[Snip]
I just want to keep the security worries in check. Let me ramble for a bit... We've released a lot of hotfixes, but *none* of the vulnerabilities could give an attacker root access, and none of them could give console access to anonymous users AFAIK. All of the vulnerabilities violated Zope's security policy, but Zope's security policy is constrained by system security and other safeguards. People outside the Zope community don't know that, so a lot have labeled Zope as too insecure to use. The reality is that we've never even had an exploitable buffer overrun. :-) We should avoid sending the wrong message by making a hotfix for every little thing.
Shane
I'd like to second this. It was one of the contributing factors in the decision of my former employers to opt for Spectra instead of a Zope solution (that already existed!!). I am sure there are other cases of this too... If someone finds a buffer overrun, fix it by all means, but other issues may be better left for minor version releases, where they can be buried in the changelog. Just my £0.02

Adrian...

--
Adrian Hungate
EMail: adrian@haqa.co.uk
Web: http://www.haqa.co.uk