RE: [DISCUSS] Issue 125954 unhiding "hidden" content on e-mail send of document

["Dennis E. Hamilton" <de...@acm.org>]

> -----Original Message-----
> From: Carl Marcum [mailto:cmarcum@apache.org]
> Sent: Saturday, April 30, 2016 14:57
> To: dev@openoffice.apache.org
> Subject: Re: [DISCUSS] Issue 125954 unhiding "hidden" content on e-mail
> send of document
> 
> On 04/30/2016 05:07 PM, Kay Schenk wrote:
> > On Fri, Apr 29, 2016 at 3:53 PM, Dennis E. Hamilton
> <dennis.hamilton@acm.org
> >> wrote:
> >>> -----Original Message-----
> >>> From: Kay Schenk [mailto:kay.schenk@gmail.com]
> >>> Sent: Friday, April 29, 2016 13:28
> >>> To: dev@openoffice.apache.org
> >>> Subject: Re: [DISCUSS] Issue 125954 unhiding "hidden" content on e-
> mail
> >>> send of document
> >>>
> >>>
> >>>
> >>> On 04/26/2016 03:39 AM, Carl Marcum wrote:
> >> [ ... ]
> >>>> I think If there is one Email command, the user should then be
> >>> presented
> >>>> a choice. It could just be a choice of 2 buttons.
> >>>>
> >>>> The checkbox I was thinking of would be in a dialog after the email
> >>>> command was selected to include or remove hidden content prior to
> >>>> continuing.
> >>>>
> >>>> Thanks,
> >>>> Carl
> >>> The feedback is really appreciated.I haven't tested the patch yet.
> I'm
> >>> hoping to get to it soon.
> >>> In any case, what would anyone think about using the checkbox
> approach
> >>> but have it NOT saved with the document if that is possible. This
> way,
> >>> it would need to be rechecked each time it is needed, as opposed to
> >>> accidentally cause security issues.
> >> [orcmid]
> >>
> >> There's a little more forensic work at the issue itself now,
> >> <https://bz.apache.org/ooo/show_bug.cgi?id=125954>.
> >>
> > ​Yes, there has been and it is very interesting to say the least.
> Thanks
> > for the extensive testing on this.
> > 
> >
> >
> >> This can be done with a check box rather than two radio buttons.  If
> we
> >> take this route, which I feel works against the dominant community of
> >> casual users, the choice to remove hidden content should be pre-
> selected.
> >>
> >> Also, will this choice be required whether or not there is hidden
> >> content?  That can have its own usability and user-confidence
> consequences
> >> with respect to casual users and might still be an annoyance to
> expert
> >> users.
> >>
> >> This might be something worth polling the users@ list about.
> >>
> > ​I think that might be worthwhile. I don't really have any idea how
> often
> > "hidden content" is used in OpenOffice, or what users' expectations
> are
> > about it.
> > 
> 
> My experience with hidden content in an enterprise environment is that
> the hidden content is often "help" type information and should stay with
> the document as it is moved around the organization for review or
> approval.
> 
> Our wiki has many examples of such documents with this type of content
> that were the original specifications by Sun where they include a
> toolbar and macros for hide/unhide, add sections, etc. Removing this
> content will break this functionality.
> Here are a few examples:
> 
> http://www.openoffice.org/specs/ui_in_general/menus/Menus.odt
> http://www.openoffice.org/specs/appwide/packagemanager/simple_extension_
> license.odt
[orcmid] 

That's useful confirmation that this happens under expert-use conditions.  

Thank you.  

I am not clear what to make of this in regard to the question of Send > Document as E-mail ... preservation of hidden content though.

I just discovered an interesting security-related edge case.  Apache OpenOffice will provide digital signatures on documents having hidden content.  LibreOffice 5.0.0 will reject those signatures and it will fail to sign such documents itself.

I can't check myself.  My unverified theory is that if Apache OpenOffice accepts a request to send such a signed document, it will probably break/remove the signature always but certainly if it sends the document with hidden content removed.

I don't know how this informs any determination of resolution for the hidden-content stripping situation.

