@Rob, In fact, I posted to ooo-dev and ooo-users information on the significance of the vulnerability and ways to mitigate it.
I was unsuccessful in posting instructions, after several failed attempts, for applying the patch on Windows XP, where the dialogs are different and have different consequences than described in the Windows-patch PDF, which gives instructions for Windows 7. (This has to do with an over-zealous spam filter on our lists, and I could not get around it.) I have, however, put what I could on the Media Wiki as the basis for a possible FAQ, using <http://wiki.services.openoffice.org/wiki/Talk:Documentation/FAQ/Installation/How_Can_I_Install_the_Security_Patch_(CVE-2012-0037)>.

I can't do anything about the fact that the need for a Linux patch has not been resolved. I can't do anything about the fact that the patch requires the confidence and experience of a power user to apply on any platform. I understand why that is; I can't do anything about it myself beyond attempting to provide supporting information and supplementary instructions. And I am, of course, a volunteer here.

I also don't see what that has to do with the relationship between the PPMC and ooo-security. That's about getting many eyes, not about where orcmid might exercise his heroic super powers.

 - Dennis

-----Original Message-----
From: Rob Weir [mailto:robw...@apache.org]
Sent: Thursday, April 12, 2012 09:46
To: general@incubator.apache.org
Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] Update of "April2012" by robweir)

On Thu, Apr 12, 2012 at 12:32 PM, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote:

> I don't think the problem is with the size of the ooo-security list membership. I think it is in the assumption that the [P]PMC has somehow delegated the ability to make a release of any kind to the ooo-security team. I don't mean slip-streaming fixes and working off the public SVN until that happens. I mean developing and deploying all the rest of what accompanies an advisory along with provision of a mitigation.
>
> The breakdowns were not in analyzing the reported vulnerability and the proof-of-exploit that accompanied it. I assume that ooo-security acquitted itself well in that regard, as well as with the coordination with other parties, including ones external to Apache, having common concerns. The breakdown was in all of the non-security considerations and assumptions, even though they needed to be developed in confidence. The PPMC would have provided a proper arena for working that out.
>
> The PPMC has much to offer concerning the announcement of CVEs and the appropriate coordination and form of patch releases/updates. Those with valuable perspective on the deployment strategy and its support might have no sense of the technical work that ooo-security members undertake.

Dennis, if the PPMC wishes to make any changes to the patch, or the documentation, or the announcement, or the website related to this patch, they have had that ability for nearly a month now. But no one, including yourself, has offered one change. A lot of criticism, certainly, but no patches. The actions (or inaction) of the PPMC since this patch was announced prove the point. It was good enough, and no one -- including you -- has ventured to raise a finger to improve any of the patch materials.

-Rob

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org