how we could better serve our
users when this type of issue emerged. Security is a difficult topic to
talk about, there is not only the fix, but how it's embargoed for other
products, etc.

I think the best way now to go on positively on 

Re: [Libreoffice-qa] ESC meeting agenda: 2023-09-28 16:00 CEST

2023-09-29 Thread Xisco Fauli

Hello,

This particular issue only affects users using LibreOffice 7.4, 
LibreOffice 7.5 and LibreOffice 7.6 since the Webp support was added in 
LibreOffice 7.4. See https://wiki.documentfoundation.org/ReleaseNotes/7.4


For those users still using LibreOffice 7.4, the official support of 
this branch ended on June 12, 2023 ( See
https://wiki.documentfoundation.org/ReleasePlan/7.4 ) so if they are 
still using it, we can't force them to upgrade their version to a newer 
one. They have been suggested to upgrade it for a while now, even before 
this vulnerability was known.


For 7.5 and 7.6 users, the autoupdater has been already bumped to 7.5.7 
and 7.6.2 respectively so users will be suggested to upgrade the next 
time they launch LibreOffice. It's also up to them to upgrade it or not. 
Marketing is also spreading the word in different channels about the 
importance of this release ( see 
https://blog.documentfoundation.org/blog/2023/09/26/lo-762-and-lo-757/ )


For the future, it's possible there will be an automatic updater 
mechanism in place, see the ESC minutes from yesterday ( 
https://lists.freedesktop.org/archives/libreoffice/2023-September/091022.html 
"The UI/UX aspect of how to deal with security vulnerabilities" topic)


Regards

On 28/9/23 23:26, Eyal Rozenberg wrote:

But Sophie, from the dev point of view, the problem is actually not
solved - until LO has a mechanism for pushing intrusive notifications of
required critical updates (with an opt-out for people who don't want
that). Some might disagree with this position, but it is certainly a
matter for discussion in the ESC.

Also, the ESC has not mapped out for us the potential for exploiting the
vulnerability with LO (with and without "social engineering" of user
behavior). While that is not critical, it would be useful both for
identifying, retroactively, LO exploitation as the culprit in case of
actual malicious intrusions; and for those rare cases where an upgrade
is impossible for some reason.

Eyal




On 28/09/2023 23:23, sophi wrote:

Hi Eyal, John,

Just to give some information on this peculiar episode. The CVE happened
just before the conference where most of the team was traveling, not
easy to do a respin in those conditions.

What Miklos meant is that in the *dev* point of view it was solved, a
fix has been provided thanks to Caolan, that's all developers can do
"they move on to the next issue". So nothing more on their side to talk
about. It doesn't mean they don't care about users, they have done their
job in fixing the issue, the rest is not in their power. It's up to us,
you, me.

Then it's up to release engineering, UX and marketing to act. What RE
did from Monday to today because there was some problem with a Mac 
version.


We have discussed today inside the team how we could better serve our
users when this type of issue emerged. Security is a difficult topic to
talk about, there is not only the fix, but how it's embargoed for other
products, etc.

I think the best way now to go on positively on this is to have a
discussion between marketing, UX and RE: should we have a pop-up in the
product advertising about security fix, should we have a special
communication campaign. Most of the time, there is an embargo and we
release security fixes without communication because of that, what
should we do?

Please, open the discussion on the marketing list, all points of view
and ideas are valuable, but don't shout to our developers, they provided
a fix very quickly, up to us to know how to communicate it now. This was
a new situation that needs to be addressed, your opinion about users is
very much valid, how should we go from there now?

Cheers
Sophi

Le 28/09/2023 à 21:36, Eyal Rozenberg a écrit :

I second John's sentiment.

For the vast majority of LibreOffice users, this security problem is
_not_ fixed. And that is because they run versions of LibreOffice with
the vulnerability but without the fix; and have not been made aware of
the vulnerability and the release-with-a-fix.