> 
> Thanks,
> Carl
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
> For additional commands, e-mail: dev-help@openoffice.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org

Re: [DISCUSS] Issue 125954 unhiding "hidden" content on e-mail send of document

[Carl Marcum <cm...@apache.org>]

On 05/01/2016 07:56 PM, Dennis E. Hamilton wrote:
>
>> -----Original Message-----
>> From: Carl Marcum [mailto:cmarcum@apache.org]
>> Sent: Saturday, April 30, 2016 14:57
>> To: dev@openoffice.apache.org
>> Subject: Re: [DISCUSS] Issue 125954 unhiding "hidden" content on e-mail
>> send of document
>>
>> On 04/30/2016 05:07 PM, Kay Schenk wrote:
>>> On Fri, Apr 29, 2016 at 3:53 PM, Dennis E. Hamilton
>> <dennis.hamilton@acm.org
>>>> wrote:
>>>>> -----Original Message-----
>>>>> From: Kay Schenk [mailto:kay.schenk@gmail.com]
>>>>> Sent: Friday, April 29, 2016 13:28
>>>>> To: dev@openoffice.apache.org
>>>>> Subject: Re: [DISCUSS] Issue 125954 unhiding "hidden" content on e-
>> mail
>>>>> send of document
>>>>>
>>>>>
>>>>>
>>>>> On 04/26/2016 03:39 AM, Carl Marcum wrote:
>>>> [ ... ]
>>>>>> I think If there is one Email command, the user should then be
>>>>> presented
>>>>>> a choice. It could just be a choice of 2 buttons.
>>>>>>
>>>>>> The checkbox I was thinking of would be in a dialog after the email
>>>>>> command was selected to include or remove hidden content prior to
>>>>>> continuing.
>>>>>>
>>>>>> Thanks,
>>>>>> Carl
>>>>> The feedback is really appreciated.I haven't tested the patch yet.
>> I'm
>>>>> hoping to get to it soon.
>>>>> In any case, what would anyone think about using the checkbox
>> approach
>>>>> but have it NOT saved with the document if that is possible. This
>> way,
>>>>> it would need to be rechecked each time it is needed, as opposed to
>>>>> accidentally cause security issues.
>>>> [orcmid]
>>>>
>>>> There's a little more forensic work at the issue itself now,
>>>> <https://bz.apache.org/ooo/show_bug.cgi?id=125954>.
>>>>
>>> \u200bYes, there has been and it is very interesting to say the least.
>> Thanks
>>> for the extensive testing on this.
>>>
>>>
>>>
>>>> This can be done with a check box rather than two radio buttons.  If
>> we
>>>> take this route, which I feel works against the dominant community of
>>>> casual users, the choice to remove hidden content should be pre-
>> selected.
>>>> Also, will this choice be required whether or not there is hidden
>>>> content?  That can have its own usability and user-confidence
>> consequences
>>>> with respect to casual users and might still be an annoyance to
>> expert
>>>> users.
>>>>
>>>> This might be something worth polling the users@ list about.
>>>>
>>> \u200bI think that might be worthwhile. I don't really have any idea how
>> often
>>> "hidden content" is used in OpenOffice, or what users' expectations
>> are
>>> about it.
>>>
>> My experience with hidden content in an enterprise environment is that
>> the hidden content is often "help" type information and should stay with
>> the document as it is moved around the organization for review or
>> approval.
>>
>> Our wiki has many examples of such documents with this type of content
>> that were the original specifications by Sun where they include a
>> toolbar and macros for hide/unhide, add sections, etc. Removing this
>> content will break this functionality.
>> Here are a few examples:
>>
>> http://www.openoffice.org/specs/ui_in_general/menus/Menus.odt
>> http://www.openoffice.org/specs/appwide/packagemanager/simple_extension_
>> license.odt
> [orcmid]
>
> That's useful confirmation that this happens under expert-use conditions.
>
> Thank you.
>
> I am not clear what to make of this in regard to the question of Send > Document as E-mail ... preservation of hidden content though.
>
> I just discovered an interesting security-related edge case.  Apache OpenOffice will provide digital signatures on documents having hidden content.  LibreOffice 5.0.0 will reject those signatures and it will fail to sign such documents itself.
>
> I can't check myself.  My unverified theory is that if Apache OpenOffice accepts a request to send such a signed document, it will probably break/remove the signature always but certainly if it sends the document with hidden content removed.
>
> I don't know how this informs any determination of resolution for the hidden-content stripping situation.
>
[cmarcum]

IMHO since the command "seems" like a shortcut to manually attaching the 
open document as-is to an email.  If it is not going behave the same way 
that at least a warning is given instructing the user of a loss of data 
and that if they do not wish this they should perform the manual 
operation or better yet provide a notice and a choice before continuing.

Just my 2 cents.
Carl


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org