LWN: Comments on "Waiting for AOO" https://lwn.net/Articles/729460/ This is a special feed containing comments posted to the individual LWN article titled "Waiting for AOO". en-us Sun, 14 Sep 2025 09:09:28 +0000 Sun, 14 Sep 2025 09:09:28 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net Waiting for AOO https://lwn.net/Articles/730968/ https://lwn.net/Articles/730968/ smurf <div class="FormattedComment"> <font class="QuotedText">&gt; Don't use it for critical/production work.</font><br> <p> … which applies to every other AOO version.<br> </div> Tue, 15 Aug 2017 02:43:36 +0000 Waiting for AOO https://lwn.net/Articles/730942/ https://lwn.net/Articles/730942/ jepler <div class="FormattedComment"> 4.1.4 RC 1 has now been released by AOO. <a href="https://forum.openoffice.org/en/forum/viewtopic.php?f=107&amp;t=89860">https://forum.openoffice.org/en/forum/viewtopic.php?f=107...</a><br> </div> Mon, 14 Aug 2017 20:34:08 +0000 Waiting for Godot https://lwn.net/Articles/730540/ https://lwn.net/Articles/730540/ jtc <div class="FormattedComment"> I think Jon's title is a joking reference to the famous absurdist/existentialist play.<br> </div> Fri, 11 Aug 2017 00:33:19 +0000 Own mistakes https://lwn.net/Articles/730449/ https://lwn.net/Articles/730449/ moltonel <div class="FormattedComment"> <font class="QuotedText">&gt; Not really, as most people use LO these days</font><br> <p> The Apache foundation at least believes that there is still a significant share of AOO users. We could argue about actual numbers, but it still looks sizable. And most importantly, I expect current AOO users to generally have poor security awareness and therefore be prime targets for malware-type attacks. 
Fewer but more attackable targets still qualifies as "tempting".<br> </div> Thu, 10 Aug 2017 11:59:33 +0000 Own mistakes https://lwn.net/Articles/730444/ https://lwn.net/Articles/730444/ smurf <div class="FormattedComment"> <font class="QuotedText">&gt; tempting target</font><br> <p> Not really, as most people use LO these days – thus developing an exploit that doesn't affect the vast majority of users (I hope) isn't interesting.<br> <p> </div> Thu, 10 Aug 2017 10:12:28 +0000 Own mistakes https://lwn.net/Articles/730442/ https://lwn.net/Articles/730442/ moltonel <div class="FormattedComment"> Looks like security through obscurity to me: "Let's not mention that the overdue patch release contains a security fix, so that the black hats don't find out about it." It's a good thing that black hats rely on meeting minutes rather than git logs or automated tools to find exploitable bugs... Sigh.<br> <p> I'm surprised we don't hear of more actively exploited AOO bugs, given that it has remained mostly static for years and must be a tempting target.<br> </div> Thu, 10 Aug 2017 10:00:04 +0000 Subscriber links https://lwn.net/Articles/730221/ https://lwn.net/Articles/730221/ jospoortvliet <div class="FormattedComment"> Smart ones do ;-)<br> </div> Tue, 08 Aug 2017 22:19:19 +0000 Waiting for AOO https://lwn.net/Articles/730114/ https://lwn.net/Articles/730114/ chfisher <div class="FormattedComment"> There is a "New Thought" maxim that runs: "If it occurs to you, it's yours to do." <br> <p> Seems applicable here.<br> </div> Mon, 07 Aug 2017 19:32:29 +0000 Own mistakes https://lwn.net/Articles/730059/ https://lwn.net/Articles/730059/ tialaramex <div class="FormattedComment"> Amending the minutes to remove unpalatable elements prior to agreeing them at the next meeting - while I don't like it from a transparency point of view - is unremarkable.<br> <p> But Apache policy is to only put up the report (from groups like AOO) when the minutes are approved. 
