Hi
Betreff: Re: [Zope-dev] KGS 3.4.1 versions
Adam GROSZER a écrit :
Hello,
There is a sheet with versions for KGS 3.4.1
http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQ&output=
html
Anyone for/against those versions?
The open questions that remain: * What about pytz 2010g? * Which lxml version to take? 1.3.6? * What about zope.app.container 3.6.2? * Would be nice to have zope.testbrowser 3.5.1
Comments are welcome.
z3c.layer has a major security issue, because of trusted traversing adapters that removes the security proxy everywhere.
yes and no, only miss use could end in security issues It's not really a security issue, it's the only concept which allows to use nested sites with more then one IAuthentication utility and allows to authenticate on objects behind the first site. But since this was such a rare use case, we decided to split the package in different packages which also supports a non trusted setup. This makes the packages more general usable without to run into security issues based on trusted confirgurations where non trusted is needed.
This package has been retired and splitted into its 3 subpackages :
z3c.layer.minimal z3c.layer.pagelet
Both package above should not use trusted traverser
z3c.layer.trusted
This package should still use trusted traverser
There is no problem upgrading to branch 1.0 of these packages, as they don't have any significant changes, excepted the splitting. However:
z3c.layer.pagelet should be in version 1.0.2. Nothing below. z3c.layer.minimal has no corrected 1.0 branch. A new maintenance release 1.0.2 of this package should be released. z3c.layer.trusted is OK, since this is trusted in purpose. (I think)
Yes Regards Roger Ineichen
Christophe _______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )