On Mon, 2011-08-15 at 11:05 +0100, Caolán McNamara wrote:
> Since 5dd2784030e00fa1857b30ee8c5da62e221bfd32 (inherited change) the
> default encryption and checksum algorithms used in our .odt export
> changed, e.g. sha1 to sha256. They changed for settings of "ODF >=
> 1.2".
>
> What it means in practice is that encrypted document exported from >=
> 3.5/3.6 won't be openable in older versions, e.g. <= 3.4
>
> There is a UseSHA1InODF12 and UseBlowfishInODF12 setting which is
> currently disabled.
>
> Such a change shouldn't go unnoticed anyway. So...
> a) is this a good thing that should be welcomed, with a "users using
> older version of LibreOffice/OpenOffice.org should upgrade and/or hassle
> their vendors for patched versions with support for these backported"

IMO, we may have to backport this since, if the experience of the 3.4.x releases is repeated in the 3.5.x releases, we won't reach stabilization in the first couple of .x releases. So there will be a period we have 3.4 and 3.5 releases in parallel where we'll be recommending 3.4 over 3.5.

Alternatively, we could provide in 3.5 a way to encrypt it using sha1, for backward compatibility. The downside is that sha1 is considered to be insecure - the very reason ODF has switched to sha256 in the first place.

Or, we could disable sha256 in the 3.5.x releases until it reaches the point of stabilization and we start recommending it over 3.4.

But I think, ultimately this would depend on the magnitude of code change required to backport it to 3.4....

Just my opinion.

Kohei

--
Kohei Yoshida, LibreOffice hacker, Calc
<[email protected]>
