Re: Release Manager for 4.2.0?

[Keith N. McKenna]

>>
> 
> Hi all--
> 
> I am volunteering to be release manager for 4.2.0.  I have been involved
> in all the AOO releases since 3.40, and I'm familiar with the process.
> Like all of us involved with the project, I am a volunteer. Due to this,
> I can not provide an expected release date. Releases, as we know are
> community efforts. We'll release when we feel 4.2.0 is ready.
> 
> So, I will let this offer stand the weekend just in case someone else
> feels they'd LOVE to do this. If we don't have any objections to my
> being the next release manager over the next 72 hours, we can get
> started next week ironing out what needs to be done. We will need LOTS
> of help!
> 
> 
Kay that is great for volunteering. I also will help wherever I can.

Keith




signature.asc
Description: OpenPGP digital signature

Re: Release Manager for 4.2.0?

[Marcus]

Am 08/19/2016 07:41 PM, schrieb Kay sch...@apache.org:


On 01/28/2016 04:06 PM, Andrea Pescetti wrote:

As I wrote a few day ago, in theory it would be good to release
OpenOffice 4.2.0 in February. If it happens a bit later it wouldn't be a
big issue, but I believe that, in the constant balance between periods
where we are focused on talks (internal to OpenOffice and with the
enlarged community) and periods where we are more focused on the
OpenOffice product, it's time to start working again towards a release.

For 4.2.0 we need a Release Manager. I would prefer NOT to be the
Release Manager for 4.2.0 since I'm finding that in this period I can
help more productively with tasks that do not require constant
interaction than with tasks that require a constant monitoring of
project channels.

I am surely available to have a significant role in the 4.2.0 release,
especially with getting localization working again (actually, this mail
also serves as announcement that I am going to ask for higher privileges
on the Pootle server in order to check the translation workflow); but if
someone else steps in as a Release Manager we could deliver earlier.

So if anyone is interested feel free to discuss this on list, or to
contact me off-list if you prefer, or to discuss in person at FOSDEM
next weekend!

Regards,
   Andrea.



Hi all--

I am volunteering to be release manager for 4.2.0.  I have been involved
in all the AOO releases since 3.40, and I'm familiar with the process.
Like all of us involved with the project, I am a volunteer. Due to this,
I can not provide an expected release date. Releases, as we know are
community efforts. We'll release when we feel 4.2.0 is ready.

So, I will let this offer stand the weekend just in case someone else
feels they'd LOVE to do this. If we don't have any objections to my
being the next release manager over the next 72 hours, we can get
started next week ironing out what needs to be done. We will need LOTS
of help!


thanks for volunteering. I'll support you where I can and when my spare 
time allows it.


Marcus


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: configure error

[Patricia Shanahan]

On 8/19/2016 2:57 PM, Don Lewis wrote:
...

Hmn, I see that the error that you are seeing is coming from set_soenv
and not configure.  Did you rerun autoconf to regenerate configure after
the update?

...

A very good question. Reminder-to-self: Use the step-by-step 
instructions rather than relying on memory. Thanks.


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: configure error

[Don Lewis]

On 19 Aug, Patricia Shanahan wrote:
> 
> 
> On 8/19/2016 12:51 PM, Don Lewis wrote:
>> On 19 Aug, Patricia Shanahan wrote:
>>> I did an "svn update". Now configure is failing:
>>>
>>> 
>>> *  *
>>> *   Setting up the build environment variables.*
>>> *  *
>>> 
>>> checking solver path... default
>>> configure: writing config.status
>>> configure: creating ./config.status
>>> config.status: creating set_soenv
>>> config.status: creating Makefile
>>> Possible unintended interpolation of @HAMCREST_CORE_JAR in string at
>>> ./set_soenv line 1644.
>>> Global symbol "@HAMCREST_CORE_JAR" requires explicit package name (did
>>> you forget to declare "my @HAMCREST_CORE_JAR"?) at ./set_soenv line 1644.
>>> Execution of ./set_soenv aborted due to compilation errors.
>>
>> Either disable junit or add --with-hamcrest-core.
>>
>> This is why the Linux buildbots have been failing recently.
> 
> I tried adding the hamcrest option, and it just causes an additional 
> message:
> 
> configure: WARNING: unrecognized options: --with-hamcrest-core
> 
> Maybe I need a different configure version from the one checked in under 
> https://svn.apache.org/repos/asf/openoffice/trunk
> 
> Here are my full configure parameters:
> 
> Patricia@Jan2014Desktop /cygdrive/c/OpenOfficeDev/Trunk/main
> $ more run_configure.sh
> SDK_PATH="/cygdrive/c/Program Files/Microsoft SDKs/Windows/v7.0"
> ./configure \
>  --with-frame-home="$SDK_PATH" \
>  --with-psdk-home="$SDK_PATH" \
>  --with-midl-path="$SDK_PATH/bin" \
>  --disable-directx \
>  --with-ant-home="/cygdrive/c/ant" \
>  
> --with-dmake-url="http://dmake.apache-extras.org.codespot.com/files/dmake-4.12.tar.bz2;
>  
> \
>  
> --with-epm-url="http://www.msweet.org/files/project2/epm-3.7-source.tar.gz; 
> \
>  --enable-pch \
>  --disable-atl \
>  --disable-activex \
>  --without-junit \
>  --with-hamcrest-core \
>  --with-jdk-home="/cygdrive/c/Program Files (x86)/Java/jdk1.7.0_79"

Strange ...

I haven't played with it, but --with-hamcrest-core should specify the
location of the hamcrest-core .jar file unless you have it installed in
one of the places that configure looks for it.  You shouldn't need
hamcrest since you are specifying --without-junit.

I ran into configure problems when I updated after the junit/hamcrest
change and all I did was remove -with-junit from my configure command
line.

Hmn, I see that the error that you are seeing is coming from set_soenv
and not configure.  Did you rerun autoconf to regenerate configure after
the update?




-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

[PROPOSAL] General Availability of ApacheOpenOffice 4.1.2-patch1 Hotfixes

[Dennis E. Hamilton]

[BCC PMC, FYI QA]

At this time, the preparation and dev@/qa@ confirmation of the AOO 4.1.2-patch1 
Hotfixes has quieted.

I propose that the current binaries be placed into general availability.  I am 
initiating lazy consensus to end not before Tuesday, 2016-08-23T22:00Z. 

MATERIALS TO BE AVAILABLE

 * The file hotfix.html at 
   
   will be made available at 
   

 * The directory folder 
   
   will be made available as a subdirectory of 
   .

ANNOUNCEMENT OF AVAILABILITY

  * The CVE-2016-1513 advisory, 
,
will be reissued to include availability of the hotfix and 
refer users to the hotfix.html page in the archive 4.1.2-patch1
location.

  * There will be an accompanying announcement on dev@, users@,
and in the two bugzilla issues related to the defect that the
hotfix applies to.

WHAT TO REVIEW

You can find everything to be made available by starting with the hotfix.html 
page at 
.

IGNORE the Source column.  The source release has already occurred, and those 
links will not be valid until deployment of hotfix.html to the archive location.

The README files are the next materials to examine.  There you can learn more 
about the hotfix for each of the four platforms: Windows, MacOSX, Linux32, and 
Linux64.  Follow any of the procedures that you want to verify.


 - Dennis

   







-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: configure error

[Patricia Shanahan]

On 8/19/2016 12:51 PM, Don Lewis wrote:

On 19 Aug, Patricia Shanahan wrote:

I did an "svn update". Now configure is failing:


*  *
*   Setting up the build environment variables.*
*  *

checking solver path... default
configure: writing config.status
configure: creating ./config.status
config.status: creating set_soenv
config.status: creating Makefile
Possible unintended interpolation of @HAMCREST_CORE_JAR in string at
./set_soenv line 1644.
Global symbol "@HAMCREST_CORE_JAR" requires explicit package name (did
you forget to declare "my @HAMCREST_CORE_JAR"?) at ./set_soenv line 1644.
Execution of ./set_soenv aborted due to compilation errors.


Either disable junit or add --with-hamcrest-core.

This is why the Linux buildbots have been failing recently.


