Bug 158715 - Periodically call home to check for need for update due to security vulnerability
Status: UNCONFIRMED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Installation
Version (earliest affected): Inherited From OOo
Hardware: All
OS: All
Importance: medium enhancement
Assignee: Not Assigned
URL:
Whiteboard:
Keywords: needsDevAdvice, topicInfra
Depends on:
Blocks: Automatic-Updater

Reported: 2023-12-14 21:04 UTC by Eyal Rozenberg
Modified: 2024-03-31 09:38 UTC (History)

See Also:
Crash report or crash signature:

Description Eyal Rozenberg 2023-12-14 21:04:44 UTC
Occasionally, a security vulnerability is discovered in LibreOffice - like today:

https://debugpointnews.com/libreoffice-vulnerabilities-dec-2023/?amp=1

When this happens, users need to be informed that the vulnerability exists; and even more importantly, when a new version is released which addresses it, users need to be encouraged to upgrade.

For that to happen, LO needs to "call home" with appropriate frequency and check for these conditions. It already calls home today to check for new versions, so the mechanism is mostly in place, but it needs to be adjusted to cater to these situations as well.
Comment 1 Eyal Rozenberg 2023-12-14 21:18:51 UTC
Adding some ESC members. On the marketing channel, there seems to be a desire for the ESC to consider this possibility or other avenues for mitigating the security risks for users.
Comment 2 Heiko Tietze 2023-12-15 09:49:52 UTC
We show the update bubble if a new release is available (limited to Windows). But aren't more safety warnings pointless given that AOo is still a number, just to pick one example?

UX-wise I could imagine an infobar with "learn more" link to the release notes when an update is available. Not sure if the package managers accept this.
Comment 3 Rene Engelhard 2023-12-15 10:02:00 UTC
Calling home is a problem. In general it is already questionable but here even more.

Distros don't usually update to a new version. The patches are back ported. Calling home to LibreOffice had no matching info.

Here specifically for Debian: https://lists.debian.org/debian-security-announce/2023/msg00270.html (and 7.6.4~rc1-1 for development)
Comment 4 Rene Engelhard 2023-12-15 10:09:37 UTC
And even if you don't read that list, you will just get it via apt(get) in this case.

People who don't follow either should not administer systems.
Comment 5 Caolán McNamara 2023-12-15 10:34:54 UTC
For the appstore provided case the updates are assumed to get installed by that usual mechanism so the issue shouldn't really apply there.

And for distro provided builds, the same sort of logic applies, the maintainer there does the security backports and the os updates take care of it rather than the individual application.

So it's the "direct download" case that is left over. There is the current notification for an update, but that whole update thing wasn't ever really in great shape, in that it just says there is an update available at best. What we should have is something far more automatic, so the ESC has fairly regularly put "Finish MAR-based autoupdater" into the list of ideas to get a budget to implement, like https://wiki.documentfoundation.org/Development/Budget2021 but in recent years that pipeline has basically stalled.

In recent days, allotropia have some various commits, like https://cgit.freedesktop.org/libreoffice/core/commit/?id=13595f6220095d120e13ccb6fbfac1de4c803fe7 which suggest a possible renewed interest to get that implemented/improved.
Comment 6 John Mills 2023-12-15 10:37:10 UTC
Be real guys, you know that millions of users will be stuck on unsupported and vulnerable versions of LibreOffice. This is bad for users and the reputation of TDF.

A user should be made aware to update to a supported and secure version and not "orphaned", or else you need an update mechanism like a web browser such as Firefox or Chrome where these security items are corrected in the background.
Comment 7 Stephan Bergmann 2023-12-15 12:54:54 UTC
(In reply to Caolán McNamara from comment #5)
> In recent days, allotropia have some various commits, like
> https://cgit.freedesktop.org/libreoffice/core/commit/
> ?id=13595f6220095d120e13ccb6fbfac1de4c803fe7 which suggest a possible
> renewed interest to get that implemented/improved

Yes, see <https://lists.freedesktop.org/archives/libreoffice/2023-December/091309.html> "Resurrecting --enable-online-update-mar".
Comment 8 Eyal Rozenberg 2023-12-15 17:16:43 UTC
(In reply to Rene Engelhard from comment #3)
> Calling home is a problem. In general it is already questionable but here
> even more.

We can either have security updates, or not-calling-home, but not both (except for users who have other means of regular updates of installed apps).

Naturally, we should offer an opt-out of calling home, during installation. But like I said, we already call home today (for versions you download from libreoffice.org)

(In reply to Caolán McNamara from comment #5)
> For the appstore provided case the updates are assumed to get installed by
> that usual mechanism so the issue shouldn't really apply there.

Not good enough IMHO, like John Mills says. We should discourage users from continuing to use a version when a security update is known to be available. Not prevent them from it, and we can let users opt out of from the nagging-discouragement, but we can't rely on our users being vigilant and even making a single easy choice, because enough of them will get it wrong for one reason or another, at least once. The nagging or discouragement should get most of those to get it right the next time.

(In reply to Rene Engelhard from comment #4)
> People who don't follow either should not administer systems.

But most LibreOffice users do administer their systems, or fail to administer them. They are Windows users with their private desktop/laptop machines.
Comment 9 Rene Engelhard 2023-12-15 17:24:27 UTC
> But most LibreOffice users do administer their systems, or fail to administer them. They are Windows users with their private desktop/laptop machines.

Private machines need administering, too. If they cannot do so they should not do so and their machines taken away from them until they show they can (and do.)
Comment 10 John Mills 2023-12-15 17:46:58 UTC
(In reply to Rene Engelhard from comment #9)
> > But most LibreOffice users do administer their systems, or fail to administer them. They are Windows users with their private desktop/laptop machines.
> 
> Private machines need administering, too. If they cannot do so they should
> not do so and  their machines taken away from them until they show they can
> (and do.)

How about if this is a child's PC or an older person who isn't great with technology? How about a person with a learning disability who uses LibreOffice but isn't a system admin. To say take away their PC is frankly insulting and not the attitude that TDF promotes.
Comment 11 Rene Engelhard 2023-12-15 17:50:22 UTC
> How about if this is a child's PC

Parents' job. Or if the child is old enough (s)he can start doing it.

> or an older person who isn't great with technology?

Their problem. Then they need to learn basics. Or just stop it.

> To say take away their PC is frankly insulting and not the attitude that TDF promotes.

And you promote people who have machines which are a threat to other people. Should not happen.
Comment 12 John Mills 2023-12-15 19:14:12 UTC
(In reply to Rene Engelhard from comment #11)
> > How about if this is a child's PC
> 
> Parents' job. Or if the child is old enough (s)he can start doing it.
> 
> > or an older person who isn't great with technology?
> 
> Their problem. Then they need to learn basics. Or just stop it.
> 
> > To say take away their PC is frankly insulting and not the attitude that TDF promotes.
> 
> And you promote people who have machines which are a threat to other people.
> Should not happen.

Are you trolling Rene or serious? I can't tell, this heartless nature is extremely troubling when you don't care for ensuring LibreOffice is safe by design and execution.
Comment 13 Rene Engelhard 2023-12-15 19:29:26 UTC
> Are you trolling Rene or serious?

serious.

> when you don't care for ensuring LibreOffice is safe by design and execution.

That's a bogus accusation.
I do. 

That's why I maintain it in Debian and that's why I prepared the stable updates I mentioned in my link. As do other distributors. No need to do anything here on Linux. There's no need to phone home for security updates, it actually is harmful ("but I have 7.4.7 patched with security issues, but the application says 'get 7.6.4'")

Windows might be different but here 99.9% are in the "I can't admin my machine properly" category.

LibreOffice does care too, that's why those issues were fixed and announced. There's also update ttbomk.
Comment 14 Rene Engelhard 2023-12-15 19:47:09 UTC
for avoidance of doubt: "patched for" of course.
Comment 15 John Mills 2023-12-15 20:35:26 UTC
(In reply to Rene Engelhard from comment #13)
> > Are you trolling Rene or serious?
> 
> serious.
> 
> > when you don't care for ensuring LibreOffice is safe by design and execution.
> 
> That's a bogus accusation.
> I do. 
> 
> That's why I maintain it in Debian and that's why I prepared the stable
> updates I mentioned in my link. As do other distributors. No need to do
> anything here on Linux. There's no need to phone home for security updates,
> it actually is harmful ("but I have 7.4.7 patched with security issues, but
> the application says 'get 7.6.4'")
> 
> Windows might be different but here 99.9% are in the "I can't admin my
> machine properly" category.
> 
> LibreOffice does care too, that's why those issues were fixed and announced.
> There's also update ttbomk.

I'm not questioning your personal opinion as such. The issue is mainly for Windows users that are an order of magnitude larger than both Linux and MacOS. Currently there is no mechanism to ensure they are on safe and supported versions of LibreOffice.

They are "orphaned"; there is no way even to inform them that LibreOffice is a potential risk that could compromise their whole system. It is unacceptable to simply state they should update. Find a way to tell them that, then maybe they might do.
Comment 16 V Stuart Foote 2023-12-15 21:05:26 UTC
As noted in comment 5 and comment 7, the major Windows user bases will be the primary beneficiaries of Stephen B.'s work to revisit and fully implement the initial Mozilla MAR work of bug 68274.

UX-design may need to decide on UI and default/opt-out methods for incremental updates delivered via MAR. Which could end up fully cross platform, at least for the TDF distributed builds.

As Eyal suggested, security notification on 'call home' using the current "update available" methods is feasible and could be as simple as flagging those releases that patch published security vulnerabilities.

But distro maintainers, and packaged installers (Flatpak, PortableApps, snap, AppImage) are responsible for their own bundling. If they strip out/disable the "update available" methods the "call home" alerts will fail. Not LO's or TDF's decision.

Best the project can do is improve notification/alerts in the TDF and App store builds and make the process appealing for the other packaging to use.
Comment 17 V Stuart Foote 2023-12-15 21:11:11 UTC
s/Stephen/Stephan

Sorry Stephan, like the 10th time I've done that to you.
Comment 18 Mike Kaganski 2023-12-15 21:14:45 UTC
(In reply to Eyal Rozenberg from comment #8)
> (In reply to Caolán McNamara from comment #5)
> > For the appstore provided case the updates are assumed to get installed by
> > that usual mechanism so the issue shouldn't really apply there.
> 
> Not good enough IMHO, like John Mills says.

Note that appstore-provided versions have it *good enough*. Please avoid confusing appstore versions, and things like MSIs.
Comment 19 Eyal Rozenberg 2023-12-16 09:24:10 UTC
(In reply to Mike Kaganski from comment #18)
> Note that appstore-provided versions have it *good enough*. Please avoid
> confusing appstore versions, and things like MSIs.

I disagree, perhaps in two respects.

First, it depends on the appstore's update mechanism. Is the user prompted to update at all? And even if they are - it is probably a prompt which says something like "12 applications can be updated", which gives you no sense of urgency about security problems.


Second, about LO itself. With an appstore in the back, or anything which calls home, it should be possible for LO to know that the current version has a security vulnerability. And when this happens, I think the user should see more than an "update available" icon. It should be something more dramatic. A red bar, a warning dialog which pops up etc.

And I'll again say that users should be able to opt out of all of this stuff in case they really don't want to be bothered; but I'm certain that for the majority of our users the benefit of such nuisance when a security vulnerability is discovered far outweighs the detriment. Right now things don't seem too dramatic, because the exploit requires the user to actually go get the malicious code and run it; but another time it may be something more severe when we really want users to update fast and not be stuck with vulnerable versions.
Comment 20 Mike Kaganski 2023-12-16 10:15:15 UTC
(In reply to Eyal Rozenberg from comment #19)

Appstore versions are *expected* to be managed by appstores. If users rely on that, it's the appstore package author's responsibility to mark the next update as "urgent", so that the appstore updates it ASAP. It is *not* expected that apps managed by appstores start telling "update is available".

If a user opts out from an automatic update mechanism of the appstore, they know what they are doing. It is an explicit act, and there should not be another guess like "they decided to not update automatically, but we know better that they need our reminder".

And no, appstore versions are *not* expected to even show an "update available" icon. If they do, it's a bug.
Comment 21 Eyal Rozenberg 2023-12-16 11:03:33 UTC
(In reply to Mike Kaganski from comment #20)
> (In reply to Eyal Rozenberg from comment #19)
> 
> Appstore versions are *expected* to be managed by appstores.

When it comes to users' security, we should s/expected to/hoped to/ . IMHO we need to take some extra precaution beyond the point of what should be somebody else's responsibility.

> If users rely
> on that, it's the appstore packahe author's responsibility to mark the next
> update as "urgent", so that appstore updates it ASAP.

And who's to say the app store even supports that? I'm no expert, but on my Linux distribution, I don't get different notifications for "urgent" package updates.

> It is *not* expected
> that apps managed by appstores start telling "update is available".

Ok, but I would argue it should be expected that when an app knows it has a security vulnerability, it tells the user that.

> If a user opts out from an automatic update mechanism of the appstore, they
> know what they are doing.

1. Some app stores may not even have automatic updates. 

2. It is rarely a reasonable assumption that users know what they are doing. Or perhaps I should say: In a large body of users of varying levels of computer use literacy, for every action or inaction, many users do not know what they are doing when engaging in it. Maybe they're clueless, maybe their mouse slipped, maybe they weren't paying attention, maybe they misread, maybe somebody else touched their computer and didn't care what they were doing etc.
Comment 22 Rene Engelhard 2023-12-16 11:09:31 UTC
> And who's to say the app store even supports that? I'm no expert, but on my Linux distribution, I don't get different notifications for "urgent" package updates.

Then you do it wrong. There is definitely software doing so. (I don't know which one exactly since I don't, as a daily routine here is apt update && apt upgrade).

Your security-announcement list of your distro also is a choice, then you get even emailed when a package gets updated for security.

And if you only have security updates configured for your distro you can assume any update == urgent. In any case, you should just check regularly for updates anyway and just install them.
Comment 23 Mike Kaganski 2023-12-16 11:42:54 UTC
There is a race between "there are means to get unintrusive UX" (e.g., users asked to provide LO on Windows Store / Apple Store, just because it provides a nice and unintrusive autoupdate mechanism); "there is a way to avoid any unwanted data exchange over Internet" (as in "I hate when my apps call home"), security awareness (which is your point creating this issue), etc.

I would say that I completely support implementing the proposal *in packages distributed by TDF*, which excludes all appstores / distro packages. I do know that Windows store does support urgent packages. If a package management system doesn't, it's something to improve in that system, or to avoid using that system.
Comment 24 Eyal Rozenberg 2023-12-16 13:17:41 UTC
(In reply to Rene Engelhard from comment #22)
> Then you do it wrong.

I do the default thing on Devuan / Debian.

> There is definitely software doing so. (I don't know
> which one exact since I don't since a daily routine here is apt update &&
> apt upgrade).

Rene, I believe you are approaching this the wrong way. If you're talking about it to a single person (like me) then you can say: "Just do XYZ", and assume I am capable of it and am making a conscious choice. With masses of users, it just doesn't work that way. If I dug a pit in the road and put up a sign saying "beware the pit", people would fall in. It will not help that I can say "oh, but they should have read the sign, it was very clear". They still fall in the pit, and we want them not to fall in the pit.

> Your security-announcement list of your distro also is a choice, then you
> get even emailed when a package gets updated for security.

It's effectively a choice if you're offered it. The installer doesn't offer it. Plus, again, you're thinking about a security-conscious user who takes the time to read such mailing lists. Many users aren't.

> And if you only have security updates configured for your distro you can
> assume any update == urgent. 

But if I don't, then I can't.
Comment 25 Rene Engelhard 2023-12-16 13:29:33 UTC
> I do the default thing on Devuan / Debian.

Then you got the fix via your apt update / apt upgrade routine everyone should have. (here: 7.4.7-1 -> 7.4.7-1+deb12u1 for Debian stable). No need to phone home to get possibly told "upgrade to 7.6.4", because that's totally wrong because that one doesn't exist on official Debian stable (it is in stable-backports, versioned 7.6.4~rc1-1, which is definitely identical to 7.6.4. Do users know? Maybe not. Do users need to know? No.)

> But if I don't, then I can't.

That is the default thing on Debian. You don't get any updates other than security via the default sources list (except "urgent" updates via -updates maybe).

Point releases might be something else, but even then in "normal" cases you don't get version updates either.

I don't know about Devuan, but...

You are contradicting your own point.
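The disagreement between comment 13/25 (a Debian package such as 7.4.7-1+deb12u1 already carries the backported fix, so an upstream-only version comparison wrongly tells the user to "get 7.6.4") and comment 16 (flag releases in the "update available" feed that fix published vulnerabilities, so TDF builds can warn more loudly) can be made concrete in a few lines. The following is an added illustration written for this page, not LibreOffice's own update-check code: the feed format, the `Origin` field, the `security` flag and all function names are assumptions, and the feed contents are constructed sample data.

```python
"""Added example (not LibreOffice code): an origin-aware update check.

Two behaviours from the bug thread are contrasted:
  * naive_advice(): compare only the upstream version number, the failure
    mode Rene describes (a patched Debian 7.4.7 told to "get 7.6.4").
  * advice(): only TDF direct downloads are compared against the upstream
    feed; distro and appstore builds defer to their own update channel,
    where the backported fix actually arrives. A newer release flagged
    'security' escalates the message, as Stuart suggests.
All names and the feed format are assumptions for illustration.
"""
from enum import Enum
import re


class Origin(Enum):
    TDF_DIRECT = "tdf"       # MSI/DMG/tarball downloaded from libreoffice.org
    DISTRO = "distro"        # Debian, Fedora, ... package (assumed to be detectable)
    APPSTORE = "appstore"    # Microsoft Store, Mac App Store, Flatpak, snap


class Advice(Enum):
    NONE = "up to date"
    UPDATE_AVAILABLE = "update available"
    SECURITY_UPDATE = "security update available"
    MANAGED_ELSEWHERE = "updates handled by package manager / store"


def parse_upstream_version(v: str) -> tuple:
    """Keep only the upstream part: '7.4.7-1+deb12u1' -> (7, 4, 7).

    Distro suffixes (-1, +deb12u1, ~rc1) carry the backport information,
    and dropping them is exactly why an upstream-only comparison misleads.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


# Constructed sample feed, standing in for what a "call home" server could
# answer. 'security' marks releases that fix published vulnerabilities.
FEED = [
    {"version": "7.6.4", "security": True},
    {"version": "7.6.3", "security": False},
]


def naive_advice(installed: str, feed=FEED) -> Advice:
    """The behaviour objected to in comment 13/25: upstream numbers only."""
    latest = max(feed, key=lambda e: parse_upstream_version(e["version"]))
    if parse_upstream_version(installed) >= parse_upstream_version(latest["version"]):
        return Advice.NONE
    return Advice.SECURITY_UPDATE if latest["security"] else Advice.UPDATE_AVAILABLE


def advice(installed: str, origin: Origin, feed=FEED) -> Advice:
    """Origin-aware check: defer to the distro/store channel unless this is
    a TDF direct download; then escalate if any skipped release is a
    security fix. Whether the user may dismiss the message is a policy
    question the thread leaves open and is not decided here."""
    if origin is not Origin.TDF_DIRECT:
        return Advice.MANAGED_ELSEWHERE
    inst = parse_upstream_version(installed)
    newer = [e for e in feed if parse_upstream_version(e["version"]) > inst]
    if not newer:
        return Advice.NONE
    if any(e["security"] for e in newer):
        return Advice.SECURITY_UPDATE
    return Advice.UPDATE_AVAILABLE


if __name__ == "__main__":
    debian_pkg = "7.4.7-1+deb12u1"  # Debian stable, patched build (comment 25)
    print("naive, Debian :", naive_advice(debian_pkg).value)
    print("aware, Debian :", advice(debian_pkg, Origin.DISTRO).value)
    print("aware, TDF    :", advice("7.6.3", Origin.TDF_DIRECT).value)
    print("aware, TDF    :", advice("7.6.4", Origin.TDF_DIRECT).value)
```

The design point is the `origin` gate, not the version arithmetic: a build that arrived through apt, a store or Flatpak should never be told to fetch an upstream installer, because the package maintainer's backport is the fix for that build. Only the direct-download case, which the thread identifies as the one left uncovered, is compared against the feed, and there the `security` flag is what lets the client choose a louder UI than the plain update bubble.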
Comment 26 Heiko Tietze 2023-12-18 11:02:04 UTC
Good arguments on all sides, and we obviously will not find a solution that fits all.

How about an extension that checks on a daily basis whether some new version is available and informs the user via infobar? Could be done via wiki page with limited access, I guess.
Comment 27 John Mills 2023-12-18 11:28:13 UTC
(In reply to Heiko Tietze from comment #26)
> Good arguments on all sides, and we obviously will not find a solution that
> fits all.
> 
> How about an extension that checks on a daily basis whether some new version
> is available and informs the user via infobar? Could be done via wiki page
> with limited access, I guess.

Hi Heiko, security is an area that you can't leave to the possibility a person is running an extension. You either do it or you don't. The two options I see for Windows and Mac users are an info bar that informs the user that your version of LibreOffice is at risk and you should upgrade, or you go the Mozilla route and just update in the background, but provide an option to opt out of this if you want.
Comment 28 Eyal Rozenberg 2023-12-18 11:43:10 UTC
(In reply to Heiko Tietze from comment #26)
> How about an extension

I believe that rules it out already... we need something effective for the majority of users, who are less savvy; not for those who would browse extensions and choose this one.
Comment 29 Heiko Tietze 2023-12-19 07:56:49 UTC
(In reply to John Mills from comment #27)
> security is an area that you can't leave to the possibility
> a person is running an extension.

We ship and install extensions by default. Could be done here as well. Extensions are easy to patch out for non-TDF builds, easy to modify, and allow much more flexibility than core programming.
Comment 30 John Mills 2023-12-19 09:24:55 UTC
(In reply to Heiko Tietze from comment #29)
> (In reply to John Mills from comment #27)
> > security is an area that you can't leave to the possibility
> > a person is running an extension.
> 
> We ship and install extensions by default. Could be done here as well.
> Extensions are easy to patch out - for non-TDF builds, easy to modify, and
> allow much more flexibility than core programming.

That's an interesting point, thanks Heiko. I think that might inform that there is a security breach; it won't update a user's computer however. I believe that for the most part a user should be running the latest supported version of LibreOffice to mitigate situations like this.
Comment 31 Eyal Rozenberg 2023-12-19 20:38:35 UTC
(In reply to Heiko Tietze from comment #29)
> We ship and install extensions by default. Could be done here as well.
> Extensions are easy to patch out - for non-TDF builds, easy to modify, and
> allow much more flexibility than core programming.

I have no objection, although the choice between an in-core and bundled-extension is something which developers would be more knowledgeable about.

(In reply to John Mills from comment #30)
> I think that might inform that
> there is a security breach, it won't update a users computer however.

Depends on how it's configured I suppose. Plus, this bug is about the warning, not about auto-update that's on by default.
Comment 32 Heiko Tietze 2024-01-26 08:23:29 UTC
Ultimately a topic for dev and infra, removing UX keyword.

My take: WF, if the MAR updater is fully functional.