[ZWeb] Beware to HotFix Legacy

Júlio Dinis Silva juliodinis@hotmail.com
Mon, 27 Aug 2001 20:43:54 +0100


Hi All,

I was having some weird permissions problem, really WEIRD!!
After trying everything, really everything, I started to become
paranoid and suddenly my mind/clicks went into Control_Panel/Products
and my eyes went through the Product's list stopping on a part of this
list where the word "HotFix" appeared several times :-).

Since we are long time zope users, and we have a zope production site
running long before the first hotfix came out, I asked myself: "Do I
really need all these hotfixes installed?". I think it was never said
one was forced to uninstall zope hotfixes, i.e., it is safe to leave
them installed.

Well, I uninstalled the old hotfixes and left only the ones related
with my version of zope and voila the weird security problem
disappeared. I can't describe the problem I had, because it was really
weird but this post is to alert everybody to this possibility, i.e:

try to run the latest zope with ALL the hotfixes ever released. Then
try to do some programmatic stuff like create a simple product with a
class and then go and do some methods with manage_changeProducts,
manage_addProduct, dtml-with "propertysheets.info", etc, and see if
your programming security paradigm is broken with weird security
restrictions you never saw before.

Maybe some zope guru :-) could say something about the risk or not of
leaving the HotFixes installed.

One thing cool would be to on zope.org associate to each release of
zope the HotFixes released for it. For instance when we choose a
version of zope to download, besides the install information, release
information, History information, etc, we could see a list of hotfixes
one should apply to that version. Maybe create a class Hotfix on
zope.org and then relate it somehow with the /Products/Zope/xxx/
folders. Then when a Hotfix class instance is created the person
creating it associates that hotfix with some versions of zope, and when
we visit a zope version download page we can see a list of hotfixes
released for that version.

Best Regards,
JS

