Issue 127065 - [TESTING] Applying openoffice-4.1.2-patch1 for Windows
Summary: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
Status: CLOSED FIXED
Alias: None
Product: Security
Classification: Unclassified
Component: code (show other issues)
Version: unspecified
Hardware: All Windows, all
: P5 (lowest) Major
Target Milestone: ---
Assignee: orcmid
QA Contact:
URL: https://dist.apache.org/repos/dist/de...
Keywords: needhelp, security
Depends on:
Blocks:
 
Reported: 2016-08-04 17:16 UTC by orcmid
Modified: 2017-05-20 09:20 UTC (History)
1 user (show)

See Also:
Issue Type: TASK
Latest Confirmation in: ---
Developer Difficulty: ---


Attachments
0.0.0 ALPHA initial 4.1.2-patch1 README for Windows (11.37 KB, text/plain)
2016-08-04 17:22 UTC, orcmid
no flags Details
2016-08-03 Feedback from Pedro Lino (25.35 KB, application/vnd.oasis.opendocument.text)
2016-08-04 17:28 UTC, orcmid
no flags Details
2016-08-04 Feeback from Keith N. McKenna (18.43 KB, application/vnd.oasis.opendocument.text)
2016-08-04 17:59 UTC, orcmid
no flags Details
0.0.1 ALPHA updated 4.1.2-patch1 README for Windows (11.12 KB, text/plain)
2016-08-08 16:53 UTC, orcmid
no flags Details
0.1.0 BETA updated 4.1.2-patch1 README for Windows (14.90 KB, text/plain)
2016-08-12 21:44 UTC, orcmid
no flags Details

Note You need to log in before you can comment on or make changes to this issue.
Description orcmid 2016-08-04 17:16:48 UTC
This is for refinement of the README and the procedure for applying, confirming, and possibly reverting the DLL.  It is created here to provide a single place to track and advance the improvements until the procedure is given general distribution.  at that time, the material will be removed and the URL for locating it will change.

 - - - - - Original Request - - - - 

Testing of an Apache OpenOffice 4.1.2-patch1 procedure is requested.

The files to be used in testing are at 
<https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/Windows>.

The files to be tested and reviewed are

 * README-4.1.2-patch1-apply-Windows.txt
   The description of the procedure for applying a corrected
   library file to installed copies of Apache OpenOffice 4.1.2
   on Windows.  Read this first before deciding to download
   the Zip file and attempting the procedure.

 * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
   The Zip archive containing the files to be used in the
   procedure.  There is a copy of the README within the
   archive as well.

 * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
 * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.md5
 * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.sha256
   Files that provide a digital signature, an MD5 hash,
   and an SHA256 hash that can be used to verify the 
   integrity of the download and, in the case of the 
   digital signature, the authenticity and accuracy of
   the download.  

REQUESTED TESTING

 * [OPTIONAL] If you are able to check any of the .asc, 
   .md5, and .sha256 files against the .zip, report any 
   difficulties that may have been encountered.  

 * If you performed the procedure, report 
    * the version of Microsoft Windows and the type of 
      account used (administrator or standard user).
    * report whether the procedure succeeded 
    * if the procedure failed or met with difficulties,
      please summarize the problems and how you over-
      came any of them

 * [IMPORTANT] Identify any missing, incomplete or 
   confusing information in the README.  Describe what you 
   see as important improvements before making general
   release of the procedure for use by non-expert users of
   Apache OpenOffice on Windows.

The goal is to provide as much as we can to assist Windows users in applying this fix with confidence and success.  The experience of more-knowledgable users who appreciate the difficulties of non-experts is important in achieving that.

Thank you for any effort you invest and the feedback you provide.
Comment 1 orcmid 2016-08-04 17:22:23 UTC
Created attachment 85629 [details]
0.0.0 ALPHA initial 4.1.2-patch1 README for Windows

This is the original 0.0.0 README-4.1.2-patch1-apply-Windows.txt

(The version is not in the filename, but is in a line above the title in the text file.)
Comment 2 orcmid 2016-08-04 17:28:43 UTC
Created attachment 85630 [details]
2016-08-03 Feedback from Pedro Lino

This attachment and the following email message were received from Pedro Lino:

 - - - - - - - - -

	REQUESTED TESTING
	
	 * [OPTIONAL] If you are able to check any of the .asc,
	   .md5, and .sha256 files against the .zip, report any
	   difficulties that may have been encountered.
	


Checked md5 and sha256. No problem. Assuming advanced users will be doing this, they probably have the tools to check. Such tool is not included in any program included in the Windows OS.

 


	 * If you performed the procedure, report
	    * the version of Microsoft Windows and the type of
	      account used (administrator or standard user).
	    * report whether the procedure succeeded
	    * if the procedure failed or met with difficulties,
	      please summarize the problems and how you over-
	      came any of them
	


Tested under Windows 7 x64 SP1 using an admin account. Procedure was successful. I would recommend to rename the file from dll.new to dll in the unzip folder (step 16) and _after_ that copy it to \OpenOffice 4\program\ (step 15)

This allows the file to retain the date. If the file is renamed after moving to \OpenOffice 4\program\ it will change date/time to the current date/time.(Obviously the Created date is not modified but from a user perspective that is not evident)

Following the same logic, it would be wiser to copy tl.dll.old to the patch folder (or any non-system folder) and if needed rename the file to tl.dll _before_ copying to \OpenOffice 4\program\ when reverting the patch.

 


	 * [IMPORTANT] Identify any missing, incomplete or
	   confusing information in the README.  Describe what you
	   see as important improvements before making general
	   release of the procedure for use by non-expert users of
	   Apache OpenOffice on Windows.
	


There are some typos (and a confusing sentence) in the readme file. Please check the attached ODT (created with the patched AOO)

Hope this helps,

Pedro
Comment 3 orcmid 2016-08-04 17:35:21 UTC
(In reply to orcmid from comment #2)
> Created attachment 85630 [details]
> 2016-08-03 Feedback from Pedro Lino
> 
> This attachment and the following email message were received from Pedro
> Lino:
> 
>  - - - - - - - - -
> 
> 	REQUESTED TESTING
> 	
> 	 * [OPTIONAL] If you are able to check any of the .asc,
> 	   .md5, and .sha256 files against the .zip, report any
> 	   difficulties that may have been encountered.
> 
> Checked md5 and sha256. No problem. Assuming advanced users will be doing
> this, they probably have the tools to check. Such tool is not included in
> any program included in the Windows OS.
> 
> 	 * If you performed the procedure, report
> 	    * the version of Microsoft Windows and the type of
> 	      account used (administrator or standard user).
> 	    * report whether the procedure succeeded
> 	    * if the procedure failed or met with difficulties,
> 	      please summarize the problems and how you over-
> 	      came any of them
> 
> Tested under Windows 7 x64 SP1 using an admin account. Procedure was
> successful. I would recommend to rename the file from dll.new to dll in the
> unzip folder (step 16) and _after_ that copy it to \OpenOffice 4\program\
> (step 15)
> 
> This allows the file to retain the date. If the file is renamed after moving
> to \OpenOffice 4\program\ it will change date/time to the current
> date/time.(Obviously the Created date is not modified but from a user
> perspective that is not evident)
> 
> Following the same logic, it would be wiser to copy tl.dll.old to the patch
> folder (or any non-system folder) and if needed rename the file to tl.dll
> _before_ copying to \OpenOffice 4\program\ when reverting the patch.

I did not notice the date change situation when I applied the procedure.  I think the date is preserved in the File Explorer listing. I will double-check the date business.

> 	 * [IMPORTANT] Identify any missing, incomplete or
> 	   confusing information in the README.  Describe what you
> 	   see as important improvements before making general
> 	   release of the procedure for use by non-expert users of
> 	   Apache OpenOffice on Windows.
> 	
> There are some typos (and a confusing sentence) in the readme file. Please
> check the attached ODT (created with the patched AOO)

Thank you, Pedro.

Thanks for the spell-checking too!  

Yes, the comment about quickstarter was misplaced and should go where there is mention of turning it off.

> 
> Hope this helps,
> 
> Pedro







I also note that 

 * there are two list items (3) in the procedure.  That will be corrected.

 * the final location of the material is incorrect, and that will be repaired also.

 - Dennis

PS: The .odt attachment appears on the qa@ list mailings and that archive.  I think it may be good to create a bugzilla issue on this testing so anyone can post and also access attachments.  I will do that today.
Comment 4 orcmid 2016-08-04 17:45:25 UTC
2016-08-03 Feedback from Keith N. McKenna [some repetition of text from the [TESTING] request abridged].

 - - - - - - - - - - - - -

> REQUESTED TESTING
> 
> * [OPTIONAL] If you are able to check any of the .asc, .md5, and
> .sha256 files against the .zip, report any difficulties that may have
> been encountered.
> 
[knmc]
checked the zip against all of the signatures with the following results:
.md5 matched
.sha256 matched
.asc failed with error not enough information to verify signature.

> * If you performed the procedure, report * the version of Microsoft
> Windows and the type of account used (administrator or standard
> user). * report whether the procedure succeeded * if the procedure
> failed or met with difficulties, please summarize the problems and
> how you over- came any of them
> 
[knmc]
performed the procedure successfully on Windows 7 home premium 64 bit
using an administrator account.
Also performed the procedure successfully on the same system using an
standard user account. This was however tedious as most of the steps to
apply the patched .dll required entering the administrator password.

> * [IMPORTANT] Identify any missing, incomplete or confusing
> information in the README.  Describe what you see as important
> improvements before making general release of the procedure for use
> by non-expert users of Apache OpenOffice on Windows.
> 
[knmc]
In section 10 of the procedure section the line "Open the folder
selected in step (7)" should read "Open the folder selected in step (8)"

On the whole I found the README difficult to follow with information out
of sequence and extraneous information such as not accepting help from
unsolicited phone calls. Not bad information, just out of place in a
process document. Now that I have some available time I will get out my
"blue pencil" and mark-up the document.

One improvement for the average user would be to automate the process
with a .bat file that could find the proper folders and do the copy and
rename procedures.

> The goal is to provide as much as we can to assist Windows users in
> applying this fix with confidence and success.  The experience of
> more-knowledgable users who appreciate the difficulties of
> non-experts is important in achieving that.
> 
[ ... ]
Comment 5 orcmid 2016-08-04 17:49:22 UTC
(In reply to orcmid from comment #4)
> 2016-08-03 Feedback from Keith N. McKenna [some repetition of text from the
> [TESTING] request abridged].
> 
>  - - - - - - - - - - - - -
> 
> > REQUESTED TESTING
> > 
> > * [OPTIONAL] If you are able to check any of the .asc, .md5, and
> > .sha256 files against the .zip, report any difficulties that may have
> > been encountered.
> > 
> [knmc]
> checked the zip against all of the signatures with the following results:
> .md5 matched
> .sha256 matched
> .asc failed with error not enough information to verify signature.

Had you installed my PGP key (in the current KEYS file)?  
How did you download the .asc file?

[ ... ]
> [knmc]
> In section 10 of the procedure section the line "Open the folder
> selected in step (7)" should read "Open the folder selected in step (8)"
> 
> On the whole I found the README difficult to follow with information out
> of sequence and extraneous information such as not accepting help from
> unsolicited phone calls. Not bad information, just out of place in a
> process document. Now that I have some available time I will get out my
> "blue pencil" and mark-up the document.

Note that someone has already spell-checked the document and I will do so in the future.

And all suggestions are welcome.

> 
> One improvement for the average user would be to automate the process
> with a .bat file that could find the proper folders and do the copy and
> rename procedures.

Oh duhhhhhhhhhh!

Yes, there is no reason a .bat file can't be included in the package.  With "Run as Administrator" that should also relieve the pain for folks on non-Administrator accounts who are able to provide/select administrator credentials.

I would leave the longer instructions, perhaps in an Appendix, for those who prefer the manual procedure or who otherwise have reservations/problems about running a script.

Something to work on over the next day or two while also gaining more results from the current testing.

> 
> > The goal is to provide as much as we can to assist Windows users in
> > applying this fix with confidence and success.  The experience of
> > more-knowledgable users who appreciate the difficulties of
> > non-experts is important in achieving that.
> > 
> [ ... ]
Comment 6 orcmid 2016-08-04 17:59:24 UTC
Created attachment 85631 [details]
2016-08-04 Feeback from Keith N. McKenna

More feedback, with markup, from Keith N. McKenna
Repetition of material from previous notes abridged

 - - - - - - - - - - - - - - - - - -

Dennis E. Hamilton wrote:

>> -----Original Message----- From: Keith N. McKenna
[ ... ]
>> [knmc] checked the zip against all of the signatures with the
>> following results: .md5 matched .sha256 matched .asc failed with
>> error not enough information to verify signature.
> [orcmid]
> Had you installed my PGP key (in the current KEYS file)?
[knmc]
I imported the entire KEYS from the link provided.
[/knmc]
> How did you download the .asc file?
I used the .asc file from the zip archive.
The problem was that your key has not been certified by anyone. I
changed the owner trust in Kleopatra for your key to require only one
certification and then certified your key with mine. Once I did that the
check passed fine.
[/knmc]
>> [knmc] In section 10 of the procedure section the line "Open the
>> folder selected in step (7)" should read "Open the folder selected
>> in step (8)"
>> 
>> On the whole I found the README difficult to follow with
>> information out of sequence and extraneous information such as not
>> accepting help from unsolicited phone calls. Not bad information,
>> just out of place in a process document. Now that I have some
>> available time I will get out my "blue pencil" and mark-up the
>> document.
> [orcmid]
> 
> Note that someone has already spell-checked the document and I will
> do so in the future.
> 
> And all suggestions are welcome.
> 
[knmc]
I have also included an odt version of the document with recorded
changes, both some spell checking changes, moving some things around,
and other suggested changes.
[/knmc]
>> 
>> One improvement for the average user would be to automate the
>> process with a .bat file that could find the proper folders and do
>> the copy and rename procedures.
> [orcmid]
> 
> Oh duhhhhhhhhhh!
> 
> Yes, there is no reason a .bat file can't be included in the package.
> With "Run as Administrator" that should also relieve the pain for
> folks on non-Administrator accounts who are able to provide/select
> administrator credentials.
> 
> I would leave the longer instructions, perhaps in an Appendix, for
> those who prefer the manual procedure or who otherwise have
> reservations/problems about running a script.
> 
[knmc]
Let me try my hand at rewriting the manual instructions. I used to write
process sheets for a living be interesting to see if my engineering
skills are still up to the task.
[/knmc]

[ ... ]
Comment 7 orcmid 2016-08-04 20:51:14 UTC
(In reply to orcmid from comment #6)
> Created attachment 85631 [details]
> 2016-08-04 Feeback from Keith N. McKenna
> Dennis E. Hamilton wrote:
> > Had you installed my PGP key (in the current KEYS file)?
> [knmc]
> I imported the entire KEYS from the link provided.
> [/knmc]
> > How did you download the .asc file?
> I used the .asc file from the zip archive.
> The problem was that your key has not been certified by anyone. I
> changed the owner trust in Kleopatra for your key to require only one
> certification and then certified your key with mine. Once I did that the
> check passed fine.
> [/knmc]

That is an ordinary situation.  If the certificate is not trusted by the person who is checking with it, and it is not trusted by enough people in that individuals Web-of-Trust (WoT), it will show that the certificate is not trusted or is not fully trusted.

So long as the signature verifies, the remaining question is how much the person does the checking trusts that the certificate is from a known party.  

For all of use who have signed files as part of the 4.1.2-patch1 work, this will happen.  One way to confirm that it is signed by a project committer is to find the person with specified @apache.org email address on this list:
<http://people.apache.org/keys/committer/>.  Then match the fingerprint there with the fingerprint of the certificate used to verify the signature.

Given a particular Apache ID (the name in name@apache.org) one can also look up that ID at <http://people.apache.org/phonebook.html> for the committer name, and then more information.

This is probably not something that should be in the README, but it would be handy to have something about it on the WikiMedia or elsewhere.
Comment 8 orcmid 2016-08-05 17:43:07 UTC
(In reply to orcmid from comment #7)
[ ... Concerning what happens when a .asc signature file is verified]
> So long as the signature verifies, the remaining question is how much the
> person does the checking trusts that the certificate is from a known party.  
> 
> For all of use who have signed files as part of the 4.1.2-patch1 work, this
> will happen.  One way to confirm that it is signed by a project committer is
> to find the person with specified @apache.org email address on this list:
> <http://people.apache.org/keys/committer/>.  Then match the fingerprint
> there with the fingerprint of the certificate used to verify the signature.
> 
> Given a particular Apache ID (the name in name@apache.org) one can also look
> up that ID at <http://people.apache.org/phonebook.html> for the committer
> name, and then more information.
> 
> This is probably not something that should be in the README, but it would be
> handy to have something about it on the WikiMedia or elsewhere.

Carl Marcum did more digging into the signature checking.  He is working with command-line gpg software and actions such as certifying that one trusts in the identity of the person who has the key used for signing are in that context.

This is very much a side topic and very specialized.  It does figure in what is the practice at the ASF in establishing both integrity and authenticity of a download.

> -----Original Message-----
> From: Carl Marcum [mailto:cmarcum@apache.org]
> Sent: Friday, August 5, 2016 03:30
> To: dev@openoffice.apache.org
> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
> On 08/04/2016 06:52 PM, Marcus wrote:
> > Am 08/05/2016 12:26 AM, schrieb Kay Schenk:
> >> On 08/04/2016 02:21 PM, Marcus wrote:
[ ... ]
> >>>>    * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
> >>>
> >>> I don't know if this is OK or still bad:
> >>>
> >>> gpg --verify apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
> >>> apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
> >>> gpg: Signature made Tue 02 Aug 2016 06:24:08 AM CEST using RSA key
> ID
> >>> D456628A
> >>> gpg: Good signature from "keybase.io/orcmid (confirmed identifier)
> >>> <orcmid@keybase.io>"
> >>> gpg:                 aka "orcmid (Dennis E.
> Hamilton)<orcmid@msn.com>"
> >>> gpg:                 aka "orcmid Apache (code
> >>> signing)<orcmid@apache.org>"
> >>> gpg:                 aka "Dennis E. Hamilton (orcmid)
> >>> <dennis.hamilton@acm.org>"
> >>> gpg: WARNING: This key is not certified with a trusted signature!
> >>> gpg:          There is no indication that the signature belongs to
> the
> >>> owner.
> >>
> >> I get this on sig checks also. There's probably a step we're missing
> to
> >> specify "trust" locally.
> >>
> >> See:
> >> http://www.apache.org/dev/release-signing.html
> >
> 
> signing Dennis' key locally worked for me.
> On Linux I use:
> gpg --default-key 9553BF9A --sign-key D456628A
> 
> If the key you want to sign it with is already the default key you can
> omit the "--default-key 9553BF9A" part.
> Sometimes you may have to prefix the ID's with "0x" to denote hex.
> 
> If you trust this is Dennis' key you can send his key back with your sig
> now attached and it will have more trust.
> gpg --send-key 0xD456628A
> 
> If a few people do it the warning should go away. Web-of-trust  :)
> 
> Carl
[orcmid] 

The warning will go away for us who have created a mutual Web-of-Trust but it won't help those who are not in that circle or have not somehow determined to trust in it themselves.  This is still useful advice about how to do it.

PS: I don't think the dist-level KEYS file is updated automatically, so the release KEYS set needs to be refreshed to work.  (We can check that by waiting for a while to see if Carl's trust of Dennis's key shows up.)
Comment 9 orcmid 2016-08-08 16:53:43 UTC
Created attachment 85636 [details]
0.0.1 ALPHA updated 4.1.2-patch1 README for Windows

This is the replacement README that is now included at the download location and in the Zip package at <https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/Windows>.  Only the README has changed.

