Joe Smith schrieb: > Ok, lots of good analysis there. Let's take the second alternative from > your final summary: "understand what you are doing and act wisely." > > Here's what I see when I open an official OO.org feature spec: > http://specs.openoffice.org/appwide/linguistic/Set_Language_Attribute_for_Text.odt > ======================================================================= > /tmp/Set_Language_Attribute_for_Text.odt > > The document contains document macros. > > Macros may contain document viruses. Disabling macros for a document is > always safe. If you disable macros you may lose functionality provided > by the document macros. > > Enable Macros -- Disable Macros > ======================================================================= > > Exactly what in that message will allow me to "understand what you are > doing and act wisely?" > > I have no information at this point--none--with which to make a rational > decision other than to disable the macros because that's "always safe."
Well, if you can't make a rational decision you still can act wisely: if you don't know about the macro then don't run it! > I think your analysis is very good, except that it does not follow to > the realistic conclusion: at this time, there is no secure option except > to avoid macros completely. The current approach bows to the highly > desired, but severely flawed "industry practice" of easily embedding > macros in documents and then dumping the responsibility on the user. Using digitally signing can at least replace "safety" by "trust". > OOo can and should do better--and until a better strategy is available, > the default should be all macros off, no questions asked. The user (or > network administrator) should have to specifically enable them. Document > creators should have to assume that the user will not have macros turned > on and plan a graceful fallback. My personal opinion is the same as yours - plus the option that digitally signed macros should be executable. > Some ways I can think of off the top of my head to improve the situation > are: a) give the document user some information to answer those > questions I posed above; b) give the document creator other, safer ways > to provide macros and information about the macros (e.g. a signed > download from a secure site); c) provide a distinct facility that would > allow the macro writer to manipulate the open document, and nothing > else, and allow the document user to know with certainty the macro is > limited in its possible effects. b) Is already available: using signed macros in the document. I also think that providing macros as installable exetensions (that itself can be signed) is a good idea. > Maybe these are foolish or technically unrealistic, but there must be > something we can do beyond defending the status quo. Your ideas are neither foolish nor technically unrealistic, though a) comes close to the latter. And I agree that we always should try to do better. I just don't believe that imposing a security concept on OOo Basic is the way to go - it will add new security holes that are harder to understand and fix than the only hole we have now - the mouse click to grant permission to execute. Ciao, Mathias -- Mathias Bauer (mba) - Project Lead OpenOffice.org Writer OpenOffice.org Engineering at Sun: http://blogs.sun.com/GullFOSS Please don't reply to "[EMAIL PROTECTED]". I use it for the OOo lists and only rarely read other mails sent to it. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
