Solved Vulnerabilities

I worked on the project Free Online Office, a collaborative online office based on LibreOffice technology, to solve vulnerabilities of the used JavaScript packages. I updated all used JavaScript packages to new versions. The command ‘npm audit’ reports no vulnerabilities now.

This is a big difference to the starting point, where there was and is the following report:

57 vulnerabilities (1 low, 20 moderate, 34 high, 2 critical)

I’ll create a new Docker image from the updated source code and publish it on the Docker hub during the next days. You can get it from there with:

docker pull freeonlineoffice/online:nightly

Free Online Office Nightly On ProxMox

I created a Linux Container on my ProxMox server using Debian 11 and installed and run Docker inside of it. Then I pulled the current Free Online Office (nightly build) from hub.docker.io:

docker pull freeonlineoffice/online:nightly

I started this Docker container with:

docker run -t -d -p 192.168.10.15:9980:9980 -e "username=admin" -e "password=S3cRet" freeonlineoffice/online:nightly

The IP in the docker command depends on the IP address of the Linux Container on your ProxMox server. You should give the container a fixed IP address. I used the IP address (double escaped) for the aliasgroup entry for my first run too.

Once I started the container I run ‘docker ps’ to see, if the container is running. Then I checked with curl from my remote machine, if everything works.

curl -k https://192.168.10.15:9980

If you don’t get an error message in return everything seemed to work. I could open a browser on my remote machine and type call the URL:

https://192.168.10.15:9980/browser/dist/admin/admin.html

This shows the admin console of Free Online Office build on LibreOffice technology.

Worked Further On LibreOffice Online Code And Docker Image

The Javascript packages in the former git repository of LibreOffice Online and ist fork were not up to date. Thus I hat to work on update them. This and the code update took a bunch of my spare time.

I had also to work on the configuration of the shrinkwrap/shrinkpack tooling. The former configuration and especially the shrinkwrap.json.in file blocked the build process of the docker file. The naming of the shrinkpacked files changed.

Once this was fixed the browser part of LibreOffice was build sucessfully. And finally I was able to build a first lool docker container and start it.

I made a first test and could copy the loolwsd.xml from the container and also view the container log.

Updated The LibreOffice Online Code And JavaScript Modules

I worked further on the update of the LibreOffice Online source code during the last days. I brought it on par with its fork first. In parallel I worked on the JavaScript modules and were able to move them to newer versions. This fixes also some vulnerabilities, from critical to mid category. The npm tool doesn’t complain about vulnerabillities in the JavaScript area of the source code anymore yet.

Update JavaScript Modules Of LOOL

I had a look at the ‘zoo’ of JavaScript modules which are living in the browser part of LibreOffice Online and found a lot of outdated versions there. This modules need an update to newer versions. I’m working currently on this task step by step.

I also got the message in the shell about vulnarabilities in the modules, some of them classified high and one critical. I fixed a bunch of them with an npm command, thus there is no critical vulnarability left. The high classified dimished from 15 to five.

Next Step: Work On Docker File

I worked on the changes in the source code to create an up to day docker file of LibreOffice Online today. I had to adapt scripts to build the online version from source to LibreOffice Online for that and run it. Because the naming and the variable names of former scripts were changed with the fork I had to rework them.

I’m currently running the build process a second time and hope it will create a first version of a new LibreOffice Online docker container from source. Keep your fingers cross 😉

Work On Revival Of LibreOffice Online

I worked during the last two weeks on a revival of the LibreOffice Online project. This project / branch is a version of LibreOffice which runs in a browser and supports collaborative editing.

I fetched the commits, which has been commited to a fork of the LibreOffice Online (LOOL) branch since October 2020. But there had been some renamings of file names and strings, which increases the effort. I had to adapt those commits to the original file names and strings. There were also changes in the license header of some files. I had to revert the commit, which inserted those changes.

And then I got another issue with an hardware defect and I had to migrate my environment to another hardware. And yet I got everything up and running. The first screenshot shows LibreOffice Online Writer with a text document.

LibreOffice Online Writer Document in the Browser

And the next screenshot shows the Admin console of LibreOffice Online with some statistics. It shows also that there is currently one user working with one document.

LibreOffice Online Admin Console in the Browser

Test Of Plone 6.0a2 With Collective.Addons

I installed the current alpha release of Plone 6 (a2) using buildout. I created a Python 3.9 virtual environment and used it to build a Plone 6.0a2 instance. I could start this instance in forground mode with ‘instance fg’ and it was available at port 8080 on localhost.

This shows me a site where I could add a new Plone site to the instance. I used the advance button and could add the ‘plone.volto’ add-on to it. This makes it more easy to use the new Volto frontend later (see screenshot below).

Volto Home Plone 6.0-a2

Once I finished the first steps with a new Plone 6.0-a2 buildout I made some further steps and added one of my Plone add-ons to the buildout script. I ran the buildout again and was able to include my add-on, named ‘collective.addons’.

But once I started the instance in forground mode I got a traceback which points me to a line in the configure.zcml of the add-on. I had to comment out the line with ‘IncludeDependencies’ in this file and everything went fine. I could install the add-on in the Plone site and also use its content types. It was able to view the content types within the Plone classic frontend. But there is currently no complete view of the content types within the new Volto frontend available. I’ll work on this during the next weeks.

Further Short Volto Test

I activated the blocks feature on the Dexterity page type of Plone 6 with Volto and I get a new experience with the Volto frontend. Everything on the page are now similar to the work in a current WordPress site. I could move aroud this blocks very easily. And I found out that I could insert a blog for an image. I could set the size of this blog to small and align the image to the left side. I move this image block to the top and the first text block adapted its wide to the image block. You could see this behavior on the screenshot below.

Short Test With Volto On Plone-6-dev

I created an instance from the development branch of Plone 6. The source code of this branch could be cloned from the Github repository of the Open Source project: https://github.com/plone/buildout.coredev

I also cloned the Volto repository from Github: https://github.com/plone/volto and started with building the backend. Then run ‘yarn start’ and fixed the missing dependencies, especially ‘razzle’ (yarn add razzle). Once this was done yarn build the Volto client and server. I could get the Volto interface at ‘localhost:3000’ yet. But it is missing a Plone instance, because it had not been up.

I fixed this by running the instance of my Plone 6 buildout, created a new Plone site with the default name ‘Plone’. This site could be reached in the (old) classic Plone interface at ‘localhost:8080/Plone’.

I had to install the ‘plone.restapi’ inside the new Plone site (within the settings site under ‘add-ons’). The Volto interface at ‘localhost:3000’ could connect to the Plone instance yet.

I made a first test with the new Volto interface and created a new Page inside the Plone instance (inside a folder) to test its functionality. I copied a text from a popular Open Source projects website for this test. I could paste it directly into the new page. Then I tried to insert a grafic into the page. But this functionality wasn’t available in my Volto interface yet. I could integrate this grafic within the edit feature of the classic Plone interface and display it also on the Volto interface. The screenshot at the top shows the result of my short test.