[Libreoffice] default ODF encryption/checksum algorithms changed in master. Good thing ?

Kohei Yoshida kohei.yoshida at suse.com
Mon Aug 15 06:33:27 PDT 2011


On Mon, 2011-08-15 at 11:05 +0100, Caolán McNamara wrote:
> Since 5dd2784030e00fa1857b30ee8c5da62e221bfd32 (inherited change) the
> default encryption and checksum algorithms used in our .odt export
> changed, e.g. sha1 to sha256. They changed for settings of "ODF >=
> 1.2".
> 
> What it means in practice is that encrypted document exported from >=
> 3.5/3.6 won't be openable in older versions, e.g. <= 3.4
> 
> There is a UseSHA1InODF12 and UseBlowfishInODF12 setting which is
> currently disabled.
> 
> Such a change shouldn't go unnoticed anyway. So...
> a) is this a good thing that should be welcomed, with a "users using
> older version of LibreOffice/OpenOffice.org should upgrade and/or hassle
> their vendors for patched versions with support for these backported"

IMO, we may have to backport this since, if the experience of the 3.4.x
releases is repeated in the 3.5.x releases, we won't reach stabilization
in the first couple of .x releases.  So there will be a period we have
3.4 and 3.5 releases in parallel where we'll be recommending 3.4 over
3.5.

Alternatively, we could provide in 3.5 a way to encrypt it using sha1,
for backward compatibility.  The downside is that sha1 is considered to
be insecure - the very reason ODF has switched to sha256 in the first
place.

Or, we could disable sha256 in the 3.5.x releases until it reaches the
point of stabilization and we start recommending it over 3.4.

But I think, ultimately this would depend on the magnitude of code
change required to backport it to 3.4....

Just my opinion.

Kohei

-- 
Kohei Yoshida, LibreOffice hacker, Calc
<kohei.yoshida at suse.com>



More information about the LibreOffice mailing list