Posted to dev@openoffice.apache.org by "GAN Kok Leong, Adrian" <ga...@stee.stengg.com> on 2016/12/20 07:48:20 UTC

SSDLC Compliance - OpenOffice

Hi,

I would like to find out whether OpenOffice versions 3.3 and 3.3.1 are developed according to, and comply with, a Secure Software Development Life Cycle?

Regards
Adrian Gan


[This e-mail is confidential and may be privileged. If you are not the
intended recipient, please kindly notify us immediately and delete the message
from your system; please do not copy or use it for any purpose, nor disclose
its contents to any other person. Thank you.]
---ST Electronics Group---

RE: SSDLC Compliance - OpenOffice

Posted by "Dennis E. Hamilton" <or...@apache.org>.
Comments in-line.

> -----Original Message-----
> From: Peter Kovacs [mailto:leginee@gmail.com]
> Sent: Tuesday, December 20, 2016 01:41
> To: dev <de...@openoffice.apache.org>; gan.kokleong.adrian@stee.stengg.com
> Subject: Re: SSDLC Compliance - OpenOffice
> 
> As usual I forgot to add people probably not subscribed to the list.
> 
> Peter Kovacs <le...@gmail.com> wrote on Tue, 20 Dec 2016, 10:39:
> 
> > Hi,
> >
> > Can you elaborate on this?
> > Do you simply want to know or do you need this as an official statement?
> > I think you are querying the wrong project if you need an official response.
> > OpenOffice 3.3.1 and older were maintained by Oracle. I am not sure if
> > Apache Foundation has the right to speak for this time. As LibreOffice we
> > are a successor to Oracle OpenOffice Project.
> >
> > This is of course my personal opinion. I am not sure if Apache Foundation
> > has the same opinion as me on this.
> >
> > All the best
> > Peter
> >
> > GAN Kok Leong, Adrian <ga...@stee.stengg.com> wrote on
> > Tue, 20 Dec 2016, 08:50:
> >
> > Hi,
> >
> > I would like to find out whether OpenOffice versions 3.3 and 3.3.1 are
> > developed according to, and comply with, a Secure Software Development Life Cycle?
[orcmid] 

I am confident that there were no Capability Maturity Model or related assurance processes applied when OpenOffice.org was developed under the umbrella of Sun Microsystems and then Oracle Corporation.

At Apache OpenOffice, there is no such process, including for the Secure Software Development Life Cycle, if you are referring to <https://www.us-cert.gov/bsi/articles/knowledge/sdlc-process/secure-software-development-life-cycle-processes>.

There is no means for assessment of Trusted CMM for Apache OpenOffice, since there is no process management in the sense involved in the Capability Maturity Model.  Lacking process management, there is also no accountability concerning processes in the sense considered in the CMM.  Those with a sense of humor would consider this to be somewhere less than CMM Level 1.

It is not clear to me how open-source governance, providing software free to the public without warranty and entirely driven by a meritocracy of unpaid volunteers who choose what and how they work on something, would accomplish this.  In any case, it is not a consideration at Apache OpenOffice.  I cannot recall ever seeing anything recognizable as the activities identified at <https://www.owasp.org/index.php/Secure_SDLC_Cheat_Sheet>.

I cannot speak for LibreOffice.  There might be more management structure than for Apache projects.  I believe there is a core engineering team.  Whether there is much attention to SSDLC processes and the necessary accountability and concrete assessment is something that needs to be discussed with the LibreOffice team.  Speculations here on dev@oo.a.o are useless.  Most of the claims I see about dependability or lack thereof are anecdotal and based on sparse evidence.

Although the Microsoft Security Development Lifecycle (SDL) is a security assurance process that might be adaptable, I am not aware of any effort to investigate that for open-source projects such as OpenOffice, and my suspicion is that there is no such interest (more likely, that there would be hostility) despite the good reputation of that process, <https://www.microsoft.com/en-us/sdl/default.aspx>.  I have never seen threat modeling performed at Apache OpenOffice, for example.

Thanks for asking.  It is a great question.

 - Dennis


> >
> > Regards
> > Adrian Gan
> >
> >
> >
> > --
> >
> > Disclaimer: This message comes from a Google account. Your reply will be
> > stored in the Google Cloud and scanned by Google algorithms for advertising
> > analysis. It currently cannot be ruled out that your message will also be
> > checked by an NSA employee. By communicating with this account you agree
> > that your mail, your contact details and the appointments you make with me
> > will be stored online in the Google Cloud under Google's terms. If you do
> > not wish this, please contact me immediately, e.g. to negotiate
> > alternatives.
> >




Re: SSDLC Compliance - OpenOffice

Posted by Peter Kovacs <le...@gmail.com>.
As usual I forgot to add people probably not subscribed to the list.

Peter Kovacs <le...@gmail.com> wrote on Tue, 20 Dec 2016, 10:39:

> Hi,
>
> Can you elaborate on this?
> Do you simply want to know or do you need this as an official statement?
> I think you are querying the wrong project if you need an official response.
> OpenOffice 3.3.1 and older were maintained by Oracle. I am not sure if
> Apache Foundation has the right to speak for this time. As LibreOffice we
> are a successor to Oracle OpenOffice Project.
>
> This is of course my personal opinion. I am not sure if Apache Foundation
> has the same opinion as me on this.
>
> All the best
> Peter
>
> GAN Kok Leong, Adrian <ga...@stee.stengg.com> wrote on
> Tue, 20 Dec 2016, 08:50:
>
> Hi,
>
> I would like to find out whether OpenOffice versions 3.3 and 3.3.1 are
> developed according to, and comply with, a Secure Software Development Life Cycle?
>
> Regards
> Adrian Gan
>
>
>

Re: SSDLC Compliance - OpenOffice

Posted by Peter Kovacs <le...@gmail.com>.
Hi,

Can you elaborate on this?
Do you simply want to know or do you need this as an official statement?
I think you are querying the wrong project if you need an official response.
OpenOffice 3.3.1 and older were maintained by Oracle. I am not sure if
Apache Foundation has the right to speak for this time. As LibreOffice we
are a successor to Oracle OpenOffice Project.

This is of course my personal opinion. I am not sure if Apache Foundation
has the same opinion as me on this.

All the best
Peter

GAN Kok Leong, Adrian <ga...@stee.stengg.com> wrote on Tue,
20 Dec 2016, 08:50:

> Hi,
>
> I would like to find out whether OpenOffice versions 3.3 and 3.3.1 are
> developed according to, and comply with, a Secure Software Development Life Cycle?
>
> Regards
> Adrian Gan
>
>
>