[Zope-dev] How (in)secure is Zope?

Jamie Heilman jamie@audible.transient.net
Sat, 15 Mar 2003 13:58:24 -0800


Christian Tismer wrote:
> If you compare Zope's bug paranoia with Python's, would you
> say Zope is a bit less concerned, or there are not enough
> people being concerned to get things resolved?

I don't really know, I don't follow Python all that closely.  Though
due to cgi.py's usage of tempfile.py I set my TMPDIR to a directory only
writable by my zope process owner, and I don't see that changing until
python 2.3 though I haven't read over the rewrite.
 
> Why I'm asking is simply because I'm concerned that there are
> no bugtraq entries for Zope, and I don't buy that this comes
> from Zope being bug-free.

I don't think there's that many people actively auditing the source.
All the bugs I've found haven't come from me looking for a way to do
something malicious, they've come from me noticing bizarre behavior
while trying to get something to work and just following up on it.

> Maybe not enough people care about this, but if the hackers
> also don't care, why should I :-)

I don't know, why should you?  I care because it used to be my job to
care, now I can't seem to let the mentality go.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass."
                                                        -Frank Zappa
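The TMPDIR mitigation Jamie describes, written out as an added example that is not code from this thread, from Zope or from Python's cgi.py: a POSIX check that the spool directory is private to the process owner, and a spool routine that refuses a shared directory and creates the file through tempfile.mkstemp (O_EXCL, mode 0600) rather than a predictable name. The function names and the sample upload body are constructed for this example.

```python
import os
import shutil
import stat
import tempfile


def tmpdir_is_private(path, uid=None):
    """True if `path` is a real directory owned by `uid` (default: us) that
    no other user can write to, so nobody can plant or swap spool files."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    # Group/other write (a shared /tmp) lets another local user interfere.
    return st.st_uid == uid and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)

def spool_upload(data, tmpdir):
    """Spool `data` the way a hardened CGI layer should: refuse a shared
    directory, then create the file with O_EXCL and mode 0600 (mkstemp)."""
    if not tmpdir_is_private(tmpdir):
        raise RuntimeError("refusing to spool into shared TMPDIR %r" % tmpdir)
    fd, path = tempfile.mkstemp(prefix="upload-", dir=tmpdir)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path

def demo():
    """Constructed self-check on a fresh 0700 directory, then the same
    directory opened to world-write like a shared /tmp."""
    d = tempfile.mkdtemp()  # mkdtemp creates the directory with mode 0700
    try:
        private_before = tmpdir_is_private(d)
        path = spool_upload(b"constructed upload body", d)
        with open(path, "rb") as f:
            content_ok = f.read() == b"constructed upload body"
        mode_ok = stat.S_IMODE(os.stat(path).st_mode) == 0o600
        os.chmod(d, 0o1777)  # now world-writable, like a shared /tmp
        try:
            spool_upload(b"x", d)
            refused = False
        except RuntimeError:
            refused = True
        return (private_before, content_ok, mode_ok, refused)
    finally:
        shutil.rmtree(d)
```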