openoffice-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Officially releasing a patch for CVE-2016-1513
Date Mon, 01 Aug 2016 00:17:59 GMT


> -----Original Message-----
> From: Kay Schenk@apache.org [mailto:kschenk@apache.org]
> Sent: Sunday, July 31, 2016 14:42
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
> 
> OK, I think I'm done with the LInux64 bit area as well.
> 
> And see below ....
> 
> 
> On 07/31/2016 01:10 PM, Marcus wrote:
[ ... ]
> > I'm preparing the hotfix webpage. For this I've some questions:
> >
> > 1. Do we want to provide zip files for every platform or just single
> > files for the library and other files?
> 
> Hmmmm... I assumed we would just be point people directly at
> /dist/release/openoffice/patches.
> (Right now, these are in /dist/dev/openoffice/patches.)
> 
> It would be easiest to just setup the hotfix page with three links per
> distro.
> 
> Linux32
> * link to Linux32.README
> * link to linux32 libtl.so
> * link to linux32 libtl.so.asc (sig)
> 
> etc.
> 
> If not, the READMEs I wrote will need to change.
[orcmid] 

I recommend there should be single-file (e.g., Zip) distributions, just like all other binaries.
 That gives just one thing to download.  The MD5, SHA512, and ASC signatures should be on
the whole package and stay in the dev/ and release/ folders, just as they are on download
pages.  (The ASC signatures on the individual library-file binaries should be inside the package.)
 I suspect, on the dev/ side, we might need copies of the READMEs alongside the archives,
and revised more regularly, so they can be reviewed and revised easily as we get QA and trial
use.  When we move over to release/ we might want to do the same, even though the README is
in the archive, so that people can read it without downloading the package.

Finally, please use README.txt, etc., so that line-ending adjustments will happen properly
when folks move these in and out of SVN and also out of archive files.  This will also help
browsers when folks retrieve these directly from the repository.

PS: If we are concerned about the README.txt outside of the archive being authenticated, it
can have an embedded PGP signature.  (Then the final archive-internal one would be a copy
of the signed README.txt -- no biggie, nice chain of custody).

[ ... ]


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org


Mime
View raw message