I would claim that we are responsible to make our users thus aware. Now,
it's true that a user is not likely to allow this particular exploit to
be taken advantage of, since that would mean directing LO at a malicious
.webp somewhere. But - we have over 200 million users IIANM. If
malicious .webp's turn up on the web, it's quite likely some of our
users may do this by mistake; and we would bear some of the
responsibility for the consequences of such an outcome - after we've
told our users that they are in the capable hands of "security experts"
(to quote our website).

Also, what if, next time, the vulnerability is easier to exploit? Do we
even have the mechanism to push at least a warning about the need to
update LO?


Eyal

PS 1: I have widened the CC of this exchange, as this question relates
to how we present LibreOffice to users; our claims regarding the quality
of this product; and the implicit and explicit guarantees we make to
users.


Re: [Libreoffice-qa] ESC meeting agenda: 2023-09-28 16:00 CEST

2023-09-28 Thread Eyal Rozenberg

But Sophie, from the dev point of view, the problem is actually not
solved - until LO has a mechanism for pushing intrusive notifications of
required critical updates (with an opt-out for people who don't want
that). Some might disagree with this position, but it is certainly a
matter for discussion in the ESC.

Also, the ESC has not mapped out for us the potential for exploiting the
vulnerability with LO (with and without "social engineering" of user
behavior). While that is not critical, it would be useful both for
identifying, retroactively, LO exploitation as the culprit in case of
actual malicious intrusions; and for those rare cases where an upgrade
is impossible for some reason.

Eyal




On 28/09/2023 23:23, sophi wrote:

Hi Eyal, John,

Just to give some information on this peculiar episode. The CVE happened
just before the conference where most of the team was traveling, not
easy to do a respin in those conditions.

What Miklos meant is that in the *dev* point of view it was solved, a
fix has been provided thanks to Caolan, that's all developers can do
"they move on to the next issue". So nothing more on their side to talk
about. It doesn't mean they don't care about users, they have done their
job in fixing the issue, the rest is not in their power. It's up to us,
you, me.

Then it's up to release engineering, UX and marketing to act. What RE
did from Monday to today because there was some problem with a Mac version.

We have discussed today inside the team how we could better serve our
users when this type of issue emerged. Security is a difficult topic to
talk about, there is not only the fix, but how it's embargoed for other
products, etc.

I think the best way now to go on positively on this is to have a
discussion between marketing, UX and RE: should we have a pop-up in the
product advertising about security fix, should we have a special
communication campaign. Most of the time, there is an embargo and we
release security fixes without communication because of that, what
should we do?

Please, open the discussion on the marketing list, all points of view
and ideas are valuable, but don't shout to our developers, they provided
a fix very quickly, up to us to know how to communicate it now. This was
a new situation that needs to be addressed, your opinion about users is
very much valid, how should we go from there now?

Cheers
Sophi

Le 28/09/2023 à 21:36, Eyal Rozenberg a écrit :

I second John's sentiment.

For the vast majority of LibreOffice users, this security problem is
_not_ fixed. And that is because they run versions of LibreOffice with
the vulnerability but without the fix; and have not been made aware of
the vulnerability and the release-with-a-fix.

I would claim that we are responsible to make our users thus aware. Now,
it's true that a user is not likely to allow this particular exploit to
be taken advantage of, since that would mean directing LO at a malicious
.webp somewhere. But - we have over 200 million users IIANM. If
malicious .webp's turn up on the web, it's quite likely some of our
users may do this by mistake; and we would bear some of the
responsibility for the consequences of such an outcome - after we've
told our users that they are in the capable hands of "security experts"
(to quote our website).

Also, what if, next time, the vulnerability is easier to exploit? Do we
even have the mechanism to push at least a warning about the need to
update LO?


Eyal

PS 1: I have widened the CC of this exchange, as this question relates
to how we present LibreOffice to users; our claims regarding the quality
of this product; and the implicit and explicit guarantees we make to
users.

