[Zope-dev] How (in)secure is Zope?

Christian Tismer tismer@tismer.com
Sat, 15 Mar 2003 22:14:40 +0100


Jamie Heilman wrote:

[snipped many good things]

> Generally, the more software you install, the more open to attack you
> are.  If you don't need it, don't run it, and don't install it.  Some
> Zope products may open up more avenues of exploit than others, that's
> why the admin should audit them before installing.

Yes, I know. Carelessly written products can do quite a lot.
I used Zope for half a year, intensively, and also wrote
a database driver, so I know what it is about. Just wanted
to get an update, since so much has happened since I stopped
looking more than a year ago.

...

> No, its not a very simple question.  If Zope was a small program with
> a single clear purpose, it might be.  But Zope is a large framework
> with a multitude of directions.

I know. "simple question" was not meant seriously. :-)
Simple to formulate, like "what is love".

> (A small program with a single clear
> purpose can not do what Zope does; let it be known I'm not suggesting
> Zope should be somehow packed into a small program with a single clear
> purpose.  Broken up into several... perhaps, but that's a different
> thread.)

This would interest me quite a lot, if it is possible to split
this up into different small packages which combine nicely.
I fear I know the answer for the next few years already...

> Outside of the ideal world, unless extreme care is taken, software
> tends to have flaws with security ramifications.  Last time I counted
> (March 1st.) there were 16 unaddressed issues in the Zope bug
> collector that had been marked as having security ramifications.  Two
> of them are mine, and thus I feel confident in saying Zope is not as
> secure as it should or could be, but that if nothing else, the
> maintainers have been made aware of these shortcomings and that one
> can assume (if they should or not is a different matter) the issues
> will be taken care of.
> 
> I will go on record as saying that, recently, response times to
> security related issues in the Zope2 tree have been disappointing.
> Construe from that what you will.

Do I read a bit of disappointment between the lines?
If you compare Zope's bug paranoia with Python's, would you
say Zope is a bit less concerned, or that there are not enough
people being concerned to get things resolved?

Why I'm asking is simply because I'm concerned that there are
no bugtraq entries for Zope, and I don't buy that this comes
from Zope being bug-free.

Maybe not enough people care about this, but if the hackers
also don't care, why should I :-)

I-know-I-shouldn't-have-said-that-at-all - ciao - chris

-- 
Christian Tismer             :^)   <mailto:tismer@tismer.com>
Mission Impossible 5oftware  :     Have a break! Take a ride on Python's
Johannes-Niemeyer-Weg 9a     :    *Starship* http://starship.python.net/
14109 Berlin                 :     PGP key -> http://wwwkeys.pgp.net/
work +49 30 89 09 53 34  home +49 30 802 86 56  pager +49 173 24 18 776
PGP 0x57F3BF04       9064 F4E1 D754 C2FF 1619  305B C09C 5A3B 57F3 BF04
      whom do you want to sponsor today?   http://www.stackless.com/