Hi Jamie,

Jamie Heilman wrote:
> Hiding the bugs doesn't avoid anything, it just leaves Zope administrators helpless in the dark. ... How exactly was ZC supposed to release a new version of Zope with the fixes but at the same time not divulge the nature of the security flaws? Release an obfuscated binary distribution and say "Trust Us"? That doesn't sound very much like open source.
In the past we had something like Hotfixes for security problems... Easy to install for the average administrator, and that's it. I can check out the current Zope from CVS, so getting security fixes is no problem for me. But I'm not an average Zope admin or user. There are many admins / users out there who aren't able to do this (maybe they should learn it, but that's another point).

Installing Zope 2.6.3 was a big mess (even renaming in the ZMI was broken) and most people rolled back to 2.6.2. Some people even run 2.5.1 (lots of Debian users etc.). If we don't have an easy-to-install security fix for such people (or a so-called "stable" release which works out of the box), we should be a little bit cautious about releasing exploits. That's my point...

Cheers,
Maik