PS 2: Many of us are not able to attend ESC sessions - in general, and
especially in the middle of a work day. And when this is the case we
send an email asking for relevant issues to be considered. Personally, I
struggle to attend even the design meetings (where I believe I can be of
more use).




On 28/09/2023 11:44, John Mills wrote:

Hello Miklos,

Is it an acceptable statement just to say that "we" move on? Yes, the
issue is now resolved for those people that download the newest version
of LibreOffice. However what about the many millions of users that will
not update or have no idea that they are now susceptible to this high
rated CVE?

This is not a compelling strategy and does not serve the best interests
of these users. I think it is poor for the reputation of LibreOffice and
the Document Foundation that there are many millions of unpatched
instances being used that could negatively impact people like this.

Perhaps this particular CVE is on the scale of things considered not
that critical, however what is the strategy if there was ever an exploit
that significantly impacted LibreOffice? How would this be made known to
our user and corrected?

With best regards,

John


Re: [Libreoffice-qa] ESC meeting agenda: 2023-09-28 16:00 CEST

2023-09-28 Thread sophi

Hi Eyal, John,

Just to give some information on this peculiar episode. The CVE happened 
just before the conference where most of the team was traveling, not 
easy to do a respin in those conditions.


What Miklos meant is that in the *dev* point of view it was solved, a 
fix has been provided thanks to Caolan, that's all developers can do 
"they move on to the next issue". So nothing more on their side to talk 
about. It doesn't mean they don't care about users, they have done their 
job in fixing the issue, the rest is not in their power. It's up to us, 
you, me.


Then it's up to release engineering, UX and marketing to act. What RE 
did from Monday to today because there was some problem with a Mac version.


We have discussed today inside the team how we could better serve our
users when this type of issue emerged. Security is a difficult topic to 
talk about, there is not only the fix, but how it's embargoed for other 
products, etc.


I think the best way now to go on positively on this is to have a 
discussion between marketing, UX and RE: should we have a pop-up in the 
product advertising about security fix, should we have a special 
communication campaign. Most of the time, there is an embargo and we 
release security fixes without communication because of that, what 
should we do?


Please, open the discussion on the marketing list, all points of view 
and ideas are valuable, but don't shout to our developers, they provided 
a fix very quickly, up to us to know how to communicate it now. This was 
a new situation that needs to be addressed, your opinion about users is 
very much valid, how should we go from there now?


Cheers
Sophi

Le 28/09/2023 à 21:36, Eyal Rozenberg a écrit :

I second John's sentiment.

For the vast majority of LibreOffice users, this security problem is
_not_ fixed. And that is because they run versions of LibreOffice with
the vulnerability but without the fix; and have not been made aware of
the vulnerability and the release-with-a-fix.

I would claim that we are responsible to make our users thus aware. Now,
it's true that a user is not likely to allow this particular exploit to
be taken advantage of, since that would mean directing LO at a malicious
.webp somewhere. But - we have over 200 million users IIANM. If
malicious .webp's turn up on the web, it's quite likely some of our
users may do this by mistake; and we would bear some of the
responsibility for the consequences of such an outcome - after we've
told our users that they are in the capable hands of "security experts"
(to quote our website).

Also, what if, next time, the vulnerability is easier to exploit? Do we
even have the mechanism to push at least a warning about the need to
update LO?


Eyal

PS 1: I have widened the CC of this exchange, as this question relates
to how we present LibreOffice to users; our claims regarding the quality
of this product; and the implicit and explicit guarantees we make to users.

PS 2: Many of us are not able to attend ESC sessions - in general, and
especially in the middle of a work day. And when this is the case we
send an email asking for relevant issues to be considered. Personally, I
struggle to attend even the design meetings (where I believe I can be of
more use).




