Posted to dev@openoffice.apache.org by "Dennis E. Hamilton" <de...@acm.org> on 2016/08/01 00:17:59 UTC

RE: Officially releasing a patch for CVE-2016-1513


> -----Original Message-----
> From: Kay Schenk@apache.org [mailto:kschenk@apache.org]
> Sent: Sunday, July 31, 2016 14:42
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
> 
> OK, I think I'm done with the Linux64 bit area as well.
> 
> And see below ....
> 
> 
> On 07/31/2016 01:10 PM, Marcus wrote:
[ ... ]
> > I'm preparing the hotfix webpage. For this I've some questions:
> >
> > 1. Do we want to provide zip files for every platform or just single
> > files for the library and other files?
> 
> Hmmmm... I assumed we would just point people directly at
> /dist/release/openoffice/patches.
> (Right now, these are in /dist/dev/openoffice/patches.)
> 
> It would be easiest to just setup the hotfix page with three links per
> distro.
> 
> Linux32
> * link to Linux32.README
> * link to linux32 libtl.so
> * link to linux32 libtl.so.asc (sig)
> 
> etc.
> 
> If not, the READMEs I wrote will need to change.
[orcmid] 

I recommend there should be single-file (e.g., Zip) distributions, just like all other binaries.  That gives just one thing to download.  The MD5, SHA512, and ASC signatures should be on the whole package and stay in the dev/ and release/ folders, just as they are on download pages.  (The ASC signatures on the individual library-file binaries should be inside the package.)  I suspect, on the dev/ side, we might need copies of the READMEs alongside the archives, and revised more regularly, so they can be reviewed and revised easily as we get QA and trial use.  When we move over to release/ we might want to do the same, even though the README is in the archive, so that people can read it without downloading the package.

Finally, please use README.txt, etc., so that line-ending adjustments will happen properly when folks move these in and out of SVN and also out of archive files.  This will also help browsers when folks retrieve these directly from the repository.

PS: If we are concerned about the README.txt outside of the archive being authenticated, it can have an embedded PGP signature.  (Then the final archive-internal one would be a copy of the signed README.txt -- no biggie, nice chain of custody).

[ ... ]


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org


Re: Officially releasing a patch for CVE-2016-1513

Posted by Kay Schenk <ka...@gmail.com>.

On 08/02/2016 10:04 AM, Marcus wrote:
> Am 08/02/2016 05:28 PM, schrieb Kay Schenk:
>>
>>
>> On 08/01/2016 07:38 PM, Dennis E. Hamilton wrote:
>>>
>>>
>>>> -----Original Message-----
>>>> From: Kay Schenk [mailto:kay.schenk@gmail.com]
>>>> Sent: Monday, August 1, 2016 15:43
>>>> To: dev@openoffice.apache.org
>>>> Subject: Re: Officially releasing a patch for CVE-2016-1513
>>>>
>>>>
>>>> On 07/31/2016 05:17 PM, Dennis E. Hamilton wrote:
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Kay Schenk@apache.org [mailto:kschenk@apache.org]
>>>>>> Sent: Sunday, July 31, 2016 14:42
>>>>>> To: dev@openoffice.apache.org
>>>>>> Subject: Re: Officially releasing a patch for CVE-2016-1513
>>>>>>
>>>>>> OK, I think I'm done with the Linux64 bit area as well.
>>>>>>
>>>>>> And see below ....
>>>>>>
>>>>>>
>>>>>> On 07/31/2016 01:10 PM, Marcus wrote:
>>>>> [ ... ]
>>>>>>> I'm preparing the hotfix webpage. For this I've some questions:
>>>>>>>
>>>>>>> 1. Do we want to provide zip files for every platform or just single
>>>>>>> files for the library and other files?
>>>>>>
>>>>>> Hmmmm... I assumed we would just point people directly at
>>>>>> /dist/release/openoffice/patches.
>>>>>> (Right now, these are in /dist/dev/openoffice/patches.)
>>>>>>
>>>>>> It would be easiest to just setup the hotfix page with three links
>>>> per
>>>>>> distro.
>>>>>>
>>>>>> Linux32
>>>>>> * link to Linux32.README
>>>>>> * link to linux32 libtl.so
>>>>>> * link to linux32 libtl.so.asc (sig)
>>>>>>
>>>>>> etc.
>>>>>>
>>>>>> If not, the READMEs I wrote will need to change.
>>>>> [orcmid]
>>>>>
>>>>> I recommend there should be single-file (e.g., Zip) distributions,
>>>> just like all other binaries.  That gives just one thing to download.
>>>> The MD5, SHA512, and ASC signatures should be on the whole package and
>>>> stay in the dev/ and release/ folders, just as they are on download
>>>> pages.  (The ASC signatures on the individual library-file binaries
>>>> should be inside the package.)  I suspect, on the dev/ side, we might
>>>> need copies of the READMEs alongside the archives, and revised more
>>>> regularly,
>>>>
>>>> I was OK up to this statement. Are you saying INCLUDE the readmes in
>>>> the
>>>> zip package but leave them outside of where they now are? If we want
>>>> signed zip files, can't we just leave the files we have now in:
>>>>
>>>> https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/
>>>>
>>>>
>>>> but zip them up as well, including the READMEs?
>>>> Or, are you saying at distribution time, remove the libraries and their
>>>> sigs but leave the README files?
>>>> We have these in their own labeled area -- 4.1.2-patch1 -- so I don't
>>>> see a problem with just leaving everything there.
>>>>
>>> [orcmid]
>>>
>>> I'll do what I mean by example when I upload the Windows case by
>>> tomorrow morning, at the latest.
>>>
>>> Then it will be easier to talk about it.
>>>
>>>   - Dennis
>>>
>>
>> OK, great... it looks like we are still lacking a MacOSX README. Any
>> volunteers?
>> Even if you can't or don't want to commit to:
>> https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/
>>
>> Please send to this list as a ".txt" attachment and we should be able to
>> receive it.
>>
>> Thanks in advance for your help.
> 
> OK, I'll give you (the Mac experts) a starting point:
> 
> 1. Make sure that OpenOffice is not running.
> 2. Open a terminal and unpack the downloaded file (e.g., with Archive
> Utility or WinZip Mac Edition) to an easily locatable path.
> 3. Open the Finder App - or another file manager of your choice.
> 4. Locate the installation path of OpenOffice (e.g.,
> "/Applications/Utilities/OpenOffice4/program/").
> 5. Rename the old file "libtl.dylib" to "libtl.dylib.original" to keep a
> backup.
> 6. Copy the new file from the unpacked Zip file to the installation path
> (e.g., "/Desktop/libtl.dylib" -->
> "/Applications/Utilities/OpenOffice4/program/").
> 
> Yes, it's not complete and maybe a bit incorrect. But better this than
> nothing. :-P
> 
> Marcus

Thank you, Marcus! Much appreciated. I can see I need to change the
numbering scheme I used to be consistent with our others.

> 
> 
> 
>>>>> so they can be reviewed and revised easily as we get QA and trial use.
>>>> When we move over to release/ we might want to do the same, even though
>>>> the README is in the archive, so that people can read it without
>>>> downloading the package.
>>>>>
>>>>> Finally, please use README.txt, etc., so that line-ending adjustments
>>>> will happen properly when folks move these in and out of SVN and also
>>>> out of archive files.  This will also help browsers when folks retrieve
>>>> these directly from the repository.
>>>>>
>>>>> PS: If we are concerned about the README.txt outside of the archive
>>>> being authenticated, it can have an embedded PGP signature.  (Then the
>>>> final archive-internal one would be a copy of the signed README.txt --
>>>> no biggie, nice chain of custody).
>>>>>
>>>>> [ ... ]
> 
> 

-- 
--------------------------------------------
MzK

"Time spent with cats is never wasted."
                   -- Sigmund Freud



Re: Officially releasing a patch for CVE-2016-1513

Posted by Marcus <ma...@wtnet.de>.
Am 08/02/2016 05:28 PM, schrieb Kay Schenk:
>
>
> On 08/01/2016 07:38 PM, Dennis E. Hamilton wrote:
>>
>>
>>> -----Original Message-----
>>> From: Kay Schenk [mailto:kay.schenk@gmail.com]
>>> Sent: Monday, August 1, 2016 15:43
>>> To: dev@openoffice.apache.org
>>> Subject: Re: Officially releasing a patch for CVE-2016-1513
>>>
>>>
>>> On 07/31/2016 05:17 PM, Dennis E. Hamilton wrote:
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: Kay Schenk@apache.org [mailto:kschenk@apache.org]
>>>>> Sent: Sunday, July 31, 2016 14:42
>>>>> To: dev@openoffice.apache.org
>>>>> Subject: Re: Officially releasing a patch for CVE-2016-1513
>>>>>
>>>>> OK, I think I'm done with the Linux64 bit area as well.
>>>>>
>>>>> And see below ....
>>>>>
>>>>>
>>>>> On 07/31/2016 01:10 PM, Marcus wrote:
>>>> [ ... ]
>>>>>> I'm preparing the hotfix webpage. For this I've some questions:
>>>>>>
>>>>>> 1. Do we want to provide zip files for every platform or just single
>>>>>> files for the library and other files?
>>>>>
>>>>> Hmmmm... I assumed we would just point people directly at
>>>>> /dist/release/openoffice/patches.
>>>>> (Right now, these are in /dist/dev/openoffice/patches.)
>>>>>
>>>>> It would be easiest to just setup the hotfix page with three links
>>> per
>>>>> distro.
>>>>>
>>>>> Linux32
>>>>> * link to Linux32.README
>>>>> * link to linux32 libtl.so
>>>>> * link to linux32 libtl.so.asc (sig)
>>>>>
>>>>> etc.
>>>>>
>>>>> If not, the READMEs I wrote will need to change.
>>>> [orcmid]
>>>>
>>>> I recommend there should be single-file (e.g., Zip) distributions,
>>> just like all other binaries.  That gives just one thing to download.
>>> The MD5, SHA512, and ASC signatures should be on the whole package and
>>> stay in the dev/ and release/ folders, just as they are on download
>>> pages.  (The ASC signatures on the individual library-file binaries
>>> should be inside the package.)  I suspect, on the dev/ side, we might
>>> need copies of the READMEs alongside the archives, and revised more
>>> regularly,
>>>
>>> I was OK up to this statement. Are you saying INCLUDE the readmes in the
>>> zip package but leave them outside of where they now are? If we want
>>> signed zip files, can't we just leave the files we have now in:
>>>
>>> https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/
>>>
>>> but zip them up as well, including the READMEs?
>>> Or, are you saying at distribution time, remove the libraries and their
>>> sigs but leave the README files?
>>> We have these in their own labeled area -- 4.1.2-patch1 -- so I don't
>>> see a problem with just leaving everything there.
>>>
>> [orcmid]
>>
>> I'll do what I mean by example when I upload the Windows case by tomorrow morning, at the latest.
>>
>> Then it will be easier to talk about it.
>>
>>   - Dennis
>>
>
> OK, great... it looks like we are still lacking a MacOSX README. Any
> volunteers?
> Even if you can't or don't want to commit to:
> https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/
>
> Please send to this list as a ".txt" attachment and we should be able to
> receive it.
>
> Thanks in advance for your help.

OK, I'll give you (the Mac experts) a starting point:

1. Make sure that OpenOffice is not running.
2. Open a terminal and unpack the downloaded file (e.g., with Archive 
Utility or WinZip Mac Edition) to an easily locatable path.
3. Open the Finder App - or another file manager of your choice.
4. Locate the installation path of OpenOffice (e.g., 
"/Applications/Utilities/OpenOffice4/program/").
5. Rename the old file "libtl.dylib" to "libtl.dylib.original" to keep a 
backup.
6. Copy the new file from the unpacked Zip file to the installation path 
(e.g., "/Desktop/libtl.dylib" -->
"/Applications/Utilities/OpenOffice4/program/").

Yes, it's not complete and maybe a bit incorrect. But better this than 
nothing. :-P

Marcus



>>>> so they can be reviewed and revised easily as we get QA and trial use.
>>> When we move over to release/ we might want to do the same, even though
>>> the README is in the archive, so that people can read it without
>>> downloading the package.
>>>>
>>>> Finally, please use README.txt, etc., so that line-ending adjustments
>>> will happen properly when folks move these in and out of SVN and also
>>> out of archive files.  This will also help browsers when folks retrieve
>>> these directly from the repository.
>>>>
>>>> PS: If we are concerned about the README.txt outside of the archive
>>> being authenticated, it can have an embedded PGP signature.  (Then the
>>> final archive-internal one would be a copy of the signed README.txt --
>>> no biggie, nice chain of custody).
>>>>
>>>> [ ... ]

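A verify-then-install helper that combines the package layout Dennis recommends above (package-level SHA512 and ASC sidecars, a detached .asc for each library inside the archive, a clearsigned README.txt) with steps 5 and 6 of Marcus's macOS recipe. This is added example code, not an Apache OpenOffice tool; the archive name, the `OpenOffice4/program` layout and the placeholder signature blocks built in demo() are constructed assumptions, and real signature checking requires gpg with the release key imported.

```python
"""Verify-then-install helper for a single-file hotfix package laid out as
proposed in the thread: <pkg>.zip with <pkg>.zip.sha512 and <pkg>.zip.asc
beside it, one .asc per library inside, and a clearsigned README.txt.
Example code for this thread, not an Apache OpenOffice tool."""
import hashlib
import shutil
import subprocess
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

LIB_SUFFIXES = (".so", ".dylib", ".dll")   # assumed per-platform library names


def sha512_matches(archive: Path) -> bool:
    """Compare the archive digest with the sidecar's 'hash  filename' line
    (sha512sum format, as found in Apache dist/ folders)."""
    sidecar = archive.with_name(archive.name + ".sha512")
    expected = sidecar.read_text().split()[0].lower()
    return hashlib.sha512(archive.read_bytes()).hexdigest() == expected


def layout_problems(archive: Path) -> List[str]:
    """Check the archive against the proposed layout: every library has its
    own .asc inside the package and README.txt is a clearsigned text."""
    problems = []
    with zipfile.ZipFile(archive) as z:
        names = set(z.namelist())
        libs = [n for n in names if n.endswith(LIB_SUFFIXES)]
        if not libs:
            problems.append("no library file in archive")
        for lib in libs:
            if lib + ".asc" not in names:
                problems.append("missing signature for " + lib)
        if "README.txt" not in names:
            problems.append("README.txt missing")
        else:
            text = z.read("README.txt").decode("utf-8", "replace")
            if not (text.startswith("-----BEGIN PGP SIGNED MESSAGE-----")
                    and "-----BEGIN PGP SIGNATURE-----" in text):
                problems.append("README.txt is not clearsigned")
    return problems


def gpg_verify(signed: Path, sig: Optional[Path] = None) -> bool:
    """Run gpg --verify: detached .asc when sig is given (package or library),
    clearsigned file otherwise (README.txt).  Needs gpg and the release key."""
    cmd = ["gpg", "--batch", "--verify"] + ([str(sig)] if sig else []) + [str(signed)]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def install_library(archive: Path, program_dir: Path, lib_name: str) -> Path:
    """Steps 5 and 6 of the macOS recipe: keep <lib>.original as a backup,
    then drop in the new file.  Step 1 (OpenOffice not running) is left to
    the operator.  Refuses to run if the install path looks wrong or a
    backup already exists, so a second run cannot clobber the original."""
    target = program_dir / lib_name
    backup = program_dir / (lib_name + ".original")
    if not target.exists():
        raise FileNotFoundError(f"{target} not found; wrong install path?")
    if backup.exists():
        raise FileExistsError(f"{backup} exists; refusing to overwrite it")
    with zipfile.ZipFile(archive) as z:
        data = z.read(lib_name)
    target.rename(backup)
    target.write_bytes(data)
    shutil.copymode(backup, target)      # keep the original permission bits
    return backup


def demo() -> Dict[str, object]:
    """Build a constructed sample package (fake bytes, placeholder signature
    blocks), run the whole flow, then tamper with the archive."""
    work = Path(tempfile.mkdtemp())
    readme = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
              "Hotfix for CVE-2016-1513 (constructed sample README)\n"
              "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n"
              "-----END PGP SIGNATURE-----\n")
    archive = work / "openoffice-4.1.2-patch1-macosx.zip"     # assumed name
    with zipfile.ZipFile(archive, "w") as z:
        z.writestr("libtl.dylib", b"new libtl")
        z.writestr("libtl.dylib.asc", "(placeholder detached signature)")
        z.writestr("README.txt", readme)
    digest = hashlib.sha512(archive.read_bytes()).hexdigest()
    archive.with_name(archive.name + ".sha512").write_text(
        f"{digest}  {archive.name}\n")
    program = work / "OpenOffice4" / "program"                 # assumed path
    program.mkdir(parents=True)
    (program / "libtl.dylib").write_bytes(b"old libtl")
    result = {"hash_ok": sha512_matches(archive),
              "problems": layout_problems(archive)}
    if result["hash_ok"] and not result["problems"]:
        backup = install_library(archive, program, "libtl.dylib")
        result["backup"] = backup.read_bytes()
        result["installed"] = (program / "libtl.dylib").read_bytes()
    with archive.open("ab") as f:        # simulate a modified download
        f.write(b"\x00")
    result["tamper_detected"] = not sha512_matches(archive)
    shutil.rmtree(work)
    return result
```

Run gpg_verify() on the .zip.asc, on each inner .asc and on README.txt before install_library() when the release key is available; demo() only exercises the hash, layout and backup-and-replace steps.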


Re: Officially releasing a patch for CVE-2016-1513

Posted by Kay Schenk <ka...@gmail.com>.

On 08/01/2016 07:38 PM, Dennis E. Hamilton wrote:
> 
> 
>> -----Original Message-----
>> From: Kay Schenk [mailto:kay.schenk@gmail.com]
>> Sent: Monday, August 1, 2016 15:43
>> To: dev@openoffice.apache.org
>> Subject: Re: Officially releasing a patch for CVE-2016-1513
>>
>>
>> On 07/31/2016 05:17 PM, Dennis E. Hamilton wrote:
>>>
>>>
>>>> -----Original Message-----
>>>> From: Kay Schenk@apache.org [mailto:kschenk@apache.org]
>>>> Sent: Sunday, July 31, 2016 14:42
>>>> To: dev@openoffice.apache.org
>>>> Subject: Re: Officially releasing a patch for CVE-2016-1513
>>>>
>>>> OK, I think I'm done with the Linux64 bit area as well.
>>>>
>>>> And see below ....
>>>>
>>>>
>>>> On 07/31/2016 01:10 PM, Marcus wrote:
>>> [ ... ]
>>>>> I'm preparing the hotfix webpage. For this I've some questions:
>>>>>
>>>>> 1. Do we want to provide zip files for every platform or just single
>>>>> files for the library and other files?
>>>>
>>>> Hmmmm... I assumed we would just point people directly at
>>>> /dist/release/openoffice/patches.
>>>> (Right now, these are in /dist/dev/openoffice/patches.)
>>>>
>>>> It would be easiest to just setup the hotfix page with three links
>> per
>>>> distro.
>>>>
>>>> Linux32
>>>> * link to Linux32.README
>>>> * link to linux32 libtl.so
>>>> * link to linux32 libtl.so.asc (sig)
>>>>
>>>> etc.
>>>>
>>>> If not, the READMEs I wrote will need to change.
>>> [orcmid]
>>>
>>> I recommend there should be single-file (e.g., Zip) distributions,
>> just like all other binaries.  That gives just one thing to download.
>> The MD5, SHA512, and ASC signatures should be on the whole package and
>> stay in the dev/ and release/ folders, just as they are on download
>> pages.  (The ASC signatures on the individual library-file binaries
>> should be inside the package.)  I suspect, on the dev/ side, we might
>> need copies of the READMEs alongside the archives, and revised more
>> regularly,
>>
>> I was OK up to this statement. Are you saying INCLUDE the readmes in the
>> zip package but leave them outside of where they now are? If we want
>> signed zip files, can't we just leave the files we have now in:
>>
>> https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/
>>
>> but zip them up as well, including the READMEs?
>> Or, are you saying at distribution time, remove the libraries and their
>> sigs but leave the README files?
>> We have these in their own labeled area -- 4.1.2-patch1 -- so I don't
>> see a problem with just leaving everything there.
>>
> [orcmid] 
> 
> I'll do what I mean by example when I upload the Windows case by tomorrow morning, at the latest.
> 
> Then it will be easier to talk about it.
> 
>  - Dennis
> 

OK, great... it looks like we are still lacking a MacOSX README. Any
volunteers?
Even if you can't or don't want to commit to:
https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/

Please send to this list as a ".txt" attachment and we should be able to
receive it.

Thanks in advance for your help.

>>> so they can be reviewed and revised easily as we get QA and trial use.
>> When we move over to release/ we might want to do the same, even though
>> the README is in the archive, so that people can read it without
>> downloading the package.
>>>
>>> Finally, please use README.txt, etc., so that line-ending adjustments
>> will happen properly when folks move these in and out of SVN and also
>> out of archive files.  This will also help browsers when folks retrieve
>> these directly from the repository.
>>>
>>> PS: If we are concerned about the README.txt outside of the archive
>> being authenticated, it can have an embedded PGP signature.  (Then the
>> final archive-internal one would be a copy of the signed README.txt --
>> no biggie, nice chain of custody).
>>>
>>> [ ... ]
>>>





RE: Officially releasing a patch for CVE-2016-1513

Posted by "Dennis E. Hamilton" <de...@acm.org>.

> -----Original Message-----
> From: Kay Schenk [mailto:kay.schenk@gmail.com]
> Sent: Monday, August 1, 2016 15:43
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
> 
> 
> On 07/31/2016 05:17 PM, Dennis E. Hamilton wrote:
> >
> >
> >> -----Original Message-----
> >> From: Kay Schenk@apache.org [mailto:kschenk@apache.org]
> >> Sent: Sunday, July 31, 2016 14:42
> >> To: dev@openoffice.apache.org
> >> Subject: Re: Officially releasing a patch for CVE-2016-1513
> >>
> >> OK, I think I'm done with the Linux64 bit area as well.
> >>
> >> And see below ....
> >>
> >>
> >> On 07/31/2016 01:10 PM, Marcus wrote:
> > [ ... ]
> >>> I'm preparing the hotfix webpage. For this I've some questions:
> >>>
> >>> 1. Do we want to provide zip files for every platform or just single
> >>> files for the library and other files?
> >>
> >> Hmmmm... I assumed we would just point people directly at
> >> /dist/release/openoffice/patches.
> >> (Right now, these are in /dist/dev/openoffice/patches.)
> >>
> >> It would be easiest to just setup the hotfix page with three links
> per
> >> distro.
> >>
> >> Linux32
> >> * link to Linux32.README
> >> * link to linux32 libtl.so
> >> * link to linux32 libtl.so.asc (sig)
> >>
> >> etc.
> >>
> >> If not, the READMEs I wrote will need to change.
> > [orcmid]
> >
> > I recommend there should be single-file (e.g., Zip) distributions,
> just like all other binaries.  That gives just one thing to download.
> The MD5, SHA512, and ASC signatures should be on the whole package and
> stay in the dev/ and release/ folders, just as they are on download
> pages.  (The ASC signatures on the individual library-file binaries
> should be inside the package.)  I suspect, on the dev/ side, we might
> need copies of the READMEs alongside the archives, and revised more
> regularly,
> 
> I was OK up to this statement. Are you saying INCLUDE the readmes in the
> zip package but leave them outside of where they now are? If we want
> signed zip files, can't we just leave the files we have now in:
> 
> https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/
> 
> but zip them up as well, including the READMEs?
> Or, are you saying at distribution time, remove the libraries and their
> sigs but leave the README files?
> We have these in their own labeled area -- 4.1.2-patch1 -- so I don't
> see a problem with just leaving everything there.
> 
[orcmid] 

I'll do what I mean by example when I upload the Windows case by tomorrow morning, at the latest.

Then it will be easier to talk about it.

 - Dennis

> > so they can be reviewed and revised easily as we get QA and trial use.
> When we move over to release/ we might want to do the same, even though
> the README is in the archive, so that people can read it without
> downloading the package.
> >
> > Finally, please use README.txt, etc., so that line-ending adjustments
> will happen properly when folks move these in and out of SVN and also
> out of archive files.  This will also help browsers when folks retrieve
> these directly from the repository.
> >
> > PS: If we are concerned about the README.txt outside of the archive
> being authenticated, it can have an embedded PGP signature.  (Then the
> final archive-internal one would be a copy of the signed README.txt --
> no biggie, nice chain of custody).
> >
> > [ ... ]
> >
> >
> >
> 
> 




Re: Officially releasing a patch for CVE-2016-1513

Posted by Kay Schenk <ka...@gmail.com>.
On 07/31/2016 05:17 PM, Dennis E. Hamilton wrote:
> 
> 
>> -----Original Message-----
>> From: Kay Schenk@apache.org [mailto:kschenk@apache.org]
>> Sent: Sunday, July 31, 2016 14:42
>> To: dev@openoffice.apache.org
>> Subject: Re: Officially releasing a patch for CVE-2016-1513
>>
>> OK, I think I'm done with the Linux64 bit area as well.
>>
>> And see below ....
>>
>>
>> On 07/31/2016 01:10 PM, Marcus wrote:
> [ ... ]
>>> I'm preparing the hotfix webpage. For this I've some questions:
>>>
>>> 1. Do we want to provide zip files for every platform or just single
>>> files for the library and other files?
>>
>> Hmmmm... I assumed we would just point people directly at
>> /dist/release/openoffice/patches.
>> (Right now, these are in /dist/dev/openoffice/patches.)
>>
>> It would be easiest to just setup the hotfix page with three links per
>> distro.
>>
>> Linux32
>> * link to Linux32.README
>> * link to linux32 libtl.so
>> * link to linux32 libtl.so.asc (sig)
>>
>> etc.
>>
>> If not, the READMEs I wrote will need to change.
> [orcmid] 
> 
> I recommend there should be single-file (e.g., Zip) distributions, just like all other binaries.  That gives just one thing to download.  The MD5, SHA512, and ASC signatures should be on the whole package and stay in the dev/ and release/ folders, just as they are on download pages.  (The ASC signatures on the individual library-file binaries should be inside the package.)  I suspect, on the dev/ side, we might need copies of the READMEs alongside the archives, and revised more regularly,

I was OK up to this statement. Are you saying INCLUDE the readmes in the
zip package but leave them outside of where they now are? If we want
signed zip files, can't we just leave the files we have now in:

https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/

but zip them up as well, including the READMEs?
Or, are you saying at distribution time, remove the libraries and their
sigs but leave the README files?
We have these in their own labeled area -- 4.1.2-patch1 -- so I don't
see a problem with just leaving everything there.

> so they can be reviewed and revised easily as we get QA and trial use.  When we move over to release/ we might want to do the same, even though the README is in the archive, so that people can read it without downloading the package.
> 
> Finally, please use README.txt, etc., so that line-ending adjustments will happen properly when folks move these in and out of SVN and also out of archive files.  This will also help browsers when folks retrieve these directly from the repository.
> 
> PS: If we are concerned about the README.txt outside of the archive being authenticated, it can have an embedded PGP signature.  (Then the final archive-internal one would be a copy of the signed README.txt -- no biggie, nice chain of custody).
> 
> [ ... ]
> 
> 
> 




RE: Officially releasing a patch for CVE-2016-1513

Posted by "Dennis E. Hamilton" <de...@acm.org>.

> -----Original Message-----
> From: Patricia Shanahan [mailto:pats@acm.org]
> Sent: Sunday, July 31, 2016 21:37
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
> 
> 
> 
> On 7/31/2016 5:17 PM, Dennis E. Hamilton wrote:
> >
> >
> >> -----Original Message-----
> >> From: Kay Schenk@apache.org [mailto:kschenk@apache.org]
> >> Sent: Sunday, July 31, 2016 14:42
> >> To: dev@openoffice.apache.org
> >> Subject: Re: Officially releasing a patch for CVE-2016-1513
> >>
> >> OK, I think I'm done with the Linux64 bit area as well.
> >>
> >> And see below ....
> >>
> >>
> >> On 07/31/2016 01:10 PM, Marcus wrote:
> > [ ... ]
> >>> I'm preparing the hotfix webpage. For this I've some questions:
> >>>
> >>> 1. Do we want to provide zip files for every platform or just single
> >>> files for the library and other files?
> >>
> >> Hmmmm... I assumed we would just point people directly at
> >> /dist/release/openoffice/patches.
> >> (Right now, these are in /dist/dev/openoffice/patches.)
> >>
> >> It would be easiest to just setup the hotfix page with three links
> per
> >> distro.
> >>
> >> Linux32
> >> * link to Linux32.README
> >> * link to linux32 libtl.so
> >> * link to linux32 libtl.so.asc (sig)
> >>
> >> etc.
> >>
> >> If not, the READMEs I wrote will need to change.
> > [orcmid]
> >
> > I recommend there should be single-file (e.g., Zip) distributions,
> just like all other binaries.  That gives just one thing to download.
> The MD5, SHA512, and ASC signatures should be on the whole package and
> stay in the dev/ and release/ folders, just as they are on download
> pages.  (The ASC signatures on the individual library-file binaries
> should be inside the package.)  I suspect, on the dev/ side, we might
> need copies of the READMEs alongside the archives, and revised more
> regularly, so they can be reviewed and revised easily as we get QA and
> trial use.  When we move over to release/ we might want to do the same,
> even though the README is in the archive, so that people can read it
> without downloading the package.
> >
> > Finally, please use README.txt, etc., so that line-ending adjustments
> will happen properly when folks move these in and out of SVN and also
> out of archive files.  This will also help browsers when folks retrieve
> these directly from the repository.
> >
> > PS: If we are concerned about the README.txt outside of the archive
> being authenticated, it can have an embedded PGP signature.  (Then the
> final archive-internal one would be a copy of the signed README.txt --
> no biggie, nice chain of custody).
> >
> > [ ... ]
> 
> For the end user, this is incredibly, painfully more complicated than
> downloading and installing a new version.
[orcmid] 

Indeed it is.  I think there is no question how daunting this might be and we must be very careful with this.

The README.txt cannot be comprehensive for what a casual user might require, and a power user of OpenOffice might not be much of a power user of Windows.  That has to be taken into account.    

Is there a suggestion lurking in the observation?

 - Dennis
> 




Re: Officially releasing a patch for CVE-2016-1513

Posted by Andrea Pescetti <pe...@apache.org>.
Patricia Shanahan wrote:
> For the end user, this is incredibly, painfully more complicated than
> downloading and installing a new version.

It is. We must make clear that this is a "convenience" update made 
available to power users, but at the same time state clearly that this 
(non-critical) vulnerability will be fixed in the next release. Now the 
patch is applied to all active branches, so whatever we release will 
surely contain the fix.

Regards,
   Andrea.



Re: Officially releasing a patch for CVE-2016-1513

Posted by Patricia Shanahan <pa...@acm.org>.

On 7/31/2016 5:17 PM, Dennis E. Hamilton wrote:
>
>
>> -----Original Message-----
>> From: Kay Schenk@apache.org [mailto:kschenk@apache.org]
>> Sent: Sunday, July 31, 2016 14:42
>> To: dev@openoffice.apache.org
>> Subject: Re: Officially releasing a patch for CVE-2016-1513
>>
>> OK, I think I'm done with the Linux64 bit area as well.
>>
>> And see below ....
>>
>>
>> On 07/31/2016 01:10 PM, Marcus wrote:
> [ ... ]
>>> I'm preparing the hotfix webpage. For this I've some questions:
>>>
>>> 1. Do we want to provide zip files for every platform or just single
>>> files for the library and other files?
>>
>> Hmmmm... I assumed we would just point people directly at
>> /dist/release/openoffice/patches.
>> (Right now, these are in /dist/dev/openoffice/patches.)
>>
>> It would be easiest to just setup the hotfix page with three links per
>> distro.
>>
>> Linux32
>> * link to Linux32.README
>> * link to linux32 libtl.so
>> * link to linux32 libtl.so.asc (sig)
>>
>> etc.
>>
>> If not, the READMEs I wrote will need to change.
> [orcmid]
>
> I recommend there should be single-file (e.g., Zip) distributions, just like all other binaries.  That gives just one thing to download.  The MD5, SHA512, and ASC signatures should be on the whole package and stay in the dev/ and release/ folders, just as they are on download pages.  (The ASC signatures on the individual library-file binaries should be inside the package.)  I suspect, on the dev/ side, we might need copies of the READMEs alongside the archives, and revised more regularly, so they can be reviewed and revised easily as we get QA and trial use.  When we move over to release/ we might want to do the same, even though the README is in the archive, so that people can read it without downloading the package.
>
> Finally, please use README.txt, etc., so that line-ending adjustments will happen properly when folks move these in and out of SVN and also out of archive files.  This will also help browsers when folks retrieve these directly from the repository.
>
> PS: If we are concerned about the README.txt outside of the archive being authenticated, it can have an embedded PGP signature.  (Then the final archive-internal one would be a copy of the signed README.txt -- no biggie, nice chain of custody).
>
> [ ... ]

For the end user, this is incredibly, painfully more complicated than 
downloading and installing a new version.
