Category: Technology

Berlin, July 25, 2018 – The Document Foundation celebrates five years of improvements to LibreOffice’s source code under Red Hat’s leadership, thanks to the adoption of automated tools such as Coverity Scan and Google OSS-Fuzz, and to the key contributions in the area of source code fuzzing of security specialists such as Antti Levomäki and Christian Jalio of Forcepoint.

“The combination of Coverity Scan, Google OSS-Fuzz and dedicated fuzzing by security specialists at Forcepoint has allowed us to catch bugs – which could have turned into security issues – before a release,” says Red Hat’s Caolán McNamara, a senior developer and the leader of the security team at LibreOffice.

Since 2013, Coverity Scan has helped to reduce the number of issues by several orders of magnitude (from 0.93 to 0.00093 per 1,000 lines of code). The score is significantly better than the FOSS software average of 0.65 and the proprietary software average of 0.71.

The Coverity Scan score is related to a static analysis to find source code defects and vulnerabilities. In static analysis, the code under examination is not executed. As such, the score does not represent an absolute value about quality and security of the software when executed on end user desktops.

More recently, developers have implemented fuzzing or fuzz testing, a technique that involves providing invalid, unexpected or random data as inputs to a program, which is then monitored for exceptions such as crashes or failing built-in code assertions, or for potential memory leaks. Fuzzing is able to catch issues just a few hours after they appear in the upstream source code repository, and help to solve bugs and potential security issues before they reach the end user.

#abetterlibreoffice

FOSDEM is a major event in the free and open source software world – thousands of FOSS supporters get together to discuss new features, work on bugs, make new contacts, and just have a great time.

This year, many members of the LibreOffice community were there too, and gave talks and presentations in the Open Document Editors devroom. We’ve added the videos to a playlist, embedded below, so enjoy browsing through them to see what’s to come in LibreOffice! (Click the button in the top-left to switch between videos in the playlist.)

On Friday, we have announced LibreOffice 5.4.5 and LibreOffice 6.0.1. In both cases, it has been an earlier than scheduled – and expected – release, to solve a couple of issues which were considered significant enough to change the usually predictable release schedule. The first issue was related to security, and we decided to release a patched version to reduce the risk for LibreOffice users (details are available on dedicated channels). The second issue was related to the increase of crashes on Windows of the just announced LibreOffice 6.0.

The chart on the left shows the increase of crashes after January 31 announcement and the subsequent decrease after February 9 announcement (right-clicking on the image will allow opening the original image, which is easier to read). It is important to underline the fact that the chart is generated by our test system, which is stressing the software, and does not reflect the actual number of crashes experienced by end users. On the other hand, we received several reports of unexpected crashes, which confirmed data provided by the test system.

Although both issues were reported while a large number of developers and other community members were in Brussels for FOSDEM and for a series of internal meetings, they were immediately tackled by developers – who provided the patches – and triggered a new release process: production of the binaries for the different operating systems, test of the binaries to verify that issues were solved, upload of the binaries on mirrors, preparation of web pages relevant for the announcement (changelogs on the wiki, and download pages on websites), and draft of the announcement text for the announce mailing list, the blog post and the press release distribution. From the decision to the release, the entire process was completed in less than two days, confirming the maturity of the LibreOffice project in front of unexpected events.

Document classification is one of LibreOffice 6.0 improved features. As the concept of classification is not well known outside enterprises and large organizations, to help marketing the feature we have produced this graphic to help community members with presentations. Of course, we have used LibreOffice Draw, and you are invited to localize the ODG file embedded into the attached Hybrid PDF file. The graphic complements the background, which provides additional information about classification.