[Zope-dev] Re: Resolved security-related collector issues for the public?

Maik Jablonski maik.jablonski at uni-bielefeld.de
Wed Jan 21 17:42:12 EST 2004


Hi Jamie,

Jamie Heilman wrote:
> Hiding the bugs doesn't avoid anything, it just leaves zope
> administrators helpless in the dark.
...
> How exactly was ZC
> supposed to release a new version of Zope with the fixes but at the
> same time not divulge the nature of the security flaws?  Release an
> obfuscated binary distribution and say "Trust Us"?  That doesn't sound
> very much like open source.

In the past we had something like Hotfixes for security problems... Easy 
to install for the average administrator and that's it.

I can check out the current Zope from a CVS... So getting security fixes 
is no problem for me. But I'm not an average Zope-Admin or -User.

There are many admins / users out there who aren't able to do this 
(maybe they should learn it, but that's another point). Installing Zope 
2.6.3 was a big mess (even renaming in the ZMI was broken) and most 
people rolled back to 2.6.2. Some people run even 2.5.1 (lots of 
Debian-Users etc.).

If we don't have an easy-to-install security fix for such people (or a so 
called "stable" release, which works out of the box) we should be a little 
bit cautious about releasing exploits. That's my point...

Cheers, Maik
