incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jukka Zitting <>
Subject Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir)
Date Wed, 11 Apr 2012 19:36:31 GMT

On Thu, Apr 5, 2012 at 7:27 PM, Apache Wiki <> wrote:
> OpenOffice
> Out-of-Band Report

Thanks the explicit report about this!

> The IPMC and Board should note that this extraordinary patch was made
> available, as a courtesy to the ecosystem, based on the severity of the reported
> vulnerability and the ease of exploiting it.  The patch was made available under
> ALv2, and distribution was done via the Apache mirrors, although this did
> not constitute an official release.

This is pretty gray territory. Normally neither a podling nor a TLP
should ever publish binaries for distribution without all the relevant
source code and without going through the standard voting procedure.

> Because of the required secrecy around the preparation of such security patches,
> a minimum number of Apache members were involved in vetting this release, though
> we did try to touch all bases by involving mentors, Infra and Legal Affairs.

I'm inclined to trust the judgement of people involved here.

It should be noted though that even though the /dist/incubator/ooo
space was used to distribute these patches, they were and are not
officially blessed by the Incubator PMC on behalf of the ASF.

Should a similar case arise in the future, I'd prefer if a clearly
separate area under /dist or some other place was used to prevent
confusing these with official Apache releases.


Jukka Zitting

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message