_Then_ after they'd been published (so that the Wayback Machine has a copy even, so we're not talking about 30 seconds) the minutes were altered. So either the originally published minutes aren't the ones agreed by the board, or these aren't, and I don't much care which because either way I can't trust their records.<br> <p> It also doesn't achieve any supposed security goal, bad guys don't have to accept that you've rescinded your previous announcement and are now claiming not to have security problems, they can read the original version. It's the same mistake as when people figure that they'll "undo" the damage from publishing their private keys to github by asking github to purge the data. It's a Pandora's box, you can't unopen it, that's just not how information works. The only thing achieved was to mislead researchers foolish enough to believe the ASF about their own projects.<br> </div> Mon, 07 Aug 2017 13:03:01 +0000 Waiting for AOO https://lwn.net/Articles/730033/ https://lwn.net/Articles/730033/ donbarry <div class="FormattedComment"> Not that it's likely to happen, but let's be honest, it's not "can't", it's "won't". Of course they can make statements about the quality or suitability of external projects.<br> </div> Sun, 06 Aug 2017 23:39:57 +0000 Waiting for AOO https://lwn.net/Articles/730029/ https://lwn.net/Articles/730029/ cornelio <div class="FormattedComment"> That just won't happen (redirecting to LO).<br> <p> LO and AOO are for all purposes different projects and the Apache Software Foundation can't make any claims on the quality or suitability of external projects. 
What could happen, if they don't release new code, is that the project would be moved to the "Attic" in which case the software would still be made available with a note that it is being EOL'ed.<br> </div> Sun, 06 Aug 2017 20:31:45 +0000 Own mistakes https://lwn.net/Articles/729956/ https://lwn.net/Articles/729956/ smurf <div class="FormattedComment"> Well, these were not posted with a "draft" mark and there was no other change at all.<br> <p> Perhaps somebody got cold feet because of liability issues – if you knowingly distribute defective software, your unreadably-large legal disclaimer may not be able to bail you out …<br> <p> Did anybody ask the meeting's chair for comment?<br> </div> Sat, 05 Aug 2017 07:48:37 +0000 Own mistakes https://lwn.net/Articles/729953/ https://lwn.net/Articles/729953/ gdt <p>If these minutes came to me for approval I too would have squashed "at least one security fix in the under-development-release". It's not the role of board minutes to notify clients of security issues; they are not a forum clients can be expected to monitor for this information. Due to an unfortunate operation of the law, board members often have only an "accept or reject item" option for altering board minutes, so I would have sadly asked for "reject" and perhaps asked the chair for more acuity from their staff when noting this topic in the future. I wouldn't read much into the deletion, beyond a board operating normally.</p> Sat, 05 Aug 2017 02:12:15 +0000 Own mistakes https://lwn.net/Articles/729932/ https://lwn.net/Articles/729932/ amk <div class="FormattedComment"> Minutes are often posted in a draft form and then accepted at a subsequent meeting. It's possible that in the discussion of accepting the minutes, someone said "no, what was actually meant was..." and the final version of the minutes revised accordingly. 
Confirming that would require more investigation of the ASF's committee processes, though, so that's just my passing suggestion.<br> <p> </div> Fri, 04 Aug 2017 20:55:01 +0000 Waiting for AOO https://lwn.net/Articles/729891/ https://lwn.net/Articles/729891/ mauricio <div class="FormattedComment"> Millions of bytes?<br> </div> Fri, 04 Aug 2017 15:24:08 +0000 Subscriber links https://lwn.net/Articles/729862/ https://lwn.net/Articles/729862/ tao <div class="FormattedComment"> Ahhhh, I wish record companies had this refreshing outlook on sharing.<br> </div> Fri, 04 Aug 2017 11:30:16 +0000 Subscriber links https://lwn.net/Articles/729823/ https://lwn.net/Articles/729823/ corbet HN can drive a lot of traffic; a link that sits on the front page for a while can bring tens of thousands of non-subscribing readers to LWN. Experience suggests that some of them will subsequently choose to subscribe. I wouldn't want to see all of our subscriber content there, but an occasional link does us nothing but good as far as I can tell. Fri, 04 Aug 2017 00:34:39 +0000 Waiting for AOO https://lwn.net/Articles/729822/ https://lwn.net/Articles/729822/ pabs <div class="FormattedComment"> corbet has said in multiple HN comments that it is fine.<br> </div> Fri, 04 Aug 2017 00:30:58 +0000 Waiting for AOO https://lwn.net/Articles/729821/ https://lwn.net/Articles/729821/ cesarb <div class="FormattedComment"> It seems common enough (<a href="https://hn.algolia.com/?query=SubscriberLink&amp;sort=byDate&amp;prefix&amp;page=0&amp;dateRange=all&amp;type=story">https://hn.algolia.com/?query=SubscriberLink&amp;sort=byD...</a>), though only corbet can tell for sure.<br> <p> It would have been better to post the link directly to their mailing list, but unfortunately doing so as a first-time poster would be treated as a provocation. 
