On 27 Mar, Andrea Pescetti wrote:
> On 29/01/2016 Andrea Pescetti wrote:
>> For 4.2.0 we need a Release Manager. I would prefer NOT to be the
>> Release Manager for 4.2.0 since I'm finding that in this period I can
>> help more productively with tasks that do not require constant
>> interaction ...
>> I am surely available to have a significant role in the 4.2.0 release
>
> A few days after writing this, almost 2 months ago, sudden events left
> me incapacitated to make any significant contributions until very
> recently. I'm still unable to make long-term commitments.
>
> Anyway, there are some issues we need to get done as a team before
> appointing a release manager makes sense:
>
> 1) Enough code. Done. The merge of the recent gbuild work totally
> justifies a 4.2.0 release. Also, in 4.1.2 we only included a tiny
> fraction of the fixes that (at that time) were available on trunk. So
> here we are already OK, and we've been OK for months.

Some of the external software that is bundled has security issues. I put together a patch for nss here: <https://bz.apache.org/ooo/show_bug.cgi?id=126891>.

The version of libxml currently bundled also has a lot of known vulnerabilities. I'm currently testing a patch. These both need review and testing.

The versions of openssl and curl badly need updating for the same reason, and there is one CVE for serf. There is a CVE for raptor-1.4.18, but I believe there was a cherry-picked patch committed for that.

There are likely to be vulnerabilities in the bundled version of silgraphite, but it has been unmaintained upstream for quite some time. Ideally we would switch to Graphite2, but the API is radically different and this looks difficult. The unattractive alternative is to look at the additional sanity checks added in recent Graphite2 commits and try to retrofit those into silgraphite.