On 28/09/2023 11:44, John Mills wrote:

Hello Miklos,

Is it an acceptable statement just to say that "we" move on? Yes, the
issue is now resolved for those people that download the newest version
of LibreOffice. However what about the many millions of users that will
not update or have no idea that they are now susceptible to this high
rated CVE?

This is not a compelling strategy and does not serve the best interests
of these users. I think it is poor for the reputation of LibreOffice and
the Document Foundation that there are many millions of unpatched
instances being used that could negatively impact people like this.

Perhaps this particular CVE is on the scale of things considered not
that critical, however what is the strategy if there was ever an exploit
that significantly impacted LibreOffice? How would this be made known to
our user and corrected?

With best regards,

John



    On Thu, 28 Sept 2023 at 8:13 am, Miklos Vajna wrote:
    Hi Eyal,

    On Wed, Sep 27, 2023 at 08:31:04PM +0300, Eyal Rozenberg wrote:
    > I would like to ask you to discuss the situation with the recent CVE:
    > https://bugs.documentfoundation.org/show_bug.cgi?id=157231

    It was already discussed 2 weeks ago. If you have specific questions,
    please ask on the developer list or take part in the ESC call yourself.

    In short: the problem is fixed, it's released, we move on.


 

Re: [Libreoffice-qa] ESC meeting agenda: 2023-09-28 16:00 CEST

2023-09-28 Thread Eyal Rozenberg

I second John's sentiment.

For the vast majority of LibreOffice users, this security problem is
_not_ fixed. And that is because they run versions of LibreOffice with
the vulnerability but without the fix; and have not been made aware of
the vulnerability and the release-with-a-fix.

I would claim that we are responsible to make our users thus aware. Now,
it's true that a user is not likely to allow this particular exploit to
be taken advantage of, since that would mean directing LO at a malicious
.webp somewhere. But - we have over 200 million users IIANM. If
malicious .webp's turn up on the web, it's quite likely some of our
users may do this by mistake; and we would bear some of the
responsibility for the consequences of such an outcome - after we've
told our users that they are in the capable hands of "security experts"
(to quote our website).

Also, what if, next time, the vulnerability is easier to exploit? Do we
even have the mechanism to push at least a warning about the need to
update LO?


Eyal

PS 1: I have widened the CC of this exchange, as this question relates
to how we present LibreOffice to users; our claims regarding the quality
of this product; and the implicit and explicit guarantees we make to users.

PS 2: Many of us are not able to attend ESC sessions - in general, and
especially in the middle of a work day. And when this is the case we
send an email asking for relevant issues to be considered. Personally, I
struggle to attend even the design meetings (where I believe I can be of
more use).




On 28/09/2023 11:44, John Mills wrote:

Hello Miklos,

Is it an acceptable statement just to say that "we" move on? Yes, the
issue is now resolved for those people that download the newest version
of LibreOffice. However what about the many millions of users that will
not update or have no idea that they are now susceptible to this high
rated CVE?

This is not a compelling strategy and does not serve the best interests
of these users. I think it is poor for the reputation of LibreOffice and
the Document Foundation that there are many millions of unpatched
instances being used that could negatively impact people like this.

Perhaps this particular CVE is on the scale of things considered not
that critical, however what is the strategy if there was ever an exploit
that significantly impacted LibreOffice? How would this be made known to
our user and corrected?

With best regards,

John



On Thu, 28 Sept 2023 at 8:13 am, Miklos Vajna wrote:
Hi Eyal,

On Wed, Sep 27, 2023 at 08:31:04PM +0300, Eyal Rozenberg wrote:
 > I would like to ask you to discuss the situation with the recent CVE:
 > https://bugs.documentfoundation.org/show_bug.cgi?id=157231


It was already discussed 2 weeks ago. If you have specific questions,
please ask on the developer list or take part in the ESC call yourself.

In short: the problem is fixed, it's released, we move on.