HN is a neutral place.<br> </div> Fri, 04 Aug 2017 00:17:18 +0000 Waiting for AOO https://lwn.net/Articles/729818/ https://lwn.net/Articles/729818/ k8to <div class="FormattedComment"> Do subscriber links posted to hackernews as top level stories really fall into the intended usage pattern for subscriber links? Legitimately asking, it doesn't fall into what I'd expect to be appropriate, personally.<br> </div> Thu, 03 Aug 2017 23:53:46 +0000 Waiting for AOO https://lwn.net/Articles/729814/ https://lwn.net/Articles/729814/ cesarb <div class="FormattedComment"> ...or they are not LWN subscribers, and nobody posted a SubscriberLink somewhere they could find yet.<br> <p> Last year I had posted a SubscriberLink to a LWN article about AOO to HN; I'm doing it again right now, so if they read HN and my post reaches the front page there, we might be able to see them here again.<br> </div> Thu, 03 Aug 2017 22:46:10 +0000 Waiting for AOO https://lwn.net/Articles/729803/ https://lwn.net/Articles/729803/ xtifr <div class="FormattedComment"> One thing has definitely changed: the last time LWN wrote a critical piece about the project, we had some AOOers drop by to repeatedly complain about what a bunch of meanies we all were for criticizing them instead of volunteering to help them out. This time? Crickets...<br> <p> I don't know if this means that they've simply decided LWN is simply a den of irredeemable evil, not worthy of their offers of salvation, or if they simply lack the manpower to even try to promote their project, or if they've just thrown in the towel, and are trying to find a face-saving way to admit it. In any case, it's an interesting development.<br> </div> Thu, 03 Aug 2017 21:22:52 +0000 Waiting for AOO https://lwn.net/Articles/729788/ https://lwn.net/Articles/729788/ csigler <div class="FormattedComment"> <font class="QuotedText">&gt; Honi soit qui mal y pense …</font><br> <p> "Let them eat AOO...?" 
;-D<br> </div> Thu, 03 Aug 2017 17:16:45 +0000 Waiting for AOO https://lwn.net/Articles/729784/ https://lwn.net/Articles/729784/ dsommers <div class="FormattedComment"> Unfortunately, this implies "The Law of Someone" ... which means: When SOMEONE ought to do something, nothing ever happens.<br> <p> Sad, but too often true :/<br> <p> </div> Thu, 03 Aug 2017 16:37:54 +0000 Waiting for AOO https://lwn.net/Articles/729725/ https://lwn.net/Articles/729725/ roc <div class="FormattedComment"> I'm sure that's wise. Then someone else needs to do it!<br> </div> Thu, 03 Aug 2017 11:52:24 +0000 Waiting for AOO https://lwn.net/Articles/729724/ https://lwn.net/Articles/729724/ bangert That is sensible. Here is the patch:<br> <blockquote> Seems like it would be a good thing for someone <strike>at LibreOffice</strike> to run a set of <strike>their</strike> LibreOffice's exploitable-bug testcases against AOO, report the failures to AOO, and notify the Apache board and the public that they have done so (not necessarily identifying specific bugs), noting that this would also be very easy for an attacker to do. Then either AOO releases an update with fixes, improving things for their users, or they don't, putting even more pressure on the Apache board to do the right thing. </blockquote> <br> Talk, including mine, remains cheap. Thu, 03 Aug 2017 11:47:51 +0000 Waiting for AOO https://lwn.net/Articles/729723/ https://lwn.net/Articles/729723/ mfrancis <div class="FormattedComment"> LibreOffice policy – if unwritten – has been to gently but firmly discourage contributors from talking negatively about AOO, on the basis that it is unhelpful, and certainly to avoid doing anything that could be construed as the project itself doing so in public.<br> <p> LO wins over users by behaving like a professional and competent project, and developers by being a genuinely friendly and accessible community to get involved in. 
