[Libreoffice-qa] ESC meeting agenda: 2023-09-28 16:00 CEST

Eyal Rozenberg eyalroz1 at gmx.com
Fri Sep 29 08:20:27 UTC 2023


The minutes item about the UI/UX aspect of dealing with security
vulnerabilities is something that, in the last design meeting, John and
myself specifically asked to be brought up at the ESC - assuming it
would be part of a larger discussion of this matter. I want to thank
Heiko for bringing the subject up and I'm glad this was discussed, but
Miklos' response suggests that the ESC is considering this as
weakly-related future enhancement rather than part of the response to
the (past and) current vulnerability.

About what we are currently doing:

1. I have not been prompted to upgrade to 7.6.2. Granted, I'm on Linux,
but that's still a significant percentage of our users; have Windows
users been prompted to upgrade? Even if they otherwise don't care about
upgrades?

2. When looking at "Check for updates..." I am told: "LibreOffice 7.6.2
is available" - not even a mention of the security issue, let alone a
warning that an update is highly advisable because of it, a link to
guidance about the vulnerability etc. Most users will probably not
bother: "Why should I switch from 7.6.0.3 to 7.6.2? It's not even a
second-level version number change. My LibreOffice works fine, let's not
waste time on this."

3. So, LibreOffice 7.4 is out of official support. Have old-LO-version
users been warned by the app about the security vulnerability? If not
specifically, have they been actively and intrusively warned on June
12th that they should upgrade LO, to avoid potential security
vulnerabilities? IIANM, the answer is negative.

Note that I am not suggesting we auto-update without user consent. That
is for others to decide (never auto-update, opt-in to auto-update,
auto-update by default with opt-out). But security warnings, while
auto-update is not in effect, are important. Of course some people might
want to opt out of any call-home behavior, even for security warnings,
and that should be respected as well.