I tried adding the hamcrest option, and it just causes an additional 
message:


configure: WARNING: unrecognized options: --with-hamcrest-core

Maybe I need a different configure version from the one checked in under 
https://svn.apache.org/repos/asf/openoffice/trunk


Here are my full configure parameters:

Patricia@Jan2014Desktop /cygdrive/c/OpenOfficeDev/Trunk/main
$ more run_configure.sh
SDK_PATH="/cygdrive/c/Program Files/Microsoft SDKs/Windows/v7.0"
./configure \
--with-frame-home="$SDK_PATH" \
--with-psdk-home="$SDK_PATH" \
--with-midl-path="$SDK_PATH/bin" \
--disable-directx \
--with-ant-home="/cygdrive/c/ant" \

--with-dmake-url="http://dmake.apache-extras.org.codespot.com/files/dmake-4.12.tar.bz2; 
\


--with-epm-url="http://www.msweet.org/files/project2/epm-3.7-source.tar.gz; 
\

--enable-pch \
--disable-atl \
--disable-activex \
--without-junit \
--with-hamcrest-core \
--with-jdk-home="/cygdrive/c/Program Files (x86)/Java/jdk1.7.0_79"

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: svn commit: r1756954 [1/2] - in /openoffice/trunk/main: ./ openssl/

[Don Lewis]

On 19 Aug, To: dev@openoffice.apache.org wrote:
> On 19 Aug, Dennis E. Hamilton wrote:
>> Great commit messages!
>> 
>>> -Original Message-
>>> From: truck...@apache.org [mailto:truck...@apache.org]
>>> Sent: Friday, August 19, 2016 11:28
>>> To: comm...@openoffice.apache.org
>>> Subject: svn commit: r1756954 [1/2] - in /openoffice/trunk/main: ./
>>> openssl/
>>> 
>>> Author: truckman
>>> Date: Fri Aug 19 18:28:06 2016
>>> New Revision: 1756954
>>> 
>>> URL: http://svn.apache.org/viewvc?rev=1756954=rev
>>> Log:
>>> Update the bundled version of OpenSSL from 0.9.8zh to 1.0.2h which
>>> fixes many vulnerabiliies and adds support for newer, more secure
>>> ciphers and versions of the protocol.
>>> 
>>> Note: OpenSSL version 1.0.2h contains two known minor vulnerabilites,
>>> CVE-2016-2177 and CVE-2016-2178, which will be fixed in the next
>>> OpenSSL release.  Their potential impact is low enough that that
>>> various Linux distros have chosen not to apply the upstream patches
>>> to the versions that they distribute.
>>> 
>>> On Windows, there is an optional new dependency on NASM,
>>> .  If NASM is not available, then the C
>>> implementations of the low-level crypto code will be used instead
>>> of the optimized assembly language versions.  Since OpenOffice is
>>> not a heavy user of this code, the impact should be minor.  If NASM
>>> is installed, but its location is not in $PATH, the directory
>>> containing nasm.exe should be passed to configure using --with-nasm-
>>> home.
>>> 
>> [ ... ]
>> [orcmid] 
>> 
>> Does the NASM code do the right thing with regard to CPU model
>> detection?  It sounds like there may be dependencies on instructions
>> that may not be on all processors for which Apache OpenOffice is
>> supported.  I am thinking in particular about processors on which
>> Windows XP will run but Windows 7 and later will not because of
>> hardware protection requirements and, I suspect, extended instruction
>> sets.
> 
> It is supposed to select the appropriate version of the code at runtime
> based on the CPU feature bits that tell whether the machine supports the
> newer SSE* and AVX instructions.  I should be able to give this a try in
> the next few days.

I'm pretty sure the old version of OpenSSL also had optimized assembly
language code as well.  What's interesting is that the VS 7 assembler
wasn't choking on any of the newer instructions but on a couple of
ordinary looking MOV instructions.