Regards,

Miklos



Re: [Libreoffice-qa] ESC meeting agenda: 2023-09-28 16:00 CEST

2023-09-28 Thread Miklos Vajna
Hi Eyal,

On Wed, Sep 27, 2023 at 08:31:04PM +0300, Eyal Rozenberg wrote:
> I would like to ask you to discuss the situation with the recent CVE:
> https://bugs.documentfoundation.org/show_bug.cgi?id=157231

It was already discussed 2 weeks ago. If you have specific questions,
please ask on the developer list or take part in the ESC call yourself.

In short: the problem is fixed, it's released, we move on.

Regards,

Miklos


Re: [Libreoffice-qa] ESC meeting agenda: 2023-09-28 16:00 CEST

2023-09-27 Thread Regina Henschel

Hi Eyal,

Eyal Rozenberg schrieb am 27.09.2023 um 19:31:

Hello ESC,

I would like to ask you to discuss the situation with the recent CVE:
https://bugs.documentfoundation.org/show_bug.cgi?id=157231


I'm not the ESC, but please notice
https://listarchives.documentfoundation.org/www/announce/msg00392.html

Kind regards,
Regina


Re: [Libreoffice-qa] ESC meeting agenda: 2023-09-28 16:00 CEST

2023-09-27 Thread Eyal Rozenberg

Hello ESC,

I would like to ask you to discuss the situation with the recent CVE:
https://bugs.documentfoundation.org/show_bug.cgi?id=157231

which potentially affects LibreOffice:
https://bugs.documentfoundation.org/show_bug.cgi?id=157231

Specifically:

1. Please assess the potential effect on LO.
2. Please list the scenarios in which LO may be affected.
3. What capability do we currently have to strongly-encourage users to 
update to a secure version (assuming one is available)?
4. What capability do we currently have to force users to update to a 
secure version (assuming one is available)?
5. Assuming the answer to (3.) or (4.) is "none" - consider taking a 
decision on changing that, with high priority, even if the current CVE 
is rarely dangerous for LO users.
6. Assuming the answer to (3.) or (4.) is "some" - please decide whether 
to do so, or recommend the board decide to do so etc.


Eyal


On 27/09/2023 18:12, Miklos Vajna wrote:

Hi,

The prototype agenda is below. Extra items are appreciated either in
this document or as a reply to this mail:

https://pad.documentfoundation.org/p/esc

You can join using Jitsi here:

https://jitsi.documentfoundation.org/esc

Regards,

Miklos

---

* Present:
     +

* Completed Action Items:

* Pending Action Items:
     + Try gtk4 local builds, Qt6 local builds (Cloph)
     + review bot: ignore distro branches when adding reviewers (Xisco)

* Release Engineering update (Cloph)
     + 7.6 status:
     + 7.5 status:

* Documentation (Olivier)
     + Bugzilla Documentation statistics
     272(272) bugs open
     + Updates:
     BZ changes   1 week   1 month   3 months   12 months
        created   6(2)     19(2)     70(1)      298(0)
      commented   6(0)     48(-9)    225(-12)   1079(-15)
       resolved   0(-2)    4(-1)     30(0)      163(-2)
     + top 10 contributors:
       Stéphane Guillou made 16 changes in 1 month, and 341 changes in 1 year
       Olivier Hallot made 13 changes in 1 month, and 440 changes in 1 year
       Ilmari Lauhakangas made 8 changes in 1 month, and 114 changes in 1 year
       Nabet, Julien made 8 changes in 1 month, and 39 changes in 1 year
       aswath t made 5 changes in 1 month, and 5 changes in 1 year
       Jim Avera made 5 changes in 1 month, and 5 changes in 1 year
       steve made 4 changes in 1 month, and 18 changes in 1 year
       Seth Chaiklin made 4 changes in 1 month, and 306 changes in 1 year
       Vernon, Stuart Foote made 3 changes in 1 month, and 44 changes in 1 year
       Heiko Tietze made 2 changes in 1 month, and 107 changes in 1 year