Eyal

On 29/09/2023 10:52, Xisco Fauli wrote:
> Hello,
>
> This particular issue only affects users using LibreOffice 7.4,
> LibreOffice 7.5 and LibreOffice 7.6 since the Webp support was added in
> LibreOffice 7.4. See https://wiki.documentfoundation.org/ReleaseNotes/7.4
>
> For those users still using LibreOffice 7.4, the official support of
> this branch ended on June 12, 2023 (see
> https://wiki.documentfoundation.org/ReleasePlan/7.4 ), so if they are
> still using it, we can't force them to upgrade their version to a newer
> one. They have been suggested to upgrade it for a while now, even before
> this vulnerability was known.
>
> For 7.5 and 7.6 users, the autoupdater has already been bumped to 7.5.7
> and 7.6.2 respectively, so users will be suggested to upgrade the next
> time they launch LibreOffice. It's also up to them to upgrade it or not.
> Marketing is also spreading the word in different channels about the
> importance of this release ( see
> https://blog.documentfoundation.org/blog/2023/09/26/lo-762-and-lo-757/ )
>
> For the future, it's possible there will be an automatic updater
> mechanism in place, see the ESC minutes from yesterday (
> https://lists.freedesktop.org/archives/libreoffice/2023-September/091022.html "The UI/UX aspect of how to deal with security vulnerabilities" topic)
>
> Regards
>
> On 28/9/23 23:26, Eyal Rozenberg wrote:
>> But Sophie, from the dev point of view, the problem is actually not
>> solved - until LO has a mechanism for pushing intrusive notifications of
>> required critical updates (with an opt-out for people who don't want
>> that). Some might disagree with this position, but it is certainly a
>> matter for discussion in the ESC.
>>
>> Also, the ESC has not mapped out for us the potential for exploiting the
>> vulnerability with LO (with and without "social engineering" of user
>> behavior). While that is not critical, it would be useful both for
>> identifying, retroactively, LO exploitation as the culprit in case of
>> actual malicious intrusions; and for those rare cases where an upgrade
>> is impossible for some reason.
>>
>> Eyal
>>
>> On 28/09/2023 23:23, sophi wrote:
>>> Hi Eyal, John,
>>>
>>> Just to give some information on this peculiar episode. The CVE happened
>>> just before the conference where most of the team was traveling, not
>>> easy to do a respin in those conditions.
>>>
>>> What Miklos meant is that in the *dev* point of view it was solved, a
>>> fix has been provided thanks to Caolan, that's all developers can do
>>> "they move on to the next issue". So nothing more on their side to talk
>>> about. It doesn't mean they don't care about users, they have done their
>>> job in fixing the issue, the rest is not in their power. It's up to us,
>>> you, me.
>>>
>>> Then it's up to release engineering, UX and marketing to act. What RE
>>> did from Monday to today because there was some problem with a Mac
>>> version.
>>>
>>> We have discussed today inside the team how we could better serve our
>>> users when this type of issue emerges. Security is a difficult topic to
>>> talk about: there is not only the fix, but how it's embargoed for other
>>> products, etc.
>>>
>>> I think the best way now to go on positively on this is to have a
>>> discussion between marketing, UX and RE: should we have a pop-up in the
>>> product advertising about security fix, should we have a special
>>> communication campaign. Most of the time, there is an embargo and we
>>> release security fixes without communication because of that, what
>>> should we do?
>>>
>>> Please, open the discussion on the marketing list, all points of view
>>> and ideas are valuable, but don't shout to our developers, they provided
>>> a fix very quickly, up to us to know how to communicate it now. This was
>>> a new situation that needs to be addressed, your opinion about users is
>>> very much valid, how should we go from there now?
>>>
>>> Cheers
>>> Sophi
>>>
>>> On 28/09/2023 at 21:36, Eyal Rozenberg wrote:
>>>> I second John's sentiment.
>>>>
>>>> For the vast majority of LibreOffice users, this security problem is
>>>> _not_ fixed. And that is because they run versions of LibreOffice with
>>>> the vulnerability but without the fix; and have not been made aware of
>>>> the vulnerability and the release-with-a-fix.
>>>>
>>>> I would claim that we are responsible to make our users thus aware.
>>>> Now, it's true that a user is not likely to allow this particular
>>>> exploit to be taken advantage of, since that would mean directing LO
>>>> at a malicious .webp somewhere. But - we have over 200 million users
>>>> IIANM. If malicious .webp's turn up on the web, it's quite likely some
>>>> of our users may do this by mistake; and we would bear some of the
>>>> responsibility for the consequences of such an outcome - after we've
>>>> told our users that they are in the capable hands of "security experts"
>>>> (to quote our website).
>>>>
>>>> Also, what if, next time, the vulnerability is easier to exploit? Do we
>>>> even have the mechanism to push at least a warning about the need to
>>>> update LO?
>>>>
>>>>
>>>> Eyal
>>>>
>>>> PS 1: I have widened the CC of this exchange, as this question relates
>>>> to how we present LibreOffice to users; our claims regarding the
>>>> quality of this product; and the implicit and explicit guarantees we
>>>> make to users.
>>>>
>>>> PS 2: Many of us are not able to attend ESC sessions - in general, and
>>>> especially in the middle of a work day. And when this is the case we
>>>> send an email asking for relevant issues to be considered.
>>>> Personally, I struggle to attend even the design meetings (where I
>>>> believe I can be of more use).
>>>>
>>>> On 28/09/2023 11:44, John Mills wrote:
>>>>> Hello Miklos,
>>>>>
>>>>> Is it an acceptable statement just to say that "we" move on? Yes, the
>>>>> issue is now resolved for those people that download the newest
>>>>> version of LibreOffice. However what about the many millions of users
>>>>> that will not update or have no idea that they are now susceptible to
>>>>> this high rated CVE?
>>>>>
>>>>> This is not a compelling strategy and does not serve the best
>>>>> interests of these users. I think it is poor for the reputation of
>>>>> LibreOffice and the Document Foundation that there are many millions
>>>>> of unpatched instances being used that could negatively impact people
>>>>> like this.
>>>>>
>>>>> Perhaps this particular CVE is on the scale of things considered not
>>>>> that critical, however what is the strategy if there was ever an
>>>>> exploit that significantly impacted LibreOffice? How would this be
>>>>> made known to our user and corrected?
>>>>>
>>>>> With best regards,
>>>>>
>>>>> John
>>>>>
>>>>>
>>>>>     On Thu, 28 Sept 2023 at 8:13 am, Miklos Vajna
>>>>>     <vmiklos at collabora.com> wrote:
>>>>>     Hi Eyal,
>>>>>
>>>>>     On Wed, Sep 27, 2023 at 08:31:04PM +0300, Eyal Rozenberg
>>>>>     <eyalroz1 at gmx.com> wrote:
>>>>>      > I would like to ask you to discuss the situation with the
>>>>>      > recent CVE:
>>>>>      > https://bugs.documentfoundation.org/show_bug.cgi?id=157231
>>>>>
>>>>>     It was already discussed 2 weeks ago. If you have specific
>>>>>     questions, please ask on the developer list or take part in the
>>>>>     ESC call yourself.
>>>>>
>>>>>     In short: the problem is fixed, it's released, we move on.
>>>>>
>>>>>
>>>>>     Regards,
>>>>>
>>>>>     Miklos
>>>>>
>>>