incubator-general mailing list archives

From "Dennis E. Hamilton" <>
Subject RE: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir)
Date Thu, 12 Apr 2012 18:54:36 GMT

In fact, I posted to ooo-dev and ooo-users information on the significance of the vulnerability
and ways to mitigate it.

I was unsuccessful in posting instructions, after several failed attempts, for applying the
patch on Windows XP where the dialogs are different and have different consequences than described
in the Windows-patch PDF, which gives instructions for Windows 7.  (This has to do with an
over-zealous spam filter on our lists and I could not get around it.)  I have however put
what I could on the Media Wiki as the basis for a possible FAQ, using 

I can't do anything about the fact that the need for a Linux patch has not been resolved.
I can't do anything about the fact that the patch requires the confidence and experience
of a power user to apply on any platform.  I understand why that is; I can't do anything about
it myself beyond attempting to provide supporting information and supplementary instructions.

And I am, of course, a volunteer here.

I also don't see what that has to do with the relationship between the PPMC and ooo-security.
 That's about getting many eyes, not about where orcmid might exercise his heroic super powers.

 - Dennis

-----Original Message-----
From: Rob Weir [] 
Sent: Thursday, April 12, 2012 09:46
Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir)

On Thu, Apr 12, 2012 at 12:32 PM, Dennis E. Hamilton
<> wrote:
> I don't think the problem is with the size of the ooo-security list membership.  I think
> it is in the assumption that the [P]PMC has somehow delegated the ability to make a release
> of any kind to the ooo-security team.  I don't mean slip-streaming fixes and working off the
> public SVN until that happens.  I mean developing and deploying all the rest of what accompanies
> an advisory along with provision of a mitigation.
>
> The breakdowns were not in analyzing the reported vulnerability and the proof-of-exploit
> that accompanied it.  I assume that ooo-security acquitted itself well in that regard as well
> as with the coordination with other parties, including ones external to Apache, having common
> concerns.  The breakdown was in all of the non-security considerations and assumptions, even
> though they needed to be developed in confidence.  The PPMC would have provided a proper arena
> for working that out.
>
> The PPMC has much to offer concerning the announcement of CVEs and the appropriate coordination
> and form of patch releases/updates.  Those with valuable perspective on the deployment strategy
> and its support might have no sense of the technical work that ooo-security members undertake.

Dennis, if the PPMC wishes to make any changes to the patch, or the
documentation, or the announcement, or the website related to this patch,
they have had that ability for nearly a month now.  But no one,
including yourself, has offered one change.  A lot of criticism,
certainly, but no patches. The actions (or inaction) of the PPMC since
this patch was announced prove the point.  It was good enough, and no
one -- including you -- has ventured to raise a finger to improve any
of the patch materials.


To unsubscribe, e-mail:
For additional commands, e-mail: