Date: prev next · Thread: first prev next last
2023 Archives by date, by thread · List index

Likewise 3 and no obvious pattern regarding their content.


 LibreOffice - Free and open source office suite: LibreOffice Website<>
 Respects your privacy, and gives you back control over your data​
From: James Harking <>
Sent: 29 September 2023 08:03
To: TDF Marketing <>
Subject: Fwd: [libreoffice-marketing] Re: [Libreoffice-qa] ESC meeting agenda: 2023-09-28 16:00 CEST

Is anyone else having a number of TDF mails arriving in their SPAM folder?

I have had 3 recently.


---------- Forwarded message ---------
From: John Mills <>
Date: Thu, 28 Sept 2023, 10:22 pm
Subject: [libreoffice-marketing] Re: [Libreoffice-qa] ESC meeting agenda:
2023-09-28 16:00 CEST
To: <>, Eyal Rozenberg <>, <>
Cc: LibreOffice Promotion <>, <>, TDF Directors <>

Hi Sophie,
I firstly would like to state that I am in no way negating the hard work
the developers make to LibreOffice.
My point is rather that the current model of software releases does not,
from what I can tell, serve to provide a compelling user experience when a
security incident occurs.
I expect that 90+ % of LibreOffice users will now be stuck on an insecure
version of the software. Perhaps Linux users have an advantage if their
distribution provides rolling updates.
However for Mac and Windows users there is no mechanism to inform that a
high priority CVE has been found that potentially impacts their safety
while using LibreOffice. With browser software such as Mozilla Firefox and
Google Chrome I am continuously moved to a patched version.
As a user of Microsoft office 365, for my job, the situation is the same as
my browser. I find the inability with LibreOffice to adequately inform
millions of users that a security vulnerability could compromise their
system very problematic. This could cause significant reputational damage
to The Document Foundation if a very critical security issue was discovered.
I personally would like to see some option to receive security updates
continuously, be that with LibreOffice auto updating like Microsoft office
365 or at the minimum some type of notification within LibreOffice that I
should consider upgrading due to a security vulnerability.
There will be many millions of users who have no knowledge of this issue
and will continue to use versions of LibreOffice that could be many years
old. I believe that TDF has a duty of care to ensure where possible that
our users are running software that is as secure as we know.
Best regards,
Sent from Yahoo Mail on Android

  On Thu, 28 Sept 2023 at 9:24 pm, sophi<> wrote:   Hi
Eyal, John,

Just to give some information on this peculiar episode. The CVE happened
just before the conference where most of the team was traveling, not
easy to do a respin in those conditions.

What Miklos meant is that in the *dev* point of view it was solved, a
fix has been provided thanks to Caolan, that's all developers can do
"they move on to the next issue". So nothing more on their side to talk
about. It doesn't mean they don't care about users, they have done their
job in fixing the issue, the rest is not in their power. It's up to us,
you, me.

Then it's up to release engineering, UX and marketing to act. What RE
did from Monday to today because there was some problem with a Mac version.

We have discussed today inside the team how we could better served our
users when this type of issue emerged. Security is a difficult topic to
talk about, there is not only the fix, but how it's embargoed for other
products, etc.

I think the best way now to go on positively on this is to have a
discussion between marketing, UX and RE: should we have a pop-up in the
product advertising about security fix, should we have a special
communication campaign. Most of the time, there is an embargo and we
release security fixes without communication because of that, what
should we do?

Please, open the discussion on the marketing list, all points of view
and ideas are valuable, but don't shout to our developers, they provided
a fix very quickly, up to us to know how to communicate it now. This was
a new situation that needs to be addressed, your opinion about users is
very much valid, how should we go from there now?


Le 28/09/2023 à 21:36, Eyal Rozenberg a écrit :
I second John's sentiment.

For the vast majority of LibreOffice users, this security problem is
_not_ fixed. And that is because they run versions of LibreOffice with
the vulnerability but without the fix; and have not been made aware of
the vulnerability and the release-with-a-fix.

I would claim that we are responsible to make our users thus aware. Now,
it's true that a user is not likely to allow this particular exploit to
be taken advantage of, since that would mean directing LO at a malicious
.webp somewhere. But - we have over 200 million users IIANM. If
malicious .webp's turn up on the web, it's quite likely some of our
users may do this by mistake; and we would bear some of the
responsibility for the consequences of such an outcome - after we've
told our users that they are in the capable hands of "security experts"
(to quote our website).

Also, what if, next time, the vulnerability is easier to exploit? Do we
even have the mechanism to push at least a warning about the need to
update LO?


PS 1: I have widened the CC of this exchange, as this question relates
to how we present LibreOffice to users; our claims regarding the quality
of this product; and the implicit and explicit guarantees we make to

PS 2: Many of us are not able to attend ESC sessions - in general, and
especially in the middle of a work day. And when this is the case we
send an email asking for relevant issues to be considered. Personally, I
struggle to attend even the design meetings (where I believe I can be of
more use).

On 28/09/2023 11:44, John Mills wrote:
Hello Miklos,

Is it an acceptable statement just to say that "we" move on? Yes, the
issue is now resolved for those people that download the newest version
of LibreOffice. However what about the many millions of users that will
not update or have no idea that they are now susceptible to this high
rated CVE?

This is not a compelling strategy and does not serve the best interests
of these users. I think it is poor for the reputation of LibreOffice and
the Document Foundation that there are many millions of unpatched
instances being used that could negatively impact people like this.

Perhaps this particular CVE is on the scale of things considered not
that critical, however what is the strategy if there was ever an exploit
that significantly impacted LibreOffice? How would this be made known to
our user and corrected?

With best regards,


Sent from Yahoo Mail on Android

    On Thu, 28 Sept 2023 at 8:13 am, Miklos Vajna
    <> wrote:
    Hi Eyal,

    On Wed, Sep 27, 2023 at 08:31:04PM +0300, Eyal Rozenberg
    < <>> wrote:
     > I would like to ask you to discuss the situation with the
recent CVE:

    It was already discussed 2 weeks ago. If you have specific questions,
    please ask on the developer list or take part in the ESC call

    In short: the problem is fixed, it's released, we move on.



Sophie Gautier
GSM: +33683901545
IRC: soph
Foundation coordinator
The Document Foundation

To unsubscribe e-mail to:
Posting guidelines + more:<>
List archive:<>
Privacy Policy:<>

To unsubscribe e-mail to:
Posting guidelines + more:<>
List archive:<>
Privacy Policy:<>

To unsubscribe e-mail to:
Posting guidelines + more:
List archive:
Privacy Policy:


Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.