[Zope-dev] Re: Resolved security-related collector issues for the public?

Casey Duncan casey at zope.com
Wed Jan 21 22:56:40 EST 2004


On Wed, 21 Jan 2004 16:16:15 -0800
Jamie Heilman <jamie at audible.transient.net> wrote:

> Maik Jablonski wrote:
> > There are many admins / users out there who aren't able to do this 
> > (maybe they should learn it, but that's another point). Installing
> > Zope 2.6.3 was a big mess (even renaming in the ZMI was broken) and
> > most people rolled back to 2.6.2. Some people run even 2.5.1 (lots
> > of Debian-Users etc.).
> 
> Debian users who continue to use the 2.5.1 packages are being done an
> injustice, I agree, and it's too bad, but the Debian security policy
> fails when a maintainer takes on a package they can't keep up with and
> the security team isn't able to step in and cover for them.  It
> happens, the answer is usually to either find a new maintainer who can
> keep up, or remove the package from Debian.  One of Debian's strengths
> though is that they don't hide this information, users are encouraged
> to review the bug tracking system to get a feel for a package's
> relative stability and weigh the risks on their own.

ZC has developed (thanks largely to Tres) a patch-set against 2.6 for
the security fixes (and one can be regenerated from cvs as well, but the
patches are better segregated). These could in theory be used as a basis
for a patch set against 2.5.1.

Saying it would be a large, difficult task to effectively backport the
changes to 2.5 is an understatement, but it could be done. The
change-set for 2.6 is Python 2.1 compatible, so at least you don't have
to contend with that.

Selectively backporting only certain fixes, that affect the widest range
of sites, would be much easier to consider. This could mean some of the
more invasive and tricky fixes, such as the ones for vulnerabilities in
untrusted code, which IMO are really only a concern in a small minority
of sites, could be skipped for a 2.5 backport.

-Casey
