OpenOffice, once the premier open source alternative to Microsoft Office, could be shut down because there aren't enough developers to update the office suite. Project leaders are particularly worried about their ability to fix security problems.

An e-mail thread titled, "What would OpenOffice retirement involve?" was started yesterday by Dennis Hamilton, vice president of Apache OpenOffice, a volunteer position that reports to the Apache Software Foundation (ASF) board.

"It is my considered opinion that there is no ready supply of developers who have the capacity, capability, and will to supplement the roughly half-dozen volunteers holding the project together," Hamilton wrote.

No decisions have been made yet, but Hamilton noted that "retirement of the project is a serious possibility," as the Apache board "wants to know what the project's considerations are with respect to retirement."

Few updates and a lingering security hole

Many developers have abandoned OpenOffice to work on LibreOffice, a fork that got its first release in January 2011. While LibreOffice issues frequent updates, OpenOffice's most recent version update was 4.1.2 in October 2015. That was the only OpenOffice release in 2015, and there were only two updates in all of 2014. LibreOffice got 14 version updates in 2015 alone.

In July, OpenOffice issued an advisory about a security vulnerability that had no fix. The problem could let attackers craft denial-of-service attacks and execute arbitrary code. One of the workarounds suggested by the OpenOffice project was to use LibreOffice or Microsoft Office instead. A patch for that problem that can be applied to existing versions of OpenOffice was released in late August, but concerns about fixing future security problems remain.

Though the vulnerability didn't become public until recently, Hamilton wrote that the problem and a proof of concept was reported to the OpenOffice team just as version 4.1.2 was about to be released. Developers figured out a source code fix in March this year, but "we were sitting on the fix because we didn't want to give anyone ideas when they saw it applied to the source code unless there was a release in the works," Hamilton wrote.

The person who reported the vulnerability became "concerned about sitting on the disclosure any longer," but OpenOffice worked out a compromise "to create a hotfix instead of attempting to work up a full maintenance release (e.g., a 4.1.3)," Hamilton wrote.

"In the case of Apache OpenOffice, needing to disclose security vulnerabilities for which there is no mitigation in an update has become a serious issue," Hamilton wrote. By the time a new version release incorporates the fix, it will likely be "a year since the release of Apache OpenOffice 4.1.2."

The ASF board asked the OpenOffice project management committee "to account for this inability and to provide a remedy," and ASF wants monthly updates rather than the usual quarterly ones, Hamilton wrote.

How a shutdown would proceed

While the board hasn't ordered any specific solution, Hamilton noted that ending the project is one option and described a possible process for retiring OpenOffice. Source code would remain available for anyone interested in using it, but the project would provide no means of committing changes. Installable binaries would be retained in an archive system, but there would be "no further additions." The mechanism for announcing updates to the latest version of OpenOffice would be adjusted to provide "advice to users about investigating still-supported alternatives."

Various other components of the project would have to be shut down, including public discussion mailing lists and mailing lists for developers. OpenOffice would shut down its blog and Twitter and Facebook accounts. The project management committee would be disbanded, but Apache would maintain an e-mail address that accepts requests to make use of the OpenOffice brand.

While this is still hypothetical, Hamilton said he sketched out the details of the retirement plan because he wants to make sure "any retirement happen[s] gracefully. That means we need to consider it as a contingency. For contingency plans, no time is a good time, but earlier is always better than later."

One response to Hamilton's e-mail came from Jim Jagielski, a software engineer who co-founded the Apache Software Foundation and serves on its board.

"What is obvious is that the AOO [Apache OpenOffice] project cannot support, at the present time, being an end-user focused effort. I would suggest we focus on not being one, but instead being a framework or library that can be consumed by actual end-user implementations," Jagielski wrote.

Despite LibreOffice success, OpenOffice has many users

OpenOffice became an open source project in 2000 after Sun Microsystems acquired StarOffice and released the code. The LibreOffice fork was created after Sun was acquired by Oracle in 2010. After the fork, Oracle contributed OpenOffice to the ASF, which renamed it Apache OpenOffice.

LibreOffice is maintained by The Document Foundation, whose advisory board includes free software groups such as the Free Software Foundation and GNOME and companies such as Canonical, Google, and Red Hat. The existence of LibreOffice is fortunate because it provides OpenOffice users new features and a likely more secure alternative to switch to. LibreOffice is already the default office suite on major Linux distributions, and it has more than 100 million active users.

But OpenOffice still has plenty of users on Windows and Mac in part due to name recognition resulting from its long history. OpenOffice was downloaded more than 29 million times in 2015, for a cumulative total of more than 160 million downloads since May 2012, according to project statistics.

Developers want to keep OpenOffice alive

There is still support for continuing OpenOffice. Developer Phillip Rhodes wrote that "even broaching this topic is a mistake" because it will become "a '3rd party fulfilling prophecy' as soon as this hits the press."

"I know a lot of people prefer to contribute to LO [LibreOffice] and not AOO, and that losing the people IBM was paying was a big hit," Rhodes also wrote. "But I can't help but think there's a way to get more people involved and contributing here. So I'd rather see discussion around 'how do we attract additional contributors (or fix whatever other problems we have)?' than talk about a 'retirement plan.'"

Developer Jorg Schmidt argued that OpenOffice is "excellent software" but suffers from "pretty bad public relations," while LibreOffice is "good" software with "excellent public relations."

Roberto Galoppini called it "inappropriate at best to discuss anything related to the shutdown at this time."

Developer Pedro Giffuni wrote that having a retirement plan is important for users and the Apache Software Foundation, but that "we should focus now on the next release. It is clear to me that even if AOO were to be retired, we still have to push out a new release mainly because we do have stuff that should see the light of a release."

It's theoretically possible that OpenOffice could be revitalized by being transferred to an independent entity outside of Apache, but Hamilton argued that the odds are against that happening.

"My considered opinion is that the greatest barrier is lack of a meaningful business/operation/funding model," he wrote. "In addition, there is an insufficient supply of developers having the capacity, capability, and will to provide material improvements to Apache OpenOffice. Whatever the pool might be, it is aging and shrinking for many reasons. The affliction that Apache OpenOffice suffers under in that respect also besets any organization set up to support the code, even with paid developers."