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: svn commit: r1756954 [1/2] - in /openoffice/trunk/main: ./ openssl/

[Don Lewis]

On 19 Aug, Dennis E. Hamilton wrote:
> Great commit messages!
> 
>> -Original Message-
>> From: truck...@apache.org [mailto:truck...@apache.org]
>> Sent: Friday, August 19, 2016 11:28
>> To: comm...@openoffice.apache.org
>> Subject: svn commit: r1756954 [1/2] - in /openoffice/trunk/main: ./
>> openssl/
>> 
>> Author: truckman
>> Date: Fri Aug 19 18:28:06 2016
>> New Revision: 1756954
>> 
>> URL: http://svn.apache.org/viewvc?rev=1756954=rev
>> Log:
>> Update the bundled version of OpenSSL from 0.9.8zh to 1.0.2h which
>> fixes many vulnerabiliies and adds support for newer, more secure
>> ciphers and versions of the protocol.
>> 
>> Note: OpenSSL version 1.0.2h contains two known minor vulnerabilites,
>> CVE-2016-2177 and CVE-2016-2178, which will be fixed in the next
>> OpenSSL release.  Their potential impact is low enough that that
>> various Linux distros have chosen not to apply the upstream patches
>> to the versions that they distribute.
>> 
>> On Windows, there is an optional new dependency on NASM,
>> .  If NASM is not available, then the C
>> implementations of the low-level crypto code will be used instead
>> of the optimized assembly language versions.  Since OpenOffice is
>> not a heavy user of this code, the impact should be minor.  If NASM
>> is installed, but its location is not in $PATH, the directory
>> containing nasm.exe should be passed to configure using --with-nasm-
>> home.
>> 
> [ ... ]
> [orcmid] 
> 
> Does the NASM code do the right thing with regard to CPU model
> detection?  It sounds like there may be dependencies on instructions
> that may not be on all processors for which Apache OpenOffice is
> supported.  I am thinking in particular about processors on which
> Windows XP will run but Windows 7 and later will not because of
> hardware protection requirements and, I suspect, extended instruction
> sets.

It is supposed to select the appropriate version of the code at runtime
based on the CPU feature bits that tell whether the machine supports the
newer SSE* and AVX instructions.  I should be able to give this a try in
the next few days.


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

RE: svn commit: r1756954 [1/2] - in /openoffice/trunk/main: ./ openssl/

[Dennis E. Hamilton]

Great commit messages!

> -Original Message-
> From: truck...@apache.org [mailto:truck...@apache.org]
> Sent: Friday, August 19, 2016 11:28
> To: comm...@openoffice.apache.org
> Subject: svn commit: r1756954 [1/2] - in /openoffice/trunk/main: ./
> openssl/
> 
> Author: truckman
> Date: Fri Aug 19 18:28:06 2016
> New Revision: 1756954
> 
> URL: http://svn.apache.org/viewvc?rev=1756954=rev
> Log:
> Update the bundled version of OpenSSL from 0.9.8zh to 1.0.2h which
> fixes many vulnerabiliies and adds support for newer, more secure
> ciphers and versions of the protocol.
> 
> Note: OpenSSL version 1.0.2h contains two known minor vulnerabilites,
> CVE-2016-2177 and CVE-2016-2178, which will be fixed in the next
> OpenSSL release.  Their potential impact is low enough that that
> various Linux distros have chosen not to apply the upstream patches
> to the versions that they distribute.
> 
> On Windows, there is an optional new dependency on NASM,
> .  If NASM is not available, then the C
> implementations of the low-level crypto code will be used instead
> of the optimized assembly language versions.  Since OpenOffice is
> not a heavy user of this code, the impact should be minor.  If NASM
> is installed, but its location is not in $PATH, the directory
> containing nasm.exe should be passed to configure using --with-nasm-
> home.
> 
[ ... ]
[orcmid] 

Does the NASM code do the right thing with regard to CPU model detection?  It 
sounds like there may be dependencies on instructions that may not be on all 
processors for which Apache OpenOffice is supported.  I am thinking in 
particular about processors on which Windows XP will run but Windows 7 and 
later will not because of hardware protection requirements and, I suspect, 
extended instruction sets.



-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: configure error

[Don Lewis]

On 19 Aug, Patricia Shanahan wrote:
> I did an "svn update". Now configure is failing:
> 
> 
> *  *
> *   Setting up the build environment variables.*
> *  *
> 
> checking solver path... default
> configure: writing config.status
> configure: creating ./config.status
> config.status: creating set_soenv
> config.status: creating Makefile
> Possible unintended interpolation of @HAMCREST_CORE_JAR in string at 
> ./set_soenv line 1644.
> Global symbol "@HAMCREST_CORE_JAR" requires explicit package name (did 
> you forget to declare "my @HAMCREST_CORE_JAR"?) at ./set_soenv line 1644.
> Execution of ./set_soenv aborted due to compilation errors.

Either disable junit or add --with-hamcrest-core.

This is why the Linux buildbots have been failing recently.


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

configure error

[Patricia Shanahan]

I did an "svn update". Now configure is failing:


*  *
*   Setting up the build environment variables.*
*  *

checking solver path... default
configure: writing config.status
configure: creating ./config.status
config.status: creating set_soenv
config.status: creating Makefile
Possible unintended interpolation of @HAMCREST_CORE_JAR in string at 
./set_soenv line 1644.
Global symbol "@HAMCREST_CORE_JAR" requires explicit package name (did 
you forget to declare "my @HAMCREST_CORE_JAR"?) at ./set_soenv line 1644.

Execution of ./set_soenv aborted due to compilation errors.





-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: upgrading bundled openssl

[Don Lewis]

On 15 Aug, Marcus wrote:
> Am 08/15/2016 10:16 PM, schrieb Don Lewis:
>> I started working on upgrading the bundled version of openssl to 1.0.2h.
>> So far I've discovered that building in on Windows requires nasm.  That
>> will need to be documented in the build requirements / procedures.  I
>> think I need to add a check to configure to look for it and bail out if
>> nasm isn't installed, but I haven't gotten that far yet.  The Windows
>> buildbot will need to have nasm installed.
> 
> puh, so many dependencis and it's still increasing. ;-)
> 
> Thanks for working this out.

I figured out how to make nasm an optional dependency, so the openssl
update commit I just made won't immediately break our Windows buildbot.

The upcoming serf upgrade also has a new dependency issue.  It has
changed to using scons as its build system, which has its own
dependencies, python and m4.  I haven't yet decided what to do about
that.



-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: Release Manager for 4.2.0?

[Patricia Shanahan]

On 8/19/2016 10:41 AM, Kay sch...@apache.org wrote:


On 01/28/2016 04:06 PM, Andrea Pescetti wrote:

As I wrote a few day ago, in theory it would be good to release
OpenOffice 4.2.0 in February. If it happens a bit later it wouldn't be a
big issue, but I believe that, in the constant balance between periods
where we are focused on talks (internal to OpenOffice and with the
enlarged community) and periods where we are more focused on the
OpenOffice product, it's time to start working again towards a release.

For 4.2.0 we need a Release Manager. I would prefer NOT to be the
Release Manager for 4.2.0 since I'm finding that in this period I can
help more productively with tasks that do not require constant
interaction than with tasks that require a constant monitoring of
project channels.

I am surely available to have a significant role in the 4.2.0 release,
especially with getting localization working again (actually, this mail
also serves as announcement that I am going to ask for higher privileges
on the Pootle server in order to check the translation workflow); but if
someone else steps in as a Release Manager we could deliver earlier.

So if anyone is interested feel free to discuss this on list, or to
contact me off-list if you prefer, or to discuss in person at FOSDEM
next weekend!

Regards,
  Andrea.



Hi all--

I am volunteering to be release manager for 4.2.0.  I have been involved
in all the AOO releases since 3.40, and I'm familiar with the process.
Like all of us involved with the project, I am a volunteer. Due to this,
I can not provide an expected release date. Releases, as we know are
community efforts. We'll release when we feel 4.2.0 is ready.

So, I will let this offer stand the weekend just in case someone else
feels they'd LOVE to do this. If we don't have any objections to my
being the next release manager over the next 72 hours, we can get
started next week ironing out what needs to be done. We will need LOTS
of help!


This looks ideal to me. I would like to learn the release processes, and
try to document them as completely as possible. I would prefer to learn
by watching and helping someone who already knows how it is done, than
by jumping in the deep end and splashing about.

I have an agenda of constructing an emergency release procedure but it
will be easier if I can first see how the normal process goes.

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

RE: Ready to setup release build machines?