Here are the additional comments that accompany the announcement of this change for QA and developer testing.

 - - - - - - - - - - - -

Alpha version 0.0.1 of README-4.1.2-patch1-apply-Windows.txt has been introduced into the files (and the .zip) at 
<https://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/Windows>.

This version reflects suggestions by Marcus Lange, Pedro Lino, and Keith McKenna.  Suggestions that are not (yet) implemented will be discussed in replies to their messages and on the bugzilla issue at 
<https://bz.apache.org/ooo/show_bug.cgi?id=127065>.


By its nature, this material is intended for users operating on Windows.  In some cases, incompatible forms are used on the Subversion server where the above files are situated.  Version 0.0.1 attempts to accommodate for this incompatibility.  In continuing to verify the procedure, please indicate whether there are (now) difficulties using the text files, especially on Windows.

Users of Linux systems may have difficulties with some utilities for which the Windows versions of the same tool (e.g., md5sum) do not produce Linux-acceptable line endings.  It is useful to know if that is still the case.  The files have been confirmed to be usable using the utilities built for use on Windows.

For future versions, the use of HTML instead of text will be considered.  HTML does not have white-space incompatibility problems across different platforms. The HTML will also be digitally-signed as a means of verifying its authenticity.

In addition to possibly using HTML as a better form for cross-platform use of text, attention will now move toward introducing scripts that automatically apply the change, replacing all of steps 9-18.

Meanwhile, it is valuable to continue testing that the replacement file produces no regression or introduction of any defects not seen using an unmodified Apache OpenOffice 4.1.2.
Comment 10 orcmid 2016-08-12 21:44:07 UTC
Created attachment 85637 [details]
0.1.0 BETA updated 4.1.2-patch1 README for Windows

The Beta level for 4.1.2-patch1 on Windows now includes scripts for automatically applying the patch and also backing-out the patch if necessary.

The files are still available at 
http://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/Windows

and will continue to be improved there until general distribution occurs.

Here is the text of the message announcing the 0.1.0 BETA:

 - - - - - - - - - - -

BETA 0.1.0 WITH AUTOMATED SCRIPTS IS NOW AVAILABLE

The scripts make life much easier, since users don't have to go hunting for anything and digging around in operating-system locations.

You should be able to go through the procedure that uses the automated steps pretty easily.

It is very important to know the difficulties that arise or whether there were none.

The material is available at 
<http://dist.apache.org/repos/dist/dev/openoffice/4.1.2-patch1/binaries/Windows>.

 - Dennis



> -----Original Message-----
> From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org]
> Sent: Wednesday, August 10, 2016 18:01
> To: dev@openoffice.apache.org
> Cc: qa@openoffice.apache.org
> Subject: RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
> Beta version 0.1.0 is now nearing completion.
> 
> It will include two scripts, one for applying the patch, the other for
> reverting the patch.
> 
> The .zip will also have a copy of the original 4.1.2 tl.dll as well as
> the new one.  These are used in the procedures to verify the files that
> are present in the OpenOffice configuration in order to apply the patch
> and also to remove it.
> 
> Next steps:
>  * Additional path testing of the two scripts and verification that
> operation on Windows XP and on Windows 10 work as expected.
[orcmid] 

Done
 
It is also much easier to work through the patch checks using the scripts.
> 
>  * Updating of the README to reflect the availability of the batch-file
> scripts as well as the manual procedure if ever needed.
[orcmid] 

Done

> 
>  * Although the Zips already carry executable code (i.e., DLLs) there
> may be some Antivirus push-back where the policy is to not allow .zip
> files with scripts in them.  The README will also have to address that
> possibility.
[orcmid] 

I forgot that at the last minute.  I will put that into the next version.  Meanwhile, those who check these procedures should report any AV objections they ran into.

 - - - - - - - - - - - -
Comment 11 Marcus 2017-05-20 09:20:40 UTC
The patch was already distributed and is also included in release 4.1.3.