RE: Regression tests?

2016-03-29 Thread Dennis E. Hamilton 
+1 Patricia.  Go for it.

> -Original Message-
> From: Patricia Shanahan [mailto:p...@acm.org]
> Sent: Tuesday, March 29, 2016 06:00
> To: dev@openoffice.apache.org
> Subject: Re: Regression tests?
> 
> Thanks for this extremely useful information - far too useful to only
> exist in a mail archive. Any objection to me creating a "Test Overview"
> Wiki page and populating it initially by pasting in the body of your
> message?
> 
> I am running with the unit tests disabled for two reasons. Currently,
> some of them fail in my environment for what I think are test artifact
> reasons rather than actual bugs. Additionally, given how slow builds
> are, I am reluctant to add anything to that process.
> 
> In general, I think we really need scripts or ant targets that just run
> various categories of tests.
> 
> Patricia
[ ... ]


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

RE: Release Manager for 4.2.0?

2016-03-29 Thread Dennis E. Hamilton 


> -Original Message-
> From: Damjan Jovanovic [mailto:dam...@apache.org]
> Sent: Tuesday, March 29, 2016 02:30
> To: Apache OO 
> Subject: Re: Release Manager for 4.2.0?
[ ... ]
> 
> Let's rather research where AOO uses openssl instead of guessing.
> 
> I find the use of openssl for document encryption and signing highly
> unlikely, as NSS was used there to make use of Firefox's root CA
> certificates, and allow configuring personal digital signatures using
> the Firefox GUI.
[orcmid] 

I am confident that is not the case for Windows, where the OS certificate store 
is used for private keys and for managing them, such as choosing their email 
usage.  Whether an NSS library is in the path in any manner is unclear.  I 
operate on configurations that do not have Firefox installed.
> 
> So which modules use openssl?
> 
> $ grep openssl */prj/build.lst
> oox/prj/build.lst:ooxoox : vos cppu cppuhelper comphelper sal
> offapi sax basegfx xmlscript tools vcl BOOST:boost OPENSSL:openssl
> LIBXSLT:libxslt NULL
> openssl/prj/build.lst:ssl  openssl  :  soltools external EXPAT:expat
> NULL
> openssl/prj/build.lst:ssl  openssl usr1   -   all
>ssl_mkout NULL
> openssl/prj/build.lst:ssl  openssl nmake  -   all
>ssl_openssl NULL
> python/prj/build.lst:pypython:SO:so_prereq solenv
> OPENSSL:openssl NULL
> redland/prj/build.lst:rld redland : stlport soltools
> LIBXML2:libxml2 LIBXSLT:libxslt OPENSSL:openssl NULL
> ucb/prj/build.lst:uc ucb : cppuhelper CURL:curl OPENSSL:openssl
> LIBXML2:libxml2 LIBXSLT:libxslt offapi sal salhelper ucbhelper udkapi
> comphelper SERF:serf tools NULL
> 
> Eliminating the openssl module itself from the above results, we have
> dependencies to it in oox, python, redland, and ucb.
> 
> Oox (used for OOXML, not ODF) uses it in the short
> lclCheckEncryptionData() function to detect encryption. It uses it
> exclusively for AES crypto.
> 
> Python could use it for just about anything, but we don't care because
> Python is itself optional.
> 
> Redland is an RDF library. It is used by unoxml. Not sure for what.
[orcmid] 

There are some manifest.rdf files included as boilerplate in ODF 1.2 packages.  
They are produced automatically.  I don't think they are consumed in any 
manner, but they might be parsed anyhow [;<).  They are included in signed 
packages and they are encrypted in encrypted packages.  They have no dependency 
in the ODF specification.  So far, they are there for mining of document 
metadata by external products.

PS: Handling of external entities in XML files can lead to use of internet 
transport.  Not certain what the use case might be.  It is not something that 
would be done with AOO-created XML inside ODF.

PPS: The access to external components from within ODF documents can involve 
Internet transport.  Won't this exercise the dependency from CURL that Don 
Lewis mentions?