[Dennis E. Hamilton]

> -Original Message-
> From: Kay Schenk [mailto:kay.sch...@gmail.com]
> Sent: Friday, August 19, 2016 09:09
> To: dev@openoffice.apache.org
> Subject: Re: Ready to setup release build machines?
> 
> 
> 
> On 08/12/2016 12:22 PM, Dennis E. Hamilton wrote:
> > I thought that the basic requirement is that the release manager(s) do
> any builds on a machine under their [exclusive] individual control.
> That also means satisfying baseline requirements for release builds
> though.  That pretty much requires use of a VM if the main development
> system of a release manager is aligned with different tools and
> dependencies.
> 
> I don't find any requirement like this vis a vis building by the release
> manager per se. The release is voted on by the community. So, in a
> sense, building/testing is the responsibility of all who vote on a
> release.
> 
> See: www.apache.org/dev/release-publishing.html
[orcmid] 

That page is rather obsolete.  For example, we have two branches on 
dist.apache.org, one of which is for dev (and where we put release candidates) 
and the other is release where we move any approved candidates.  The dist ... 
release contents are automatically mirrored to archive.apache.org which seems 
to be the proper place to refer to these (although there is mirroring to 
consider, but not for 4.1.2-patch1).

The release page does not address binaries.  I saw the business about where 
official binaries are to be built somewhere and must find it.

Since we put binaries through a form of this process (usually concurrently) 
there does need to be some sort of provenance on those binaries.


> 
> >
> > I am not so certain about putting up shared release-build VMs on non-
> ASF infrastructure though.
> 
> Our "official", "required" release artifact is the source code for a
> release.
> 
> >
> > One advantage to using ASF infrastructure is to bring code signing
> into the fold.  That seems rather important down the road.
> 
> We have been signing ALL release artifacts -- including all the binaries
> -- since AOO 3.4. So code signing of everything we release is already
> part of this process.
[orcmid] 

The use of PGP signatures on our release artifacts is a different matter than 
code signing that is recognized by the operating system and is part of the 
installer, not a detached signature that users must check manually.  The 
signatures I meant are *embedded* in the artifacts, including .msi, .dll, and 
.exe files.

I was thinking of this form of signed installs.  That is a big deal for 
Windows, where the OS will check them automatically, and they are also reported 
in the Properties for the signed artifact.  It also applies to all of the DLLs 
and such that are loaded with the install.  I believe that Andrea has the 
private key that was issued for that but we have not managed to use it to sign 
the code.  This is usually done as part of building distributable binaries.

That private key is precious and is not to be shared.  Ideally, it would belong 
to root@ but I don't think we have a process for that.  

 
> 
> We require a production environment accessible by the release manager
> and helpers because producing distribution binaries in another location
> (seperate developer machine), signing and then uploading ALL the
> binaries to SourceForce by individuals is a horrendous undertaking.
> Ariel Constenla-Haile provided binaries for the 3.4 release and I'm sure
> he can attest to this. If we can set up a production environment under
> ASF infrastructure, of course this would be ideal. But, I see no reason
> why this environment couldn't have shell access by AOO developers who
> are likely to do code signing.
> 
> 
[ ... ]


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: Ready to setup release build machines?

[Kay Schenk]

On 08/12/2016 12:22 PM, Dennis E. Hamilton wrote:
> I thought that the basic requirement is that the release manager(s) do any 
> builds on a machine under their [exclusive] individual control.  That also 
> means satisfying baseline requirements for release builds though.  That 
> pretty much requires use of a VM if the main development system of a release 
> manager is aligned with different tools and dependencies.

I don't find any requirement like this vis a vis building by the release
manager per se. The release is voted on by the community. So, in a
sense, building/testing is the responsibility of all who vote on a release.

See: www.apache.org/dev/release-publishing.html

> 
> I am not so certain about putting up shared release-build VMs on non-ASF 
> infrastructure though. 

Our "official", "required" release artifact is the source code for a
release.

> 
> One advantage to using ASF infrastructure is to bring code signing into the 
> fold.  That seems rather important down the road.

We have been signing ALL release artifacts -- including all the binaries
-- since AOO 3.4. So code signing of everything we release is already
part of this process.

