Dear Libre Office team

Alexander_Y_Lee · October 13, 2015, 12:48pm

Hi,
I am Libre office user on Mac OS. Above all, I really appreciate to you guys' adventure and entrepreneurship to develop this kind of useful Open source software that is extremely helpful for Mac OS user. Documents written through MS office are always the source of problem to handle based on Mac OS. However, after I used your S/W, then it became much easier and I can get rid of burden regarding those stuff.

The reason why I write this letter is to ask you about the security of this software, I think since it is open source, so I am worrying about the security and possibility of being attacked by hacker and virus. I am very sensitive toward security and I do not want my documents sent to the hacker later. Can I make myself easy about the concern?

And, does this software work independently like MS office and is it Off-line program? or Does it work through cloud service system, API, and Online based system?

I wish you will not misunderstand my message, I just want to confirm the structure of the program regarding security that is my priority concern. And, separated from my question, I sincerely respect your effort.

Hope to receive your reply.

Thanks for your development.

Best wishes,

Alexander

nasrin_khaksar · October 13, 2015, 2:13pm

hi.
in my view point libreoffice is extremely great in different aspects.
like: performance, compatability with microsoft and even documents and
files from other softwares, compatibility for different operating
systems, and even security!
people in this group are mostly kind, intimate, friendly and many of
them helped me in solving my problems.
i appreciate document foundation for there efferts and there great
programs and also from its users for there supporting for other users
specially for not experienced users like me.
i use libreoffice since version 4.3.0 thats accessible for blinds
without needing java jre and java access briedge.
this program is very favorite in all over the world and in many countries.
i hope thats help.
best wishes. from: zahra.

Cley_Faye · October 13, 2015, 2:30pm

Hi,

I'll try to address these specific points.

Yes, LibreOffice is an open source project. However, I have difficulties
seeing the link between the open source status and the actual security.
As a quick summary of things, all software have the potential for security
issues; the only difference between open source and closed source is that
for the former, it is possible to run a security audit on the code to find
these defects, while in closed source you just have to trust some vendors
for their words.
That aside, LibreOffice itself have no (as far as I know) disclosed
security issues at the moment. It have happened (and will happen, as with
any kind of software), and usually such issues are fixed quickly by the
developers.
As long as you download the software from a trusted source (as in, the
official LibreOffice website) there is nothing to worry about on this front.

Also, LibreOffice is a completely offline package, and does not require any
kind of internet connection to run (beyond the initial download of course).
Unless you explicitely use such functionalities, there is no communication
at all coming from the software, with the exception of the update-checking
mechanism.

Paul_D_Mirowsky · October 13, 2015, 2:48pm

Hello

LibreOffice is no different than any other software when in comes down to the code.
But it is paid attention too by them. See URL below.

https://www.libreoffice.org/about-us/security/advisories/

I would like to thank L-user from this https://ask.libreoffice.org/en/question/22960/ms-office-libreoffice-which-one-is-more-vulnerable/
for the following quote. Read the entire response from the URL if you have time, this is the short version.

When we are talking about security we must first provide the potential security risk? You didn't provide more details, so I will try to answer the question in general manner.
1. Protect from unauthorized access to file. Encrypt your files and share the password with your friend/coworker in secure way (like telling the password in person). You can do this by File | "Save as" and check "Save with password" checkbox. Make sure you pick complicated password with at least 14 characters. Few of them must be non-characters like numbers, special characters like: !, $, %, @ etc. This kind of password is very difficult to brake. This way you can also send file by e-mail, just don't write the password in mail. In this case I suggest to use LibreOffice 3.6 or newer, because of implemented strong encryption.
2. Someone from internet is trying to access my files? Implement firewall, antivirus. If extremely paranoid, then edit files offline and store them on USB key.
3. You would like to exchange files securely (paranoid). Use some SFTP server or FTPS or some other means like creating SSH tunnel and then transfer files inside the tunnel. (not really for non-computer-geeks)
4. You are trying to protect access to your local files by someone that has physical access to your computer? You need to install operating system by yourself (most secure) and make sure all of the operating system passwords are strong and well kept. You need to encrypt your hard disks. You need to make sure you don't install too many programs on it, because each of the program can bring some vulnerability.(this is paranoid way and not really for non-computer-geeks)

Nothing is totally secure, but that doesn't mean you shouldn't try.

Hope this helps.

Bastian_Diaz · October 13, 2015, 2:52pm

Do not forget that a user of OS X, asking the question.

Also a reliable source of download for users of OS X is the App Store. Thanks to friends of Collabora (https://www.collabora.com/), you can access LibreOffice Vanilla (https://itunes.apple.com/us/app/libreoffice-vanilla/id921923693?mt=12) that is the same as LibreOffice fresh and LibreOffice from Collabora (https://itunes.apple.com/app/libreoffice-from-collabora/id918120011) that LibreOffice is stable version with commerciall support to a reasonable price, Both meet high safety levels. Also, remember that security, much it depends on the user, file sharing and how to use the software.