> 
> Ucb apparently uses it for webdav. It doesn't call openssl APIs, but
> links to openssl because it uses serf.
[orcmid] 

WebDAV servers can require negotiation of HTTP authentication.  That may be the 
reason for this.  WebDAV protocol is atop HTTP.

> 
> Serf needs openssl and is only used by ucb.
> 
> Damjan
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

DO NOT OPEN OR DOWNLOAD 000000889723.zip

2016-03-29 Thread Dennis E. Hamilton 
A direct post to ooo-commits @incubator.apache.org (and delivered via commits@ 
openoffice.apache.org) consists of a Zip having serious malicious content.

If you are subscribed to the commits list, please delete the message that has 
no subject and the attachment 00889723.zip without inspecting it.  If you 
have anti-virus/malware software that checks your incoming email and 
attachments, please honor its detection.

We will look to see how to obtain better filtering on the commits@ list, which 
technically is only used by the SVN system to report commits made to the Apache 
OpenOffice code base.

 - Dennis


> -Original Message-
> From: Support [mailto:supp...@accrodustyle.com]
> Sent: Tuesday, March 29, 2016 00:43
> To: ooo-comm...@incubator.apache.org
> Subject: Spam (24.531):
> 
> 

[orcmid] 
Original message headers:

Return-path: 

[ ... last hop information deleted for personal privacy reasons ...]
X-Virus-Scanned: by MailRoute
X-Spam-Flag: YES
X-Spam-Score: 24.531
X-Spam-Level: 
X-Spam-Status: Yes, score=24.531 tagged_above=- required=7
tests=[AV:Sanesecurity.Malware.25963.JsHeur.UNOFFICIAL=4,
BODY_URI_ONLY=1, DKIM_INVALID=1, DKIM_SIGNED=-0.1,
HEADER_FROM_DIFFERENT_DOMAINS=0.001, KAM_BADPHP=2.5, L_AV_Any=2,
L_AV_SS_Malware=14, MR_PERM_ANY=0.01, MR_PERM_MAILING_LIST=0.01,
MR_ZIP_ATTACH=0.1, T_DKIM_INVALID=0.01] autolearn=disabled
Authentication-Results: 004.las.mailroute.net. (mroute_mailscanner);
dkim=fail (1024-bit key) reason="fail (body has been altered)"
header.d=accrodustyle.com
Received: from in-004.las.mailroute.net ([199.89.4.7])
by localhost (004.las.mailroute.net. [127.0.0.1]) (mroute_mailscanner, 
port 10024)
with LMTP id PqRwBWfRHWKn for ;
Tue, 29 Mar 2016 07:36:58 + (UTC)
X-Envelope-From: 

Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
by in-004.las.mailroute.net (Postfix) with SMTP id 3qZ2fL54sHz5vQf
for ; Tue, 29 Mar 2016 07:36:58 + (UTC)
Received: (qmail 38011 invoked by uid 500); 29 Mar 2016 07:36:58 -
Mailing-List: contact commits-h...@openoffice.apache.org; run by ezmlm
Precedence: bulk
List-Help: 
List-Unsubscribe: 
List-Post: 
List-Id: 
Reply-To: dev@openoffice.apache.org
Delivered-To: mailing list comm...@openoffice.apache.org
Received: (qmail 38002 invoked by uid 500); 29 Mar 2016 07:36:57 -
Delivered-To: apmail-incubator-ooo-comm...@incubator.apache.org
Received: (qmail 37999 invoked by uid 99); 29 Mar 2016 07:36:57 -
Received: from pnap-us-west-generic-nat.apache.org (HELO 
spamd2-us-west.apache.org) (209.188.14.142)
by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 29 Mar 2016 07:36:57 +
Received: from localhost (localhost [127.0.0.1])
by spamd2-us-west.apache.org (ASF Mail Server at 
spamd2-us-west.apache.org) with ESMTP id 723E61A0400
for ; Tue, 29 Mar 2016 07:36:57 + 
(UTC)
X-X-Spam-Flag: NO
X-X-Spam-Score: 4.355
X-X-Spam-Level: 
X-X-Spam-Status: No, score=4.355 tagged_above=-999 required=6.31
tests=[DKIM_SIGNED=0.1, FROM_12LTRDOM=0.1,
HEADER_FROM_DIFFERENT_DOMAINS=0.001, KAM_BADPHP=2.5,
RCVD_IN_BRBL_LASTEXT=1.644, T_DKIM_INVALID=0.01] autolearn=disabled
Authentication-Results: spamd2-us-west.apache.org (amavisd-new);
dkim=fail (1024-bit key) reason="fail (body has been altered)"
header.d=accrodustyle.com
Received: from mx1-lw-us.apache.org ([10.40.0.8])
by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 
10024)
with ESMTP id Or1ruTzSVX-E for ;
Tue, 29 Mar 2016 07:36:55 + (UTC)
Received: from ns313532.ip-188-165-229.eu (ns313532.ip-188-165-229.eu 
[188.165.229.126])
by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with 
ESMTP id 43DE65F238
for ; Tue, 29 Mar 2016 07:36:55 + 
(UTC)
Received: by ns313532.ip-188-165-229.eu (Postfix, from userid 502)
id 43705A09B3; Tue, 29 Mar 2016 09:42:49 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.10.3 ns313532.ip-188-165-229.eu 43705A09B3
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accrodustyle.com;
s=default; t=1459237370;
bh=Eo9WOLFgJtBfiADgN8XGm8tToJQXbXNFgLSmmndGwKc=;
h=To:Subject:Date:From:Reply-To:From;
b=wmLoa3ny72OeTds8mDMFkv6PYF2zf87yiTDioDcM9vGzt7eD+/V4o67gTFexhR+AC
 ASOCniuf621i2dsZX733m9ejyTrTUqFb9APnPkmYlBYERDs0LNLBhybbxwVhxWYFSF
 Fyvxxafsqb7co9yqqs2g5DLUC7rZfbN4nhezC8lc=
To: ooo-comm...@incubator.apache.org
Subject: Spam (24.531):
X-PHP-Originating-Script: 502:post.php(4) : regexp code(1) : eval()'d code(17) 
: eval()'d code
Date: Tue, 29 Mar 2016 09:42:49 +0200
From: "Support" 
Reply-To: "Support" 
Message-ID: 
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="b1_00758c1f

Re: Regression tests?

2016-03-29 Thread Patricia Shanahan 
Thanks for this extremely useful information - far too useful to only 
exist in a mail archive. Any objection to me creating a "Test Overview" 
Wiki page and populating it initially by pasting in the body of your 
message?


I am running with the unit tests disabled for two reasons. Currently, 
some of them fail in my environment for what I think are test artifact 
reasons rather than actual bugs. Additionally, given how slow builds 
are, I am reluctant to add anything to that process.


In general, I think we really need scripts or ant targets that just run 
various categories of tests.


Patricia

On 3/29/2016 5:18 AM, Damjan Jovanovic wrote:

We have many different types of tests. The documentation on them is
sparse, scattered and outdated; a Wiki page is sorely needed.

Unit tests are used by a few modules, run during the build (unless you
pass --disable-unit-tests to ./configure), cause the build to fail if
they fail (though I've noticed segmentation faults in tests are
apparently ignored), but they cannot rely on the entire AOO
environment to be available, only their module to have been built.
Previously we used cppunit for this, but have since moved to Google
Test. This is best for low-level self-contained functionality. They
are always in C/C++.

"Subsequent tests" are tests run after AOO is built. These use Junit
and are written in Java. IIRC they're off by default, you have to
define the environment variable OOO_SUBSEQUENT_TESTS when you run
"build" on the module you want to run them on, but some extra Google
Tests also run with that variable. I don't really know much about
them.

The qa tests are integration tests in the test/ directory (same
directory level as main/). They do not run during the build, and have
to be invoked separately, but can be invoked on an arbitrary AOO
instance, so you can easily run the same tests against different AOO
versions. You have to leave your computer unattended while they run,
as the tests move and click the mouse, type buttons on the keyboard,
and use the clipboard. There are several test categories: the bvt
(basic verification test) is a default set of basic tests, fvt
(functional verification test) has a lot more, pvt (performance
verification tests) measures performance, etc. Because each test opens
a new AOO instance and exits afterwards, they take ages: 10 minutes
for bvt, 1 hour for fvt. You can read more on
https://wiki.openoffice.org/wiki/QA/test_automation_guide#Getting_started_with_command_line

In main/smoketestoo_native there is a "smoketest" written in
StarBasic, that tests various functionality. It began to be refactored
as a qa test, and has been copied there now and runs as a bvt test.