We require a production environment accessible by the release manager
and helpers because producing distribution binaries in another location
(seperate developer machine), signing and then uploading ALL the
binaries to SourceForce by individuals is a horrendous undertaking.
Ariel Constenla-Haile provided binaries for the 3.4 release and I'm sure
he can attest to this. If we can set up a production environment under
ASF infrastructure, of course this would be ideal. But, I see no reason
why this environment couldn't have shell access by AOO developers who
are likely to do code signing.



> 
>  - Dennis 
> 
>> -Original Message-
>> From: Andrea Pescetti [mailto:pesce...@apache.org]
>> Sent: Tuesday, August 9, 2016 10:29
>> To: dev@openoffice.apache.org
>> Subject: Ready to setup release build machines?
>>
>> Seeing the issue from a purely technical point of view (i.e., imagining
>> for a while that there is no cost associated and no Infra around), how
>> far are we from having an "Apache OpenOffice build farm" where we can
>> build releases?
>>
>> Note: this is not a buildbot. Buildbots are meant to check that the
>> build is not broken. They do create install sets, but for example the
>> Linux builds wouldn't be as compatible as the ones we build on CentOS 5.
>> What I mean here is VMs able to build a release.
>>
>> I think that within two-three weekends I could theoretically be able to
>> setup a Linux-based VM host and two KVM-based VMs running CentOS 5 (32
>> and 64 bit) that would be able to build releases and that could have
>> shared access (i.e., not only me but other active PMC members). But this
>> would only cover a small subset of users.
>>
>> What about Windows? Would someone be able, under the same hypothesis, to
>> add a Windows VM to the stack? This would bring us much closer to full
>> coverage.
>>
>> And what about Mac? If I recall correctly, one is tied with Apple
>> hardware for MacOS X. What would be a way to bring Mac builds under
>> "collective" control?
>>
>> Regards,
>>Andrea.
>>
>> -
>> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
>> For additional commands, e-mail: dev-h...@openoffice.apache.org
> 
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org
> 

-- 

MzK

"Time spent with cats is never wasted."
   -- Sigmund Freud

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Re: [PATCH DOWNLOAD] Draft for the hotfix webpage

[Marcus]

Am 08/19/2016 01:09 AM, schrieb Dennis E. Hamilton:



-Original Message-
From: Marcus [mailto:marcus.m...@wtnet.de]
Sent: Thursday, August 18, 2016 14:40
To: dev@openoffice.apache.org
Subject: Re: [PATCH DOWNLOAD] Draft for the hotfix webpage

Am 08/15/2016 11:40 PM, schrieb Dennis E. Hamilton:



-Original Message-
From: Marcus [mailto:marcus.m...@wtnet.de]
Sent: Monday, August 15, 2016 13:43
To: dev@openoffice.apache.org
Subject: Re: [PATCH DOWNLOAD] Draft for the hotfix webpage

Am 08/15/2016 09:10 PM, schrieb Dennis E. Hamilton:



-Original Message-
From: Kay sch...@apache.org [mailto:ksch...@apache.org]
Sent: Monday, August 15, 2016 08:59
To: dev@openoffice.apache.org
Subject: Re: [PATCH DOWNLOAD] Draft for the hotfix webpage

On 08/13/2016 02:16 PM, Marcus wrote:

As we have now the patched library file and Readme for all

platforms,

IMHO not much more is needed to go public with the hotfix.

Therefore

I've created a draft version of the hotfix download webpage:

http://dist.apache.org/repos/dist/dev/openoffice/4.1.2-

patch1/hotfix.html


Please review and tell me your feedback.

[orcmid]

I have a number of items.  I can fix the URLs in (2) below after I

have updated the Windows set.


 1. This is worded as if it is the advisory.  I assume this is,

rather, something that should be linked to from an update of the
advisory.  I request that it be a description of the HotFix.  It

could

link to the advisory, of course.  RECOMMENDATION: Have the emphasis

be

on this describing release of the hotfix for CVE-2016-1513.

OK, seems indeed not clear enough.


 2. Download and Installation.  Currently, this page is at
.  It has *ABSOLUTE* URLs to the binaries and

source

and the various hashes.  WHEN GENERAL DISTRIBUTION OCCURS, this page

and

all of the binaries and source pages will be at

.


Please remember that it's just a draft of what is available at the
moment. ;-) That's why the URLs for source and binaries differ

already.