Enjoy

Jean-Louis_Oneto · October 13, 2015, 4:32pm

Hi,
If you are really worry about security, you should apply the rule in practice in high security agency (military...): only use software that you compîled yourself, from official source files, and after checking the sources for any backdoor or security issues. While usually you can get the source of proprietary sofware (with a non-disclosure agreement and often a lots of money), Open-source software let you do that for free.
That's one major reason that those agencies favor more and more open source.
Best regards,
Jean-Louis

James_E_Lang1 · October 13, 2015, 7:36pm

Hi Alexander,

My remarks below are tagged as [... -- jl]

A few words appear in FULL CAPS for emphasis.

Tom_Davies1 · October 13, 2015, 8:40pm

Hi
3. It is installed directly onto your machine/device and is not a Cloud
App. In your words, it does work independently.

If you wanted a Cloud App version then possibly the best one is
Google-docs. Google is one of our many supporters and their apps should
integrate fairly well with ours. I think TDF (= "The Document Foundation",
the charity/company that owns LibreOffice) is working on a Cloud version of
LibreOffice but that is a slightly separate project. There are also
"Portable Apps" versions that can be installed onto Usb-Stick which can
then be carried around and plugged into almost any Windows machine giving
you access to the program, even if it isn't already installed. Mostly
it's probably easier to just use Google Apps when you need a Cloud version
and LibreOffice when you need an installed one on your machine.

2. It is quite contra-intuitive but OpenSource keeps out-performing
Proprietary software in almost all tests and real-world cases.

Here's part of a discussion about the coverity score;
https://www.reddit.com/r/linux/comments/2ns5br/libreoffice_now_has_a_coverity_defect_density_of/cmgc91n
http://softwareintegrity.coverity.com/register-for-libreoffice-scan-report-2014.html?cm=social&cs=pr&ct=none

Errr, quite a long way down in this article from ZdNet
http://www.zdnet.com/article/libreoffice-4-3-the-best-open-source-office-suite-gets-better/

Here is one article abut OpenSource security;
http://opensource.com/business/15/5/why-open-source-means-stronger-security
This wikipedia page has a few links and external sources to explore;
https://en.wikipedia.org/wiki/Open-source_software_security
The first section is a bit "off-topic" but after that it starts to make a
bit of sense.

There used to be a fantastic little blog entry that explained most of it
very clearly and i was hoping that was still around but it was a bit
ancient.

There are entire Operating Systems made as OpenSource. The most famous are
Linux, properly called "Gnu&Linux". Another is BSD but there are others
too. Here is one page from "Ubuntu Linux"'s documentation about Antivirus;
https://help.ubuntu.com/community/Antivirus

Some very tangential facts ...
97.60% of the world's top 500 supercomputers run on Linux (OpenSource), as
at 1st June 2015
02.20% of them ran proprietary systems of which,
00.20% run Windows, so it's not even the most widely used proprietary OS
and is totally insignificant when compared to OpenSource systems.

02.00% run on Unix, having dropped from around 70% 'just' 12 years ago.
Although, since Linux (and BSD and Mac) is unix-based it still kinda has a
hugely significant impact. BSD had 3.00% of the market 12 years ago and
gradually gone down about 0 but switching between unix-based system is a
LOT easier than making the jump to/from Windows so that could plausibly
change.

Windows peaked from June 2008 to June 2009 with a fairly steady 0.80%. Mac
peaked a couple of years earlier in 2005-2006 with 1.00% of the market.

Source;
http://www.top500.org/statistics/overtime/

If you look at performance share then you see Windows rocketed up to a
high-point of 1.5% and Mac's was 1.6% but BSD's was 11.75% at the start of
the 12 year period and was probably more before that. BSD is also kinda
OpenSource. Unix also started the 12 year period very high but it was
closer to it's market share so it seems less driven by perception and seems
more driven by knowledge and experience than most of the others. Linux is
currently at 98.91% on the performance chart but looks like it is still
rising!

So the upshot is that you are likely to actually be safer using LibreOffice
than anything proprietary. A simple way of explaining this to people is
"Security through obscurity" which is an incredibly tiny part of the whole
reason. The larger part of it is more about secure by design.

You can always take things several steps further, such as encrypting files
and password-protecting them but i generally find they are more hindrance
to legitimate users. Encrypting things is generally becoming much more
crucial in the world in general and that probably includes OpenSource.

1. Many thanks "for the flowers" as they say. Mostly we are 'just'
'normal' users on this mailing list although several people here are also
in different teams. Our main mission on this mailing list is to just help
people overcome any problem they may have had and to help them find good
documentation. So, mostly we just agree with you and your experience so
far sounds fairly typical of what most of us found too. :))

4. We do understand. Those were good and legitimate questions. The
security question is always a good one to ask about any software.
Hopefully we have answered that adequately.

Good luck and many thanks and regards from
Tom