We also have a spreadsheet test running as an fvt test, which can be
used to verify things work by examining a specially formatted
spreadsheet that uses spreadsheet functions or macros to obtain
results. You can see examples in
test/testuno/source/fvt/uno/sc/formula/TestFormulaDocs.java

It's worth noting that these testing frameworks need some attention.
The refactoring effort while IBM was still contributing left things
unfinished. Some test code disappeared, breaking some unit tests and
subsequent tests. Many tests (about 2 bvt tests and 25 fvt tests) have
been failing for a while. The smoketest in test/ needs to use the
document built in main/smoketestoo_native during the build instead of
its private copy (but the test/ directory is designed to be separate
from the build - should it build the document using Java functions
instead?). Also these Java qa tests seem new and some are unfinished -
were they ported from somewhere (smoketest?)?

Damjan

On Tue, Mar 29, 2016 at 5:53 AM, Patricia Shanahan  wrote:

I have a few simple changes I would like to check in. Before doing that, I
would normally run regression tests against my working copy. In any case, as
one of the few people who are building on Windows, I should test early, test
often.

What tests do people normally run to check that changes do not have
unintended consequences?

Thanks,

Patricia

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: Regression tests?

2016-03-29 Thread Damjan Jovanovic 
We have many different types of tests. The documentation on them is
sparse, scattered and outdated; a Wiki page is sorely needed.

Unit tests are used by a few modules, run during the build (unless you
pass --disable-unit-tests to ./configure), cause the build to fail if
they fail (though I've noticed segmentation faults in tests are
apparently ignored), but they cannot rely on the entire AOO
environment to be available, only their module to have been built.
Previously we used cppunit for this, but have since moved to Google
Test. This is best for low-level self-contained functionality. They
are always in C/C++.

"Subsequent tests" are tests run after AOO is built. These use Junit
and are written in Java. IIRC they're off by default, you have to
define the environment variable OOO_SUBSEQUENT_TESTS when you run
"build" on the module you want to run them on, but some extra Google
Tests also run with that variable. I don't really know much about
them.

The qa tests are integration tests in the test/ directory (same
directory level as main/). They do not run during the build, and have
to be invoked separately, but can be invoked on an arbitrary AOO
instance, so you can easily run the same tests against different AOO
versions. You have to leave your computer unattended while they run,
as the tests move and click the mouse, type buttons on the keyboard,
and use the clipboard. There are several test categories: the bvt
(basic verification test) is a default set of basic tests, fvt
(functional verification test) has a lot more, pvt (performance
verification tests) measures performance, etc. Because each test opens
a new AOO instance and exits afterwards, they take ages: 10 minutes
for bvt, 1 hour for fvt. You can read more on
https://wiki.openoffice.org/wiki/QA/test_automation_guide#Getting_started_with_command_line

In main/smoketestoo_native there is a "smoketest" written in
StarBasic, that tests various functionality. It began to be refactored
as a qa test, and has been copied there now and runs as a bvt test.

We also have a spreadsheet test running as an fvt test, which can be
used to verify things work by examining a specially formatted
spreadsheet that uses spreadsheet functions or macros to obtain
results. You can see examples in
test/testuno/source/fvt/uno/sc/formula/TestFormulaDocs.java

It's worth noting that these testing frameworks need some attention.
The refactoring effort while IBM was still contributing left things
unfinished. Some test code disappeared, breaking some unit tests and
subsequent tests. Many tests (about 2 bvt tests and 25 fvt tests) have
been failing for a while. The smoketest in test/ needs to use the
document built in main/smoketestoo_native during the build instead of
its private copy (but the test/ directory is designed to be separate
from the build - should it build the document using Java functions
instead?). Also these Java qa tests seem new and some are unfinished -
were they ported from somewhere (smoketest?)?