* UX Update (Heiko)
     + Bugzilla (topicUI) statistics
     259(259) (topicUI) bugs open, 57(57) (needsUXEval) needs to be evaluated by the UXteam
     + Updates:
     BZ changes   1 week   1 month   3 months   12 months
          added   3(2)     14(4)     20(4)      45(2)
      commented   27(-3)   181(-3)   461(15)    2324(-7)
        removed   0(0)     0(0)      1(-1)      20(-4)
       resolved   10(7)    35(5)     86(9)      330(2)
     + top 10 contributors:
       Heiko Tietze made 114 changes in 1 month, and 1385 changes in 1 year
       Stéphane Guillou made 45 changes in 1 month, and 468 changes in 1 year
       Eyal Rozenberg made 41 changes in 1 month, and 324 changes in 1 year
       Kaganski, Mike made 29 changes in 1 month, and 144 changes in 1 year
       Dieter made 20 changes in 1 month, and 247 changes in 1 year
       Vernon, Stuart Foote made 19 changes in 1 month, and 405 changes in 1 year
       ady made 18 changes in 1 month, and 110 changes in 1 year
       Fortin Tam, Jean-François made 11 changes in 1 month, and 16 changes in 1 year
       Bogdan B made 10 changes in 1 month, and 105 changes in 1 year
       neil made 10 changes in 1 month, and 10 changes in 1 year

* Crash Testing (Caolan)
     + 22(+0) import failure, 0(+0) export failures
     + ??? coverity issues
     + Google / ossfuzz: ?? fuzzers active now

* Crash Reporting (Xisco)
     + 7.6.0.2    105(+1)
     + 7.6.0.3    9755(+1827)
     + 7.6.1.2    3478(+2545)
     + 7.6.2.1    16(+0)

* Mentoring (Hossein)
     committer...     1 week     1 month      3 months     12 months
               open   45(-10)    97(-7)       156(-7)      209(-2)
            reviews   226(-42)   1236(-140)   3408(-12)    11502(4)
             merged   169(-25)   989(-78)     3080(-107)   12609(-110)
          abandoned   4(-6)      60(-9)       142(-10)     634(-15)
        own commits   99(34)     657(-17)     2062(13)     9688(-75)
     review commits   35(17)     179(-38)     628(0)       3025(1)
     contributor...   1 week     1 month      3 months     12 months
               open   26(5)      56(11)       91(15)       117(16)
            reviews   498(-44)

[Libreoffice-qa] ESC meeting agenda: 2023-09-28 16:00 CEST

2023-09-27 Thread Miklos Vajna

Hi,

The prototype agenda is below. Extra items are appreciated either in
this document or as a reply to this mail:

https://pad.documentfoundation.org/p/esc

You can join using Jitsi here:

https://jitsi.documentfoundation.org/esc

Regards,

Miklos

---

* Present:
+

* Completed Action Items:

* Pending Action Items:
+ Try gtk4 local builds, Qt6 local builds (Cloph)
+ review bot: ignore distro branches when adding reviewers (Xisco)

* Release Engineering update (Cloph)
+ 7.6 status:
+ 7.5 status:

* Documentation (Olivier)
+ Bugzilla Documentation statistics
272(272) bugs open
+ Updates:
BZ changes   1 week   1 month   3 months   12 months
   created   6(2)     19(2)     70(1)      298(0)
 commented   6(0)     48(-9)    225(-12)   1079(-15)
  resolved   0(-2)    4(-1)     30(0)      163(-2)
+ top 10 contributors:
  Stéphane Guillou made 16 changes in 1 month, and 341 changes in 1 year
  Olivier Hallot made 13 changes in 1 month, and 440 changes in 1 year
  Ilmari Lauhakangas made 8 changes in 1 month, and 114 changes in 1 year
  Nabet, Julien made 8 changes in 1 month, and 39 changes in 1 year
  aswath t made 5 changes in 1 month, and 5 changes in 1 year
  Jim Avera made 5 changes in 1 month, and 5 changes in 1 year
  steve made 4 changes in 1 month, and 18 changes in 1 year
  Seth Chaiklin made 4 changes in 1 month, and 306 changes in 1 year
  Vernon, Stuart Foote made 3 changes in 1 month, and 44 changes in 1 year
  Heiko Tietze made 2 changes in 1 month, and 107 changes in 1 year