The sort of publicity that would result from sticking an oar into this situation publicly just wouldn't be that useful or interesting on either front.<br> </div> Thu, 03 Aug 2017 11:26:33 +0000 Own mistakes https://lwn.net/Articles/729710/ https://lwn.net/Articles/729710/ smurf <p>These are the changes: <pre> 6. Committee Reports Summary of Reports The following reports required further discussion: […] F. Apache Apex Project [Thomas Weise / Shane] See Attachment F - Marvin: possible public disclosure of security issue was not - in the report - - Mark: the "worst" of the issues were resolved but minor - security issues appear to be unresolved; the PMC has been - unresponsive for three months - - @Shane: "encourage" the PMC to be responsive to security - issues - […] RELEASES ======== The current release is Apache OpenOffice 4.1.3 and was published on 2016-Oct-12. Apache OpenOffice 4.1.4 is planned for release in 2017 Q1 for further -maintenance and available security fixes. +maintenance. Apache OpenOffice 4.2.0 is planned for this year - but without to name a specific time frame - to include new features and bigger enhancements -but of course more bugfixes and security fixes if needed. +but of course more bug fixes. […] A number of previously-active committers have returned to activity as part of the response to the previous-quarter public discussion of what AOO retirement would look like. Next Steps: Improving the mentoring of newcomers and expanding the capacity to address major issues as part of new releases. -Handling of Security --------------------- -There will be at least one security fix in the under-development -release 4.1.4. - - Branding -------- […] </pre> <p> I agree that this is telling. The minutes of meetings are supposed to be immutable! 
Thu, 03 Aug 2017 09:21:37 +0000 Waiting for AOO https://lwn.net/Articles/729709/ https://lwn.net/Articles/729709/ smurf <div class="FormattedComment"> Honi soit qui mal y pense …<br> </div> Thu, 03 Aug 2017 08:45:58 +0000 Waiting for AOO https://lwn.net/Articles/729678/ https://lwn.net/Articles/729678/ rahvin <div class="FormattedComment"> It took them a year to get a critical exploit patched that took LO a day and they haven't done a release since. Given the amount of development going on at OO the only thing you can call it is Abandonware. What's astonishing to me is the complete lack of action on the part of the board as mentioned in the first comment. Every single one of those 100K downloads a month is a potential issue that will tarnish the Apache brand and tarnish it badly. <br> <p> This is literally the kind of thing that destroys brands as they are in effect deliberately providing software with known exploits with no acknowledgement of that.<br> </div> Wed, 02 Aug 2017 22:43:53 +0000 Waiting for AOO https://lwn.net/Articles/729677/ https://lwn.net/Articles/729677/ rahvin <div class="FormattedComment"> I concur, continuing to allow a known insecure product with no capability to fix those security issues should be evidence enough to shut down the downloads and redirect to LO until the issue is solved by development improving or shutting down the project. Every one of those downloads will potentially destroy the Apache name for someone unaware that OO is essentially abandonware. 
Until Apache can fix the issue they should halt binary downloads and redirect to LO.<br> </div> Wed, 02 Aug 2017 22:35:56 +0000 Waiting for AOO https://lwn.net/Articles/729671/ https://lwn.net/Articles/729671/ roc <div class="FormattedComment"> Seems like it would be a good thing for someone at LibreOffice to run a set of their exploitable-bug testcases against AOO, report the failures to AOO, and notify the Apache board and the public that they have done so (not necessarily identifying specific bugs), noting that this would also be very easy for an attacker to do.<br> <p> Then either AOO releases an update with fixes, improving things for their users, or they don't, putting even more pressure on the Apache board to do the right thing.<br> </div> Wed, 02 Aug 2017 20:53:04 +0000 Waiting for AOO https://lwn.net/Articles/729643/ https://lwn.net/Articles/729643/ dark_knight <div class="FormattedComment"> The text the OP quoted was likely originally typed by a US writer. In the US (and in plenty of other countries too), the comma is used as a thousands separator, while the dot is used as a decimal mark: <a href="https://en.wikipedia.org/wiki/Decimal_mark">https://en.wikipedia.org/wiki/Decimal_mark</a><br> <p> Being pedantic, "214,000,000 million" is incorrect either way.<br> </div> Wed, 02 Aug 2017 17:34:23 +0000 Waiting for AOO https://lwn.net/Articles/729642/ https://lwn.net/Articles/729642/ luya For those reasons, the Vancouver Public Library quietly switched from Apache OpenOffice to LibreOffice. Wed, 02 Aug 2017 17:26:37 +0000 Own mistakes https://lwn.net/Articles/729635/ https://lwn.net/Articles/729635/ tialaramex <div class="FormattedComment"> "that text has been removed from the official version on the Apache site."<br> <p> This itself is also not good. If you post "official" records but then quietly edit them over time, I have no choice but to assume bad faith in all the records I'm shown by you. 