Of course all URLs will change when everything is available at dist/

and

no longer dev/.

RECOMMENDATION: In the Download&Installation table, make all URLS
*RELATIVE* to the HotFix page, since when it is staged to release and
then to archive, the links will always work.

NOTE. When we make general distribution, we stage the HotFix

HTML page and the binaries subfolder to



using SVN copies.  In 24-48 hours or so that material will show up
automatically on archive.apache.org and we can make the general
distribution announcement.  The dist.apache.org materials can be

removed

when that happens.  WARNING. The Windows material is not ready, and

some

renaming will happen.  That should all be done by the end of Tuesday
(GMT).

The current location of the hotfix webpage is of course is not the

final

one. It will be there where the other webpages are: at w.oo.o.

I've just put it into SVN to have it not yet on the public OO

website.

[orcmid]

LOL.  I thought that is where you wanted to keep it [;<).  Because it

is so specific to this HotFix, I think it would be great to leave it
with the downloads and the archive.apache.org site, but link to it from
openoffice.org.





 3. Next Step under Download and Installation.  The README for

Windows addresses the way to Unzip and provides important information
about how the extract is into a folder of a default-determined name.

I

don't know if the others provide comparable information and/or

operating

from a terminal is assumed.

Yes, more (Linux) or less (Mac) it should be comparable.


 4. How to verify the download&installation.  Verifying the

Zip is

sufficient.  The table does not identify the files those check cases

are

from so it is not at all clear what value this is.  RECOMMENDATION:

If

it is valuable, we should include the additional hashes inside the

Zips,

and provide the size and time stamp information in the individual

README

files.

Yes, right. "Old file" and "New file" is for sure not exact enough

which

file it is about. And the other file-based data can be moved to the
Readme's, too.

   >   That way there is no redundancy and the information is

maintained in

   >   exactly one place.


Ahm, no. ;-) At the moment we have it at a single place. When we

split

it into the 4 Readme's then we have 4 places to maintain.


But at the end you are right. The webpage contains some details that
should be moved to the respective Readme.

I'll finish the changes when I'm back from a trip on Thursday or

Friday.

I want to change my mind:
Let's skip these changes and keep this in mind for the next time. I just
would do the Readme changes - that I've already suggested in a previous
mail - for Mac and both Linux *outside* of the ZIP file.

And then 

Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

[Marcus]

Am 08/19/2016 01:09 AM, schrieb Dennis E. Hamilton:



-Original Message-
From: Keith N. McKenna [mailto:keith.mcke...@comcast.net]
Sent: Thursday, August 18, 2016 14:46
To: q...@openoffice.apache.org; dev@openoffice.apache.org
Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows


[ ... ]

[knmc]
As we move forward to a general distribution here  is an odt revision of
the readme that can be used to generate an html, pdf, or text versions.
All versions are attached but may not come through to the list. They can
all be accessed from the following link.

All feedback is both welcomed and encouraged.

[orcmid]

The .odt and the .txt file come through as attachments.

Do you have specific recommendations about what should be done with these?

I notice that there are problems with the .txt file layout not having hard line 
breaks.  The name changes and dates in 0.2.0 are not reflected.  The .odt also 
needs layout work.  There's too much white space and I have not looked closely 
enough to figure out why.

I know we differ on formatting and some document organization matters.  I am 
not going to address them at this point.

I am going to 1.0.0 now, essentially with the 0.2.0 except for the change of 
version number and removal of the limitation to testing use.  I did the other 
repair you suggested.  I think Marcus is ready on the other binaries, so 
something will happen tomorrow (Friday).

I'm not certain what the final inch is just yet, but it looks like everything 
is ready enough.


I haven't read the updates from Keith yet. But when they have no real 
news and are just formulation and layout updates, then I suggest to let 
us go live with text and binaries we have now.


We can think about to update them after that with no hurry anymore. The 
announcement about the source patch was ~1 month ago. We shouldn't wait 
any longer with the binary patches.


Sorry Keith. ;-)

Marcus


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

FOSDEM hacking

[Patricia Shanahan]

Maybe simplifying the Windows build process for AOO could be a FOSDEM 
hacking challenge?


-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org