LibreOffice: Stability, security, and continued development
Security News, September 2023
LibreOffice is based on the source code of OpenOffice, a project that, according to LibreOffice marketing co-lead Italo Vignoli, was marked by questionable decisions around development and quality assurance.
To address the mountain of inherited technical debt, the LibreOffice developers undertook a heavy source code cleanup and refactoring process, which lasted throughout the development of LibreOffice 3.x and 4.x. "This effort was coupled with the creation of an infrastructure to serve the developers, with the implementation of tools such as Gerrit for code review, Git for continuous integration, a battery of Tinderboxes, Bugzilla for quality assurance, OpenGrok for source code research, Weblate for localization, as well as testing for performance and crash analysis," he explained.
LibreOffice is not without bugs and security vulnerabilities but, according to Vignoli, going by the counts in the MITRE CVE database, it is an order of magnitude better on the vulnerability front than closed-source alternatives.
"On the downstream side, open-source projects that integrate components developed by The Document Foundation, e.g., import filters for some proprietary formats, rely on the professionalism of LibreOffice developers. In fact, all libraries are used first by LibreOffice, so development respects the same quality process. The same is true, of course, for software based on the LibreOffice Technology platform, and thus for the mobile and cloud versions of LibreOffice released by companies in the ecosystem, which are then the same ones that contribute to the development of the desktop version."
"In the case of LibreOffice, in addition to publishing extensive documentation on the development and security process - which is not a problem for content but is a problem for a project where most of the contributions are on a voluntary basis - it would be necessary to guarantee support for each version for 5 years from the date of release. With two major releases and a dozen minor releases per year, this is effectively untenable."
Until the requirements imposed by the Cyber Resilience Act are clear, TDF will not be making changes to LibreOffice development activities.
News URL
https://www.helpnetsecurity.com/2023/09/07/libreoffice-security-development/