Why should I believe anything Apache board members claim was "minuted" but which in fact it turns out they might have just edited into their records days, weeks or years later? One of the things I particularly watch for in modern news media (where no physical artefact captures whatever "mistakes" are published as once happened with newspapers) is whether when they inevitably correct a mistake they _acknowledge_ that or they instead just silently change things. <br> <p> Example: <a href="https://www.vox.com/identities/2017/7/31/16068972/trademarking-n-word-swastika-slants-supreme-court">https://www.vox.com/identities/2017/7/31/16068972/tradema...</a> is a story about trademarking slurs and other marks or identifiers we'd maybe rather see less of. But originally someone (the author? a sub-editor? it's not usual to tell the audience in the news media) decided on a headline about copyright. Except copyright is entirely separate law - even if I have met supposed "IP lawyers" who didn't know that - and it would be ludicrous to try to claim "copyright" for the simple geometric figure of a swastika. Sure enough the headline was corrected. But far more importantly to me, the updated article _acknowledges_ that it was previously wrong.<br> <p> Own your mistakes. This is (closer to LWN topicality) an important lesson for new programmers, especially people who are self taught or have never worked in a team before. If the reality is you pushed out a release that doesn't even compile, and then you spotted the typo six minutes later, that's fine, that's what the git repo should show. Don't come to me asking if there's a way to change history so that it seems as if it didn't happen that way. How does that help anybody? Own the mistake. Say to yourself "I am human and I screw up sometimes" and remember that when you see somebody else screw up too.<br> <p> And on the topic of this particular article you need to own bigger mistakes too. 
It doesn't matter if the Apache board genuinely believed in 2014 that this was a good idea, it should now be obvious to everyone that it wasn't. Board members allowing it to continue can't fall back to "Well we didn't know...", because they do now. Every day that they have the evidence in front of them that the project is failing and do nothing they're _culpable_ for that as members of the board. Daren't tell Jim he's wrong? Then you're in the wrong job, resign. Don't really have the time to spend on this stuff? Resign. If Apache is, as it has sometimes claimed, a vibrant community with plenty of people ready and willing to step forward then losing bad board members only strengthens Apache. If in fact the whole thing is rotten it's better to find out through a formal process (the whole board resigns and the organization ceases to exist) than a gradual drip-drip of rumours and insinuations.<br> </div> Wed, 02 Aug 2017 17:13:52 +0000 Waiting for AOO https://lwn.net/Articles/729636/ https://lwn.net/Articles/729636/ smoogen <div class="FormattedComment"> Downloads of software is a fairly useless number for any software these days. There is a surprising amount of adware that seems to just download links. Some of this is because the company connected with the adware is trying to show "look we boosted your downloads so use our marketing!" and sometimes it is the opposite.. your computer network is slow and we can fix it if you run this software. Other cases, software is repeatedly downloaded because it keeps a network link busy enough to not get budget cut. And there are probably a slew of other reasons where maybe only 1-10% of that 100,000 downloads are 'legitimate'.<br> <p> The usual way to really test that is by having programs which activate when the software is run and 'check updates' or some similar tool. The order of automatic update checks are usually 2-3 orders of magnitude smaller than the download counts show. 
I don't think either AOO or LOO have this though and a lot of people see that as spyware which I can understand.<br> </div> Wed, 02 Aug 2017 17:07:41 +0000 Waiting for AOO https://lwn.net/Articles/729629/ https://lwn.net/Articles/729629/ micka <div class="FormattedComment"> Well, that's the same thing, though I wonder what the second comma is for...<br> </div> Wed, 02 Aug 2017 16:34:13 +0000 Waiting for AOO https://lwn.net/Articles/729626/ https://lwn.net/Articles/729626/ kiko <div class="FormattedComment"> s/214,000,000 million/214 million/ perhaps<br> </div> Wed, 02 Aug 2017 16:03:39 +0000 Waiting for AOO https://lwn.net/Articles/729625/ https://lwn.net/Articles/729625/ vbabka <div class="FormattedComment"> This is very irresponsible of them, with respect to the number of downloads. They should finally realize this and just redirect people to LO. Continuing like this hurts the Apache Foundation credibility as well as the open source community as a whole. <br> </div> Wed, 02 Aug 2017 16:03:35 +0000