Posted to dev@openoffice.apache.org by Knut H Flottorp <kh...@gmail.com> on 2014/10/12 00:41:52 UTC

Updates

Just a brief note:

Please, can we leave it now to Microsoft to distribute “Security Updates” - unless the fix is related to just security.

There are and always will be “bugs” out there, and these must be fixed. But most bugs are not related to security, nothing is compromised if you do not apply the fix, nothing is risked, except that your software may become more stable and robust.

If Open Office provides security such as encryption of documents, password locks, digital certificates - and the use of these is threatened and has been fixed, then it is a “Security fix”, but most bugs are not related to security here and the term should not be abused.


Knut H. F,
Strictly off the record ....
Oslo
Email: khflottorp@yahoo.com

Skype: knuthf

RE: Updates

Posted by "Dennis E. Hamilton" <de...@acm.org>.
<orcnote> below.

-----Original Message-----
From: Knut H Flottorp [mailto:khflottorp@gmail.com] 
Sent: Saturday, October 11, 2014 15:42
To: dev@openoffice.apache.org
Subject: Updates

Just a brief note:

Please, can we leave it now to Microsoft to distribute “Security Updates” - unless the fix is related to just security.

There are and always will be “bugs” out there, and these must be fixed. But most bugs are not related to security, nothing is compromised if you do not apply the fix, nothing is risked, except that your software may become more stable and robust.

If Open Office provides security such as encryption of documents, password locks, digital certificates - and the use of these is threatened and has been fixed, then it is a “Security fix”, but most bugs are not related to security here and the term should not be abused.


<orcmid>
   This is rather vague.  Are you referring to the fact that AOO 4.1.1 includes 2 security fixes?

   There are also security fixes when there is a *vulnerability* that has been exposed in AOO.  
   These repairs generally come out as part of a regular update and that is what those two are about.

   That is a different class of bug.  In general, specific details of the vulnerability that is
   removed are provided in separate notices separate from the usual release notes.  

   It does appear that the security bulletins have not been updated for 4.1.1 as promised 
   though: <https://www.openoffice.org/security/bulletin.html>.  This may be intentional if
   there is need to ensure that other software having the same vulnerability needs time to
   update before the vulnerability is disclosed.

   Fixes to privacy and security related features need not be security fixes in that sense. 
   For example, addition of XAdES support to the handling of digitally-signed documents would 
   simply be release of a feature.  (It is unfortunate that passwords on protection locks are
   still identified as security features.  They are not.  See
   <https://tools.oasis-open.org/version-control/svn/oic/Advisories/00009-ProtectionKeySafety/trunk/description.html>.)
</orcmid>


