
OSS-Fuzz: Five months later, and rewarding projects

Posted May 9, 2017 14:21 UTC (Tue) by torquay (guest, #92428)
Parent article: OSS-Fuzz: Five months later, and rewarding projects

    OSS-Fuzz has found numerous security vulnerabilities ... 33 in LibreOffice
By extension, how many of these 33 are also in Apache OpenOffice, which will never get fixed?



OSS-Fuzz: Five months later, and rewarding projects

Posted May 9, 2017 17:47 UTC (Tue) by MatejLach (guest, #84942) [Link] (4 responses)

Sadly, I know of a number of places that never heard of LibreOffice and still install OpenOffice on their machines.
It would be more beneficial for the community if Apache just gave everything it has acquired from Oracle and IBM in relation to OpenOffice to LibreOffice (or, at the very least, implemented a redirect to LO).

What do they get from keeping a zombie alive?

OSS-Fuzz: Five months later, and rewarding projects

Posted May 9, 2017 19:58 UTC (Tue) by bronson (subscriber, #4806) [Link] (2 responses)

Look at it from their point of view. "What do we get if we kill off this zombie? Nothing?"

OSS-Fuzz: Five months later, and rewarding projects

Posted May 9, 2017 20:49 UTC (Tue) by xtifr (guest, #143) [Link] (1 response)

Really? Seems to me that at a bare minimum, they'd get back whatever ongoing administrative costs they have for the project. This may be small, but I'm sure it's non-zero. And beyond that, they'd get a *huge* amount of goodwill, which is something companies often spend hundreds of millions of dollars on. The fact that they're continuing to support this horrible, botched failure is a continuing embarrassment which angers hundreds, if not thousands, of people.

Compare to what they lose if they *do* kill it: both of the active AOO devs get mad, as do the few dozen users who don't want to switch (rather than simply not knowing they have the option of switching). And, of course, all of them can simply take their source code and maintain it on their own (after a possible rename, since Apache should most emphatically *not* give them the name).

Shuttering the project looks like *almost* pure win for them. :)

OSS-Fuzz: Five months later, and rewarding projects

Posted May 10, 2017 0:00 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

Pride matters. Key people at Apache fought to make this possible, it is embarrassing for them to say "Oh, everybody else was right, we're the wrong entity to own this project, we haven't been able to make it work, everything transpired as we were told it would, our mistake". So they're damned if they'll do that.

You will see this at for-profit corporations too. Consider Symantec right now. Senior executives at the company responded to problems in 2015 by throwing an employee under the bus. "Bad apple" Symantec management seemed to say, shrugging, "what can you do?" to which the answer is "Provide sufficient oversight, that's what you're paid for". In 2017 with yet more problems discovered they have realised that more human sacrifices won't get the job done, and tried putting money on the table, giving up some trifling contracts with third parties and blaming the third parties for their problems. This did not go over as well as they seem to have hoped. But none of the multi-millionaire executives appear to have considered that maybe they're the problem. That's not a thought which has crossed their minds. Nobody being paid tens of millions of dollars wants to believe it's for any reason other than their superb leadership and blameless execution of the task at hand. And so Symantec sleep-walks into millions of dollars more write-offs and failures, none of which their annual report will correctly blame on the well-paid executive team. It will be declared a mystery, the unpredictable operation of unknowable markets, and not a result of management incompetence at all.

OSS-Fuzz: Five months later, and rewarding projects

Posted May 18, 2017 10:08 UTC (Thu) by davidgerard (guest, #100304) [Link]

A zombie with a known security hole since January (and the ASF editing posted board minutes to remove mention of the issue after the horse had bolted) and a vanished release manager. I'm sure it'll be fine, fine.


Copyright © 2025, Eklektix, Inc.