[Zope-dev] DTML and REQUEST data changes about to be checked in

Brian Lloyd brian@zope.com
Wed, 14 Aug 2002 16:25:09 -0400


> >>Like I said before, this is probably a good feature. If it was
> >>available as a patch then I would probably use it on a number of my
> >>sites, and would recommend it to others. I would be very happy to see
> >>it (or something like it) in 2.7.
> >>
> >>But not 2.6.
> >>
> >
>> Then Jim wrote:
>> WRT to this change, now that I'm back from vacation, I want to talk to
>> Brian about it. ;)

Hear ye, hear ye :^)

Zope 2.6 is a second-dot release, meaning that it is expected that
there will be new features and that it is possible (though we always
try to avoid it) that some things can break in the name of progress.

(See http://dev.zope.org/CVS/ZopeReleasePolicy for more details).

Zope 2.5.x will be a third-dot release, intended to be bug-fix only
(and thus not allowed to break things).

So here's what we'll do. Zope 2.6 will include the string tainting
changes, enabled by default. The tainting can be turned off by
providing an environment variable.

The next Zope 2.5.x release will contain the tainting code, but it
will be *disabled* by default. If you are worried about the issues
it addresses, you will be able to enable it explicitly using an
environment variable (without having to upgrade to 2.6).

2.7 and later releases will behave as 2.6.


Brian Lloyd        brian@zope.com
V.P. Engineering   540.361.1716
Zope Corporation   http://www.zope.com