Re: [Forum] Upgrade signature string
Signature is checked in includes/ucp/ucp_register.php

----- Original Message -----
From: "Andrea Pescetti"
To: dev@openoffice.apache.org
Sent: Saturday, 30 July 2016 10:56:02
Subject: Re: [Forum] Upgrade signature string

FR web forum wrote:
> Some specific scripts to be modified. Easy to hack.
> If I can help, give me SSH access.

I have access to the server but I have no idea where the signature string is checked. I can surely debug it and find it out, but if you are available I can send you in private a copy of the current codebase, then you tell me what file(s) should be changed and I'll change it/them accordingly.

Regards,
Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: Officially releasing a patch for CVE-2016-1513
Patricia Shanahan wrote:
> For the end user, this is incredibly, painfully more complicated than
> downloading and installing a new version.

It is. We must make clear that this is a "convenience" update made available to power users, but at the same time state clearly that this (non-critical) vulnerability will be fixed in the next release. Now the patch is applied to all active branches, so whatever we release will surely contain the fix.

Regards,
Andrea.
RE: Officially releasing a patch for CVE-2016-1513
> -----Original Message-----
> From: Patricia Shanahan [mailto:p...@acm.org]
> Sent: Sunday, July 31, 2016 21:37
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
>
> On 7/31/2016 5:17 PM, Dennis E. Hamilton wrote:
> >
> >> -----Original Message-----
> >> From: Kay sch...@apache.org [mailto:ksch...@apache.org]
> >> Sent: Sunday, July 31, 2016 14:42
> >> To: dev@openoffice.apache.org
> >> Subject: Re: Officially releasing a patch for CVE-2016-1513
> >>
> >> OK, I think I'm done with the Linux64 bit area as well.
> >>
> >> And see below
> >>
> >> On 07/31/2016 01:10 PM, Marcus wrote:
> > [ ... ]
> >>> I'm preparing the hotfix webpage. For this I've some questions:
> >>>
> >>> 1. Do we want to provide zip files for every platform or just single
> >>> files for the library and other files?
> >>
> >> H... I assumed we would just be pointing people directly at
> >> /dist/release/openoffice/patches.
> >> (Right now, these are in /dist/dev/openoffice/patches.)
> >>
> >> It would be easiest to just set up the hotfix page with three links
> >> per distro.
> >>
> >> Linux32
> >> * link to Linux32.README
> >> * link to linux32 libtl.so
> >> * link to linux32 libtl.so.asc (sig)
> >>
> >> etc.
> >>
> >> If not, the READMEs I wrote will need to change.
> > [orcmid]
> >
> > I recommend there should be single-file (e.g., Zip) distributions,
> > just like all other binaries. That gives just one thing to download.
> > The MD5, SHA512, and ASC signatures should be on the whole package and
> > stay in the dev/ and release/ folders, just as they are on download
> > pages. (The ASC signatures on the individual library-file binaries
> > should be inside the package.) I suspect, on the dev/ side, we might
> > need copies of the READMEs alongside the archives, and revised more
> > regularly, so they can be reviewed and revised easily as we get QA and
> > trial use. When we move over to release/ we might want to do the same,
> > even though the README is in the archive, so that people can read it
> > without downloading the package.
> >
> > Finally, please use README.txt, etc., so that line-ending adjustments
> > will happen properly when folks move these in and out of SVN and also
> > out of archive files. This will also help browsers when folks retrieve
> > these directly from the repository.
> >
> > PS: If we are concerned about the README.txt outside of the archive
> > being authenticated, it can have an embedded PGP signature. (Then the
> > final archive-internal one would be a copy of the signed README.txt --
> > no biggie, nice chain of custody).
> >
> > [ ... ]
>
> For the end user, this is incredibly, painfully more complicated than
> downloading and installing a new version.
[orcmid]

Indeed it is. I think there is no question how daunting this might be and we must be very careful with this.

The README.txt cannot be comprehensive for what a casual user might require, and a power user of OpenOffice might not be much of a power user of Windows. That has to be taken into account.

Is there a suggestion lurking in the observation?

 - Dennis
Re: Officially releasing a patch for CVE-2016-1513
On 07/31/2016 05:17 PM, Dennis E. Hamilton wrote:
>
>> -----Original Message-----
>> From: Kay sch...@apache.org [mailto:ksch...@apache.org]
>> Sent: Sunday, July 31, 2016 14:42
>> To: dev@openoffice.apache.org
>> Subject: Re: Officially releasing a patch for CVE-2016-1513
>>
>> OK, I think I'm done with the Linux64 bit area as well.
>>
>> And see below
>>
>> On 07/31/2016 01:10 PM, Marcus wrote:
> [ ... ]
>>> I'm preparing the hotfix webpage. For this I've some questions:
>>>
>>> 1. Do we want to provide zip files for every platform or just single
>>> files for the library and other files?
>>
>> H... I assumed we would just be pointing people directly at
>> /dist/release/openoffice/patches.
>> (Right now, these are in /dist/dev/openoffice/patches.)
>>
>> It would be easiest to just set up the hotfix page with three links per
>> distro.
>>
>> Linux32
>> * link to Linux32.README
>> * link to linux32 libtl.so
>> * link to linux32 libtl.so.asc (sig)
>>
>> etc.
>>
>> If not, the READMEs I wrote will need to change.
> [orcmid]
>
> I recommend there should be single-file (e.g., Zip) distributions, just like
> all other binaries. That gives just one thing to download. The MD5, SHA512,
> and ASC signatures should be on the whole package and stay in the dev/ and
> release/ folders, just as they are on download pages. (The ASC signatures on
> the individual library-file binaries should be inside the package.) I
> suspect, on the dev/ side, we might need copies of the READMEs alongside the
> archives, and revised more regularly,

I was OK up to this statement. Are you saying INCLUDE the readmes in the zip package but leave them outside of where they now are? If we want signed zip files, can't we just leave the files we have now in:

https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/

but zip them up as well, including the READMEs?
Or, are you saying at distribution time, remove the libraries and their sigs but leave the README files?
We have these in their own labeled area -- 4.1.2-patch1 -- so I don't see a problem with just leaving everything there.

> so they can be reviewed and revised easily as we get QA and trial use. When
> we move over to release/ we might want to do the same, even though the README
> is in the archive, so that people can read it without downloading the package.
>
> Finally, please use README.txt, etc., so that line-ending adjustments will
> happen properly when folks move these in and out of SVN and also out of
> archive files. This will also help browsers when folks retrieve these
> directly from the repository.
>
> PS: If we are concerned about the README.txt outside of the archive being
> authenticated, it can have an embedded PGP signature. (Then the final
> archive-internal one would be a copy of the signed README.txt -- no biggie,
> nice chain of custody).
>
> [ ... ]

--
MzK

"Time spent with cats is never wasted."
   -- Sigmund Freud
RE: Officially releasing a patch for CVE-2016-1513
> -----Original Message-----
> From: Kay Schenk [mailto:kay.sch...@gmail.com]
> Sent: Monday, August 1, 2016 15:43
> To: dev@openoffice.apache.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
>
> On 07/31/2016 05:17 PM, Dennis E. Hamilton wrote:
> >
> >> -----Original Message-----
> >> From: Kay sch...@apache.org [mailto:ksch...@apache.org]
> >> Sent: Sunday, July 31, 2016 14:42
> >> To: dev@openoffice.apache.org
> >> Subject: Re: Officially releasing a patch for CVE-2016-1513
> >>
> >> OK, I think I'm done with the Linux64 bit area as well.
> >>
> >> And see below
> >>
> >> On 07/31/2016 01:10 PM, Marcus wrote:
> > [ ... ]
> >>> I'm preparing the hotfix webpage. For this I've some questions:
> >>>
> >>> 1. Do we want to provide zip files for every platform or just single
> >>> files for the library and other files?
> >>
> >> H... I assumed we would just be pointing people directly at
> >> /dist/release/openoffice/patches.
> >> (Right now, these are in /dist/dev/openoffice/patches.)
> >>
> >> It would be easiest to just set up the hotfix page with three links
> >> per distro.
> >>
> >> Linux32
> >> * link to Linux32.README
> >> * link to linux32 libtl.so
> >> * link to linux32 libtl.so.asc (sig)
> >>
> >> etc.
> >>
> >> If not, the READMEs I wrote will need to change.
> > [orcmid]
> >
> > I recommend there should be single-file (e.g., Zip) distributions,
> > just like all other binaries. That gives just one thing to download.
> > The MD5, SHA512, and ASC signatures should be on the whole package and
> > stay in the dev/ and release/ folders, just as they are on download
> > pages. (The ASC signatures on the individual library-file binaries
> > should be inside the package.) I suspect, on the dev/ side, we might
> > need copies of the READMEs alongside the archives, and revised more
> > regularly,
>
> I was OK up to this statement. Are you saying INCLUDE the readmes in the
> zip package but leave them outside of where they now are? If we want
> signed zip files, can't we just leave the files we have now in:
>
> https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/
>
> but zip them up as well, including the READMEs?
> Or, are you saying at distribution time, remove the libraries and their
> sigs but leave the README files?
> We have these in their own labeled area -- 4.1.2-patch1 -- so I don't
> see a problem with just leaving everything there.
[orcmid]

I'll do what I mean by example when I upload the Windows case by tomorrow morning, at the latest. Then it will be easier to talk about it.

 - Dennis

> > so they can be reviewed and revised easily as we get QA and trial use.
> > When we move over to release/ we might want to do the same, even though
> > the README is in the archive, so that people can read it without
> > downloading the package.
> >
> > Finally, please use README.txt, etc., so that line-ending adjustments
> > will happen properly when folks move these in and out of SVN and also
> > out of archive files. This will also help browsers when folks retrieve
> > these directly from the repository.
> >
> > PS: If we are concerned about the README.txt outside of the archive
> > being authenticated, it can have an embedded PGP signature. (Then the
> > final archive-internal one would be a copy of the signed README.txt --
> > no biggie, nice chain of custody).
> >
> > [ ... ]
>
> --
> MzK
>
> "Time spent with cats is never wasted."
>    -- Sigmund Freud
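The package layout recommended in this thread (one Zip per platform, a SHA512 over the whole package published beside it, a detached .asc for each library inside, and a README.txt kept both inside and outside) can be checked mechanically. The sketch below is an added example, not code from the thread or from the OpenOffice project; the file contents and the helpers `build_package` and `check_package` are constructed for illustration, and the PGP verification itself is left to gpg.

```python
import hashlib
import io
import zipfile

# Constructed sample contents; only the names libtl.so, libtl.so.asc and
# README.txt come from the thread.
SAMPLE_FILES = {
    "README.txt": b"Replace libtl.so as described below.\n",
    "libtl.so": b"\x7fELF constructed stand-in for the patched library",
    "libtl.so.asc": b"-----BEGIN PGP SIGNATURE-----\n(constructed)\n",
}

def sha512_hex(data):
    return hashlib.sha512(data).hexdigest()

def build_package(files):
    """Zip a {name: bytes} mapping in memory (stands in for the hotfix Zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def _lf(data):
    # README.txt may have had its line endings adjusted by SVN or a browser.
    return data.replace(b"\r\n", b"\n")

def check_package(pkg, published_sha512, outside_readme, libraries):
    """Return a list of problems; an empty list means every check passed."""
    # 1. Digest over the whole package, as published beside it in dev/ or release/.
    expected = (published_sha512.split() or [""])[0].lower()
    if sha512_hex(pkg) != expected:
        return ["package SHA512 does not match the published digest"]
    problems = []
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        names = set(zf.namelist())
        # 2. Every library binary has its detached .asc inside the package.
        #    Presence only: checking the signature is a job for gpg --verify.
        for lib in libraries:
            if lib not in names:
                problems.append(f"missing library {lib}")
            elif lib + ".asc" not in names:
                problems.append(f"no detached signature inside the package for {lib}")
        # 3. The README.txt kept outside the archive is a copy of the one inside.
        if "README.txt" not in names:
            problems.append("README.txt missing from the package")
        elif _lf(zf.read("README.txt")) != _lf(outside_readme):
            problems.append("README.txt outside the archive differs from the copy inside")
    return problems
```

The README comparison ignores CRLF/LF differences because the thread expects line endings to be adjusted on README.txt; a clearsigned README would need the same care before its signature is checked.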
Interested in volunteering with Apache
To Whom It May Concern,

Hello. My goal is to get into the technical writing field. I have a BS degree in civil engineering that I completed at California State University, Long Beach and did some graduate coursework in environmental engineering from San Diego State University. I also studied and interned abroad in Austria and Germany respectively.

I'm interested in volunteering because I want to gain some experience related to technical writing to build up my portfolio and felt compelled to introduce myself to you all.

Attached is my resume. I also just started a blog related to technical writing, life, innovations, and book reviews, but it's a project in the making for now and will soon get its own domain name to replace the ".wordpress.com". Here's the link to my personal blog: https://theoutlawthinker.wordpress.com/

When you click on the "Portfolio" tab on my blog, it will link you to my LinkedIn account that has some samples of my writing.

Hope to hear from you soon. Thank you very much.

Sincerely,
Woody Arnold, EIT
(619)817-1043
woodyarnol...@yahoo.com
Re: Interested in volunteering with Apache
Welcome.

The current writing project is constructing instruction files for applying a patch. The process is fairly complicated, and needs to be explained clearly for end users with limited technical skills.

Perhaps you could review the drafts and see if you can suggest any improvements? Can you use subversion to check out files?

Thanks,
Patricia

On 8/1/2016 3:48 PM, Woody Arnold wrote:
> To Whom It May Concern,
>
> Hello. My goal is to get into the technical writing field. I have a BS
> degree in civil engineering that I completed at California State
> University, Long Beach and did some graduate coursework in environmental
> engineering from San Diego State University. I also studied and interned
> abroad in Austria and Germany respectively.
>
> I'm interested in volunteering because I want to gain some experience
> related to technical writing to build up my portfolio and felt compelled
> to introduce myself to you all.
>
> Attached is my resume. I also just started a blog related to technical
> writing, life, innovations, and book reviews, but it's a project in the
> making for now and will soon get its own domain name to replace the
> ".wordpress.com". Here's the link to my personal blog:
> https://theoutlawthinker.wordpress.com/
>
> When you click on the "Portfolio" tab on my blog, it will link you to my
> LinkedIn account that has some samples of my writing.
>
> Hope to hear from you soon. Thank you very much.
>
> Sincerely,
> Woody Arnold, EIT
> (619)817-1043
> woodyarnol...@yahoo.com