[Zope-dev] How (in)secure is Zope?

Jamie Heilman jamie@audible.transient.net
Thu, 13 Mar 2003 19:09:20 -0800


Chris McDonough wrote:
> I'm wondering if you might consider applying for checkin privileges. 

I've considered it.  I don't think you need any more cooks, maybe just
a few more recipes.

> The host header issue that you've uploaded several patches for is a
> bona fide problem for some users, but I think that most people with
> checkin privs feel that it isn't sufficiently dangerous to the majority
> of users to take the time out to review all of your patches and vouch
> for them via a checkin (this might take a day or so to do).

Well then that either means I'm not explaining it well enough, or I'm
wrong, or something.  What I'm shooting for is some discussion of the
issue, which to use bug 813 as an example, is why I asked for it to be
made public.  Even after going into more explicit detail on the zope
list though I got exactly 0 followups, so I was starting to think
people just didn't really care all that much.  Thankfully this thread
came along...

> OTOH, if you could just check them in yourself, you would no longer
> feel disenfranchised.

I don't actually feel disenfranchised, just confused as to what kind
of commitment to security ZC is making.  My disappointment stems from
my lack of ability to get any feedback on the bugs I've submitted.
It's kinda happening now, but having to kick up dust to make it happen
is less than ideal.

I'm also worried about the amount of reported bugs versus the activity
occurring to fix them.  I understand many of them are probably "I did X
and Y crashed, and gosh I think it might be a security problem in Z."
without any analysis apart from random observation, which is sort of a
pain in the ass to deal with, but they aren't visible, and thus I
worry they aren't all like 493.  (of which 494 is a public dupe <g>)

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
 next to you may not be who they appear to be, so take precaution."
						-Sathington Willoughby