On Thu, Apr 12, 2012 at 2:54 PM, Dennis E. Hamilton
<dennis.hamil...@acm.org> wrote:
> @Rob,
> In fact, I posted to ooo-dev and ooo-users information on the significance of 
> the vulnerability and ways to mitigate it.

Yes, after the official security bulletin went out to those same lists.  Thanks.

> I was unsuccessful in posting instructions, after several failed attempts, 
> for applying the patch on Windows XP where the dialogs are different and have 
> different consequences than described in the Windows-patch PDF, which gives 
> instructions for Windows 7.  (This has to do with an over-zealous spam filter 
> on our lists and I could not get around it.)  I have however put what I could 
> on the Media Wiki as the basis for a possible FAQ, using
> <http://wiki.services.openoffice.org/wiki/Talk:Documentation/FAQ/Installation/How_Can_I_Install_the_Security_Patch_(CVE-2012-0037)>.

The security bulletin is in SVN.  You can use the CMS or check in the
fix directly.  Or post to BZ as a patch.  There is no need for a spam
filter on the lists to get in your way.

> I can't do anything about the fact that the need for a Linux patch has not 
> been resolved.  I can't do anything about the fact that the patch requires 
> the confidence and experience of a power user to apply on any platform.  I 
> understand why that is; I can't do anything about it myself beyond attempt to 
> provide supporting information and supplementary instructions.

There are others in the PPMC who could do these things if they thought
it was important to do so.  In fact, the definition of "important" is
pretty much synonymous with "it gets someone to take action".

> And I am, of course, a volunteer here.
> I also don't see what that has to do with the relationship between the PPMC 
> and ooo-security.  That's about getting many eyes, not about where orcmid 
> might exercise his heroic super powers.

But I hope you see my point.  If neither you nor anyone else on the
PPMC has thought it important to address these issues in the month
since the patch has been public, then I do not think that the same
PPMC members would have addressed these concerns if the security team
gave them a heads up a day or two earlier.  Or a week earlier.
Evidently even a month is not even enough.
>  - Dennis
> -----Original Message-----
> From: Rob Weir [mailto:robw...@apache.org]
> Sent: Thursday, April 12, 2012 09:46
> To: general@incubator.apache.org
> Subject: Re: Extraordinary OpenOffice security patch (Was: [Incubator Wiki] 
> Update of "April2012" by robweir)
> On Thu, Apr 12, 2012 at 12:32 PM, Dennis E. Hamilton
> <dennis.hamil...@acm.org> wrote:
>> I don't think the problem is with the size of the ooo-security list 
>> membership.  I think it is in the assumption that the [P]PMC has somehow 
>> delegated the ability to make a release of any kind to the ooo-security 
>> team.  I don't mean slip-streaming fixes and working off the public SVN 
>> until that happens.  I mean developing and deploying all the rest of what 
>> accompanies an advisory along with provision of a mitigation.
>> The breakdowns were not in analyzing the reported vulnerability and the 
>> proof-of-exploit that accompanied it.  I assume that ooo-security acquitted 
>> itself well in that regard as well as with the coordination with other 
>> parties, including ones external to Apache, having common concerns.  The 
>> breakdown was in all of the non-security considerations and assumptions, 
>> even though they needed to be developed in confidence.  The PPMC would have 
>> provided a proper arena for working that out.
>> The PPMC has much to offer concerning the announcement of CVEs and the 
>> appropriate coordination and form of patch releases/updates.  Those with 
>> valuable perspective on the deployment strategy and its support might have 
>> no sense of the technical work that ooo-security members undertake.
> Dennis, if the PPMC wishes to make any changes to the patch, or the
> documentation, or the announcement, or the website related this patch,
> they have had that ability for nearly a month now.  But no one,
> including yourself, has offered one change.  A lot of criticism,
> certainly, but no patches. The actions (or inaction) of the PPMC since
> this patch was announced proves the point.  It was good enough, and no
> one -- including you -- has ventured to raise a finger to improve any
> of the patch materials.
> -Rob
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org