* UX Update (Heiko)
+ Bugzilla (topicUI) statistics
259(259) (topicUI) bugs open, 57(57) (needsUXEval) needs to be evaluated by the UXteam
+ Updates:
BZ changes   1 week   1 month   3 months   12 months
     added   3(2)     14(4)     20(4)      45(2)
 commented   27(-3)   181(-3)   461(15)    2324(-7)
   removed   0(0)     0(0)      1(-1)      20(-4)
  resolved   10(7)    35(5)     86(9)      330(2)
+ top 10 contributors:
  Heiko Tietze made 114 changes in 1 month, and 1385 changes in 1 year
  Stéphane Guillou made 45 changes in 1 month, and 468 changes in 1 year
  Eyal Rozenberg made 41 changes in 1 month, and 324 changes in 1 year
  Kaganski, Mike made 29 changes in 1 month, and 144 changes in 1 year
  Dieter made 20 changes in 1 month, and 247 changes in 1 year
  Vernon, Stuart Foote made 19 changes in 1 month, and 405 changes in 1 year
  ady made 18 changes in 1 month, and 110 changes in 1 year
  Fortin Tam, Jean-François made 11 changes in 1 month, and 16 changes in 1 year
  Bogdan B made 10 changes in 1 month, and 105 changes in 1 year
  neil made 10 changes in 1 month, and 10 changes in 1 year

* Crash Testing (Caolan)
+ 22(+0) import failure, 0(+0) export failures
+ ??? coverity issues
+ Google / ossfuzz: ?? fuzzers active now

* Crash Reporting (Xisco)
+ 7.6.0.2    105(+1)
+ 7.6.0.3    9755(+1827)
+ 7.6.1.2    3478(+2545)
+ 7.6.2.1    16(+0)

* Mentoring (Hossein)
committer...     1 week     1 month      3 months     12 months
          open   45(-10)    97(-7)       156(-7)      209(-2)
       reviews   226(-42)   1236(-140)   3408(-12)    11502(4)
        merged   169(-25)   989(-78)     3080(-107)   12609(-110)
     abandoned   4(-6)      60(-9)       142(-10)     634(-15)
   own commits   99(34)     657(-17)     2062(13)     9688(-75)
review commits   35(17)     179(-38)     628(0)       3025(1)
contributor...   1 week     1 month      3 months     12 months
          open   26(5)      56(11)       91(15)       117(16)
       reviews   498(-44)   2290(-194)   7130(-202)   30546(-308)
        merged   13(8)      62(-25)      220(3)       2165(-41)
     abandoned   14(7)      33(10)       205(11)      625(7)
   own commits   18(15)     62(-12)      221(15)      1099(17)
review commits   0(0)       0(0)         0(0)         0(0)
+ easyHack statistics:
   needsDevEval 8(8)   needsUXEval 1(1)   cleanup_comments 323(323)
   total 398(398)   assigned 24(24)   open 349(349)
+ top 10 contributors:
  Stéphane Guillou made 6 patches in 1 month, and 35 patches in 1 year
  Srebotnjak, Martin made 4 patches in 1 month, and 20 patches in 1 year
  Sahil Gautam made 4 patches in 1 month, and 9 patches in 1 year
  Adam Seskunas made 4 patches in 1 month, and 4 patches in 1 year
  Dan Horák made 4 patches in 1 month, and 4 patches in 1 year
  Bogdan B made 3 patches in 1 month, and 97 patches in 1 year
  Priyadarshi, Apurva made 2 patches in 1 month, and 2 patches in 1