openoffice-dev mailing list archives

From Carl Marcum <cmar...@apache.org>
Subject Re: [DISCUSS] Issue 125954 unhiding "hidden" content on e-mail send of document
Date Mon, 02 May 2016 02:04:37 GMT
On 05/01/2016 07:56 PM, Dennis E. Hamilton wrote:
>
>> -----Original Message-----
>> From: Carl Marcum [mailto:cmarcum@apache.org]
>> Sent: Saturday, April 30, 2016 14:57
>> To: dev@openoffice.apache.org
>> Subject: Re: [DISCUSS] Issue 125954 unhiding "hidden" content on e-mail
>> send of document
>>
>> On 04/30/2016 05:07 PM, Kay Schenk wrote:
>>> On Fri, Apr 29, 2016 at 3:53 PM, Dennis E. Hamilton <dennis.hamilton@acm.org> wrote:
>>>>> -----Original Message-----
>>>>> From: Kay Schenk [mailto:kay.schenk@gmail.com]
>>>>> Sent: Friday, April 29, 2016 13:28
>>>>> To: dev@openoffice.apache.org
>>>>> Subject: Re: [DISCUSS] Issue 125954 unhiding "hidden" content on e-mail
>>>>> send of document
>>>>>
>>>>>
>>>>>
>>>>> On 04/26/2016 03:39 AM, Carl Marcum wrote:
>>>> [ ... ]
>>>>>> I think if there is one Email command, the user should then be presented
>>>>>> a choice. It could just be a choice of 2 buttons.
>>>>>>
>>>>>> The checkbox I was thinking of would be in a dialog after the email
>>>>>> command was selected to include or remove hidden content prior to
>>>>>> continuing.
>>>>>>
>>>>>> Thanks,
>>>>>> Carl
>>>>> The feedback is really appreciated. I haven't tested the patch yet. I'm
>>>>> hoping to get to it soon.
>>>>> In any case, what would anyone think about using the checkbox approach
>>>>> but have it NOT saved with the document if that is possible. This way,
>>>>> it would need to be rechecked each time it is needed, as opposed to
>>>>> accidentally causing security issues.
>>>> [orcmid]
>>>>
>>>> There's a little more forensic work at the issue itself now,
>>>> <https://bz.apache.org/ooo/show_bug.cgi?id=125954>.
>>>>
>>> Yes, there has been and it is very interesting to say the least. Thanks
>>> for the extensive testing on this.
>>>
>>>
>>>
>>>> This can be done with a check box rather than two radio buttons.  If we
>>>> take this route, which I feel works against the dominant community of
>>>> casual users, the choice to remove hidden content should be pre-selected.
>>>> Also, will this choice be required whether or not there is hidden
>>>> content?  That can have its own usability and user-confidence consequences
>>>> with respect to casual users and might still be an annoyance to expert
>>>> users.
>>>>
>>>> This might be something worth polling the users@ list about.
>>>>
>>> I think that might be worthwhile. I don't really have any idea how often
>>> "hidden content" is used in OpenOffice, or what users' expectations are
>>> about it.
>>>
>> My experience with hidden content in an enterprise environment is that
>> the hidden content is often "help" type information and should stay with
>> the document as it is moved around the organization for review or
>> approval.
>>
>> Our wiki has many examples of such documents with this type of content
>> that were the original specifications by Sun where they include a
>> toolbar and macros for hide/unhide, add sections, etc. Removing this
>> content will break this functionality.
>> Here are a few examples:
>>
>> http://www.openoffice.org/specs/ui_in_general/menus/Menus.odt
>> http://www.openoffice.org/specs/appwide/packagemanager/simple_extension_license.odt
> [orcmid]
>
> That's useful confirmation that this happens under expert-use conditions.
>
> Thank you.
>
> I am not clear what to make of this in regard to the question of Send > Document as
> E-mail ... preservation of hidden content though.
>
> I just discovered an interesting security-related edge case.  Apache OpenOffice will
> provide digital signatures on documents having hidden content.  LibreOffice 5.0.0 will reject
> those signatures and it will fail to sign such documents itself.
>
> I can't check myself.  My unverified theory is that if Apache OpenOffice accepts a request
> to send such a signed document, it will probably break/remove the signature always but certainly
> if it sends the document with hidden content removed.
>
> I don't know how this informs any determination of resolution for the hidden-content
> stripping situation.
>
[cmarcum]

IMHO the command "seems" like a shortcut to manually attaching the
open document as-is to an email.  If it is not going to behave the same way,
then at least a warning should be given instructing the user of a loss of data
and that if they do not wish this they should perform the manual
operation, or better yet, provide a notice and a choice before continuing.

Just my 2 cents.
Carl

