openoffice-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Officially releasing a patch for CVE-2016-1513
Date Mon, 01 Aug 2016 15:35:49 GMT


> -----Original Message-----
> From: Patricia Shanahan [mailto:pats@acm.org]
> Sent: Sunday, July 31, 2016 21:37
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
> 
> 
> 
> On 7/31/2016 5:17 PM, Dennis E. Hamilton wrote:
> >
> >
> >> -----Original Message-----
> >> From: Kay Schenk@apache.org [mailto:kschenk@apache.org]
> >> Sent: Sunday, July 31, 2016 14:42
> >> To: dev@openoffice.apache.org
> >> Subject: Re: Officially releasing a patch for CVE-2016-1513
> >>
> >> OK, I think I'm done with the Linux64 bit area as well.
> >>
> >> And see below ....
> >>
> >>
> >> On 07/31/2016 01:10 PM, Marcus wrote:
> > [ ... ]
> >>> I'm preparing the hotfix webpage. For this I've some questions:
> >>>
> >>> 1. Do we want to provide zip files for every platform or just single
> >>> files for the library and other files?
> >>
> >> Hmmmm... I assumed we would just be pointing people directly at
> >> /dist/release/openoffice/patches.
> >> (Right now, these are in /dist/dev/openoffice/patches.)
> >>
> >> It would be easiest to just set up the hotfix page with three links
> >> per distro.
> >>
> >> Linux32
> >> * link to Linux32.README
> >> * link to linux32 libtl.so
> >> * link to linux32 libtl.so.asc (sig)
> >>
> >> etc.
> >>
> >> If not, the READMEs I wrote will need to change.
> > [orcmid]
> >
> > I recommend there should be single-file (e.g., Zip) distributions,
> > just like all other binaries.  That gives just one thing to download.
> > The MD5, SHA512, and ASC signatures should be on the whole package and
> > stay in the dev/ and release/ folders, just as they are on download
> > pages.  (The ASC signatures on the individual library-file binaries
> > should be inside the package.)  I suspect, on the dev/ side, we might
> > need copies of the READMEs alongside the archives, and revised more
> > regularly, so they can be reviewed and revised easily as we get QA and
> > trial use.  When we move over to release/ we might want to do the same,
> > even though the README is in the archive, so that people can read it
> > without downloading the package.
> >
> > Finally, please use README.txt, etc., so that line-ending adjustments
> > will happen properly when folks move these in and out of SVN and also
> > out of archive files.  This will also help browsers when folks retrieve
> > these directly from the repository.
> >
> > PS: If we are concerned about the README.txt outside of the archive
> > being authenticated, it can have an embedded PGP signature.  (Then the
> > final archive-internal one would be a copy of the signed README.txt --
> > no biggie, nice chain of custody).
> >
> > [ ... ]
> 
> For the end user, this is incredibly, painfully more complicated than
> downloading and installing a new version.
[orcmid] 

Indeed it is.  I think there is no question how daunting this might be and we must be very
careful with this.

The README.txt cannot be comprehensive for what a casual user might require, and a power user
of OpenOffice might not be much of a power user of Windows.  That has to be taken into account.
   

Is there a suggestion lurking in the observation?

 - Dennis
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
> For additional commands, e-mail: dev-help@openoffice.apache.org
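
The packaging layout proposed in the thread (a digest over the whole archive, detached .asc signatures for the library files inside it, and a README.txt in the package) can be checked mechanically before a hotfix archive is published. The following is an added example, not code from the Apache OpenOffice project: the helper names, the archive contents and the "hex digest as first token" digest-file format are assumptions made for illustration, and the PGP signatures themselves still have to be verified separately with a PGP tool.

```python
import hashlib
import io
import zipfile

README = "README.txt"

def build_sample_archive(include_signature=True):
    """Build a constructed hotfix zip in memory (placeholder contents only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(README, "Constructed README text\n")
        zf.writestr("libtl.so", b"constructed library bytes")
        if include_signature:
            zf.writestr("libtl.so.asc", "constructed detached signature\n")
    return buf.getvalue()

def sha512_matches(archive_bytes, digest_file_text):
    """Compare the archive's SHA-512 with the first token of the digest file."""
    tokens = digest_file_text.split()
    if not tokens:
        return False
    return hashlib.sha512(archive_bytes).hexdigest() == tokens[0].lower()

def audit_hotfix(archive_bytes, digest_file_text):
    """Return a list of problems; an empty list means the layout checks pass."""
    if not sha512_matches(archive_bytes, digest_file_text):
        # Do not open an archive that already failed the whole-package digest.
        return ["SHA-512 of archive does not match the published digest"]
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = set(zf.namelist())
    problems = []
    if README not in names:
        problems.append("README.txt missing from the package")
    for name in sorted(names):
        if name == README or name.endswith((".asc", "/")):
            continue  # signatures and directory entries need no signature
        if name + ".asc" not in names:
            problems.append(name + ": no detached .asc signature inside the package")
    return problems

if __name__ == "__main__":
    # Constructed case: the library's .asc was left out of the package.
    archive = build_sample_archive(include_signature=False)
    digest_line = hashlib.sha512(archive).hexdigest() + "  hotfix.zip"
    for problem in audit_hotfix(archive, digest_line):
        print(problem)
```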

