Three concerns, in addition to the ones Gianluca expressed already: 1. The extensions.services.openoffice.org site is not working reliably and is not operated by ASF. Any in-product access to the site has to work well and deal with unavailability.
2. I repeat my security concern over the increase of the product attack surface when such downloading and installation is done internal to operation of the product or its installer (which may already require elevated privileges) without coming up with stronger means for authenticating extension downloads. (The dictionary case is for data, so that is not quite so scary. Authentication still matters.) 3. Any automatic update mechanism is a further concern. A security review activity is apparently missing from the development and feature-decision process. That is not going to serve us well considering that this is a consumer product directed toward non-expert and household users. It must be assumed that our turn will come. -----Original Message----- From: Andre Fischer [mailto:a...@a-w-f.de] Sent: Thursday, November 24, 2011 05:29 To: ooo-dev@incubator.apache.org Subject: Re: GPL'd dictionaries (was Re: ftp.services.openoffice.org?) Hi all, The last open item on the IP clearance wiki page is the removal of the dictionary module from the AOO source code. In order to provide a developer build in the near future that does not contain category-x licensed code we need a short term solution. The central question is if we have to really remove the dictionaries at all. I did not see a definitive answer, so to be on the safe side I assume that the dictionary module should be removed. This leaves the question of a replacement. One relatively straight forward way seems to be to use the extensions that can be found at http://extensions.services.openoffice.org/en/dictionaries. Two ways of using these extensions come to (my) mind: A. Download the extension (assuming that the right locale can be detected) automatically from the extension repository during installation. B. As last step of the installation, pop up a web page that, among other things, tells the user that there is a dictionary extension that can be installed and what its license is. Variant A has the better usability but may not be acceptable from a legal view. Variant B would allow to display additional information and could offer other (dictionary) extensions as well but would require more work to be implemented. One problem with both variants is that extensions.services.openoffice.org already seems to have load problems. When everybody who installs Apache OpenOffice has to access this server then its load would increase dramatically with a new release. Unless there are objections I will remove the dictionary module now, to clear the way for a category-x free developer build (or whatever its name should be). For the 3.4 release we have to decide on and implement a replacement. Best regards, Andre
