On 03/23/2012 02:17 PM, Rob Weir wrote: > On Fri, Mar 23, 2012 at 5:11 PM, Girvin R. Herr > <[email protected]> wrote: >> Dave, >> Thanks for the quick, encouraging response. >> I thought this security patch was part of an Apache effort and sanction. I >> was not aware that it was produced by a 3rd party without Apache support. > > That's a logical leap without basis. It is possible for a small group > at Apache to have produced the patch and for there to be no policy > against Linux. In fact both statements are true. > > Remember, we're not a commercial software vendor. Apache is a > non-profit, run by volunteers. If volunteers wish to make a Linux > patch, then they will. And it appears they will. We've certainly > been building and testing OpenOffice 3.4 for Linux. If there are > volunteers for Solaris, BSD, OS/2 or whatever, those patches will also > appear. The Apache license allows anyone to take this code and build > it on whatever platform they want. > >> My apologies to all. I will still keep an eye on it, but I am relieved that >> the Linux omission was not a result of Apache policy. > > Again, policy has nothing to do with this. ...
Really? Then perhaps you can tell us were to find the linux patch. It's now April 18. AOO couldn't figure out a linux patch in all that time? Is there a different mirror than: <http://www.eng.lsu.edu/mirrors/apache//incubator/ooo/3.3/patches/cve-2012-0037/> with the linux patch(s)? Seems pretty sad that AOO are unable to provide a linux patch when the Windows and Mac patches were provided 21 March. Makes one wonder if Apache even plan to support linux AOO. Particularly given this statement: "Linux and other platforms should consult their distro or OS vendor for patch instructions." on <http://www.openoffice.org/security/cves/CVE-2012-0037.html>. BTW: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0037> is still showing: CVE-2012-0037 (under review) "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. " Nor is there any mention of that CVE here: <https://incubator.apache.org/openofficeorg/security.html> So perhaps it really isn't something to worry about afterall. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
