[Zope-dev] Resolved security-related collector issues for the public?

Brian Lloyd brian at zope.com
Wed Jan 21 21:05:41 EST 2004


> Maik Jablonski wrote:
> > Normally security-related stuff is not visible for the public... and
> > this seems to be good to avoid exploits etc.
>
> Jamie Heilman wrote:
> Hiding the bugs doesn't avoid anything, it just leaves zope
> administrators helpless in the dark.  I'm not going to rehash the
> arguments for and against full disclosure, but seriously--don't delude
> yourself into thinking that a problem goes away if you shut your eyes
> tightly enough.

As the person who unfailingly gets flamed no matter which way the
decision leans :), I think we are probably at a point where we
should have an official, documented and community-agreed-to policy
on how these kinds of things will be handled.

*Getting to that point* is what I'm afraid of :) There are pretty
widely varying opinions on this, and historically as a community
we've not yet found a good process to really resolve issues when
there isn't a clear majority opinion.

At a minimum, having a clear and documented policy would provide
the benefit of 'no surprises' - if you disagree with the policy,
or some aspect of it, you would at least be able to plan around it.

While we at ZC try very hard to strike a delicate balance between
transparency and risk management, doing so on a case-by-case basis is
tough and there will *always* be some who disagree with the course
chosen, no matter what it is.

All in all, I think we'd be better off having 'The Rules' regarding
security reports, and working to make sure that we are all consistent
in following them.


Brian Lloyd        brian at zope.com
V.P. Engineering   540.361.1716
Zope Corporation   http://www.zope.com



