Interview Apache OpenOffice 4.1.4 finally shipped on October 19, five months later than intended, but the software is still a bit buggy.
The resource-starved open-source project had been looking to release the update around Apache Con in mid-May, but missed the target, not altogether surprising given persistent concerns about a lack of community enthusiasm and resources for the productivity suite.
Among those working on the project, there's awareness things could be better. "I believe the 4.1.4 shows us, that we have to do a better job in QA," observed AOO contributor Raphael Bircher in a developer mailing list post.
A followup comment by Patricia Shanahan touches on the scarcity of development talent available to the project. "I don't like the idea of changes going out to millions of users having only been seriously examined by one programmer – even if I'm that programmer," Shanahan wrote, adding that more active programmers are needed on the security team.
Version 4.1.4 did fix four security vulnerabilities, and that's one less than the five that appear to be outstanding for the software, based on two reported in the November 2016 minutes of Apache Foundation Board of Directors' meeting and three reported in the April 2017 minutes.
However, the math adds up once you remove one reported issue that turned out not to be a problem.
"Those numbers represent the total number of reports (valid and invalid) received for each project," said Mark Thomas, a member of the Apache Software Foundation security team, in an email to The Register. "Not all reports are valid so it is expected that the number of issues announced is lower."
The four fixes, published a week after the release announcement, were:
- CVE-2017-3157: Arbitrary file disclosure in Calc and Writer
- CVE-2017-9806: Out-of-Bounds Write in Writer's WW8Fonts Constructor
- CVE-2017-12607: Out-of-Bounds Write in Impress' PPT Filter
- CVE-2017-12608: Out-of-Bounds Write in Writer's ImportOldFormatStyles
Asked whether the AOO has enough people looking at its code to keep it secure, Thomas said there's nothing about the project that causes him grave concern.
"Open source projects always want more resources," said Thomas during a phone interview. "They never have enough. From a board point of view, the criteria we look at are whether there are three or more active PMC [Project Management Committee] members, because that's the minimum number to vote a release out the door."
Thomas said that while AOO is not the most active Apache Software Foundation project, neither is it the least active. And he observed that the project has been recruiting more contributors. He considers the 4.1.4 release to be a sign that AOO can still deliver.
But that also means a significant number of people – 77,000-plus, according to SourceForge stats – have downloaded the macOS version which contains a significant bug: if Apache OpenOffice is used to create a diagram in a Calc spreadsheet, the file becomes corrupted when saved.
The project developers have been discussing how to handle the issue for the past two weeks.
Concerns about the state of AOO appear to be what in August prompted Brett Porter, Apache Software Foundation chairman at the time, to ask whether it would be an option in a planned statement about the state of AOO to "discourage downloads"?
That's not generally a goal among software developers unless things are very bad indeed.
Yet, according to Jim Jagielski, a member of the Apache OpenOffice Project Management Committee, things are better than naysayers suggest.
"There is renewed interest and involvement in the project," he said in an email to The Register. "To be honest, part of the issue has been that many involved with the project have had to spend a lot of time and resources 'fighting' the ongoing FUD related to AOO, which meant limited time in doing development. As you can see, we are pushing 4.1.4 and are working on test builds of 4.2.0 for Linux, Windows and macOS."
Jagielski said those working on the project hope to maintain support for older platform versions that have been abandoned by other office suites. "Of course, this also means maintaining older build systems and platforms," he said. "But we think it is worth it."
Beyond releasing 4.1.4, Jagielski said the project team is documenting its build environment and streamlining its release cycle.
Is it time to unplug frail OpenOffice's life support? Apache Project asked to mull it overREAD MORE
As for the macOS bug, it's proving to be a challenge to fix.
"Unfortunately, the build-fix that addresses this regression caused another," Jagielski explained. "Again, this is due to AOO trying to maintain backwards compatibility with very old versions of OS X (10.7!) and sometimes small variations in libraries can cause some weird interactions."
While AOO and the ASF formulate a formal statement of direction for the project, Jagielski said more or less that all's well.
"AOO is not, and isn't designed to be, the 'super coolest open source office suite with all the latest bells and whistles,'" Jagielski continued. "Our research shows that a 'basic,' functional office suite, which is streamlined with a 'simple' and uncluttered, uncomplicated UI, serves an incredible under-represented community.
"Other office suites are focusing on the 'power user' which is a valuable market, for sure, but the real power and range for an open-source office suite alternative is the vast majority which is the 'rest of us. Sometimes we all forget how empowering open source is to the entire world." ®
Sponsored: Ransomware has gone nuclear