Damjan

On Tue, Mar 29, 2016 at 5:53 AM, Patricia Shanahan  wrote:
> I have a few simple changes I would like to check in. Before doing that, I
> would normally run regression tests against my working copy. In any case, as
> one of the few people who are building on Windows, I should test early, test
> often.
>
> What tests do people normally run to check that changes do not have
> unintended consequences?
>
> Thanks,
>
> Patricia
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org
>

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: Release Manager for 4.2.0?

2016-03-29 Thread Damjan Jovanovic 
On Mon, Mar 28, 2016 at 10:59 PM, Don Lewis  wrote:
> On 28 Mar, Pedro Giffuni wrote:
>> Hi Don;
>>
>>> On 28 Mar, Pedro Giffuni wrote:
>>> > In reply to Don,
>>>
>>> >> The versions of openssl and curl badly need updating for the same
>>> >> reason, and there is one CVE for serf.
>>> >
>>> > FreeBSD casually keeps some backported updates for the same openssl
>>> > version AOO uses:
>>> >
>>> > https://svnweb.freebsd.org/base/stable/9/crypto/openssl/?view=log
>>> >
>>> > It should be pretty straightforward to take them from there and use
>>> them
>>> > into
>>> > main/openssl with minor adaptions.
>>>
>>> That would fix only part of the problem.  The other part of the problem
>>> is that the version of openssl that we currently bundle doesn't
>>> implement the newer and more secure protocols and ciphers.  The older
>>> and less secure ones are gradually getting disabled on the server side.
>>>
>>> For instance, my only copy of Windows is XP, and the last version of IE
>>> released for XP can no longer connect to some web sites because they
>>> have disabled all of the protocols that IE supports.
>>>
>>
>> That is a valid concern, however I am unsure about what in OpenOffice
>> uses the new cyphers. I think OpenSSL is used for signing documents:
>> when we update OpenSSL will AOO automatically accept more signing
>> options? I would expect browsers will bring their own SSL
>> implementations.
>
> I don't know what OpenOffice uses it for, either, but I would expect
> that it also gets used for downloading extensions.  I hadn't even
> thought about signatures.  That's something I haven't exercised it at
> all.

Let's rather research where AOO uses openssl instead of guessing.

I find the use of openssl for document encryption and signing highly
unlikely, as NSS was used there to make use of Firefox's root CA
certificates, and allow configuring personal digital signatures using
the Firefox GUI.

So which modules use openssl?

$ grep openssl */prj/build.lst
oox/prj/build.lst:ooxoox : vos cppu cppuhelper comphelper sal
offapi sax basegfx xmlscript tools vcl BOOST:boost OPENSSL:openssl
LIBXSLT:libxslt NULL
openssl/prj/build.lst:ssl  openssl  :  soltools external EXPAT:expat NULL
openssl/prj/build.lst:ssl  openssl usr1   -   all
   ssl_mkout NULL
openssl/prj/build.lst:ssl  openssl nmake  -   all
   ssl_openssl NULL
python/prj/build.lst:pypython:SO:so_prereq solenv
OPENSSL:openssl NULL
redland/prj/build.lst:rld redland : stlport soltools
LIBXML2:libxml2 LIBXSLT:libxslt OPENSSL:openssl NULL
ucb/prj/build.lst:uc ucb : cppuhelper CURL:curl OPENSSL:openssl
LIBXML2:libxml2 LIBXSLT:libxslt offapi sal salhelper ucbhelper udkapi
comphelper SERF:serf tools NULL

Eliminating the openssl module itself from the above results, we have
dependencies to it in oox, python, redland, and ucb.

Oox (used for OOXML, not ODF) uses it in the short
lclCheckEncryptionData() function to detect encryption. It uses it
exclusively for AES crypto.

Python could use it for just about anything, but we don't care because
Python is itself optional.

Redland is an RDF library. It is used by unoxml. Not sure for what.

Ucb apparently uses it for webdav. It doesn't call openssl APIs, but
links to openssl because it uses serf.

Serf needs openssl and is only used by ucb.

Damjan

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org