[Zope-dev] Re: Python2.4 Security Audit ETA???

Jim Fulton jim at zope.com
Fri Dec 2 10:03:28 EST 2005


Christian Theune wrote:
> Hi,
> 
> On Wednesday, 30.11.2005, at 15:52 +0100, Philipp von
> Weitershausen wrote:
> 
>>Andreas Jung wrote:
>>
>>>Let's say it this way: it's safer than with Zope 2.8.3 but it is still not
>>>supported :-)
>>
>>From where I'm standing, with Zope 2.8.4 it's as safe as with Zope 2.9
>>(which actually *requires* Python 2.4...) So it is really just a label
>>we put on the 2.8 and 2.9 branches, in terms of the relevant code base
>>they're the same...
> 
> 
> Statements like that are *dangerous*. The label is all that it is about.
> It is against the possibility that although the likely relevant code
> base is the same, there might be some minor minor minor switch that
> makes everything burn.

I really can't figure out what you're saying.

> There are _several_ major linux distributions out there that already
> ignore this label and shipped Zope with Python 2.4.  It's not helpful to
> argue them out of that if we don't care for the label ourselves.

Python 2.4 is not supported for current production Zopes.  This
has been clearly stated for some time.  We can't prevent people
from ignoring this and creating Zope distributions based on an
unsupported Python.  People who release Zope for unsupported Python
releases are doing their users a disservice.  In this case, there
was a reasonably serious security problem introduced by Python 2.4.

What Andreas is saying is that Python 2.4 still isn't supported
for Zope 2.8.  This is different from a statement about a security
audit.  The security audit evaluated and addressed issues arising
from a change from Python 2.3 to Python 2.4.  Zope 2.8.4 reflects
this.  We still choose not to support Python 2.4 for Zope 2.8 because
there hasn't been any sort of test release cycle for Zope 2.8 with
Python 2.4.  Zope 2.9 will go through such a cycle which will give us
at least some consequence.

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org

