Python2.4 Security Audit ETA???
Hi,

Aeons ago someone promised that said Zope security audit of Python 2.4 was scheduled for October. I've not yet seen any happy announcements that Zope is now 2.4 compliant, and do want to highlight the importance of achieving this goal.

Python 2.4 has been out for almost a year now, and it's fairly ubiquitous. There've been many statements made on this list about people quite happily running their Zopes - contrary to white hat advice.

With the major distros, Python is entrenched in their installer and gui processes and *all* packaging is focused around a single python (2.4 for everyone excepting our BastionLinux).

In reality it is infeasible to support a second version of Python for Z2. Many modules have SWIG bindings (while core Z2 doesn't require much of this, a number of products do), requiring multiple package versions - build systems cannot cope with this scenario without massive spec customisations (which is all pointless given the window of this requirement - and of course that we've all actually learnt something for python2.5, python2.6 ....)

We are getting an increasing number of people attempting to load incompatible packages. It is not possible to downgrade python. Most of userland is not competent to get a secondary python2.3 installation running - especially when packages such as python-ldap are simply not available for their old python and new ldap etc etc, all of which requires custom package builds.

We are also stuck in a time-warp actually having to back-port a large proportion of recent linux packages because we'd like to make new features available, increasing costs and testing requirements. It is also no longer possible for customers to subscribe to just a single channel because our core is substantially different to their chosen vendor's installation, and packages will be installed into meaningless python paths etc.
Can someone please give me an ETA on this, so I can decide if and how to support zope in light of other pressing linux requirements for our distro.

Alan
On Tuesday, 29.11.2005, 17:16 +1100, Alan Milligan wrote:
Hi, ... With the major distros, Python is entrenched in their installer and gui processes and *all* packaging is focused around a single python (2.4 for everyone excepting our BastionLinux).
Not so true. ...
We are getting an increasing number of people attempting to load incompatible packages. It is not possible to downgrade python. Most of userland is not competent to get a secondary python2.3 installation running - especially when packages such as python-ldap are simply not available for their old python and new ldap etc etc, all of which requires custom package builds.
Aha.

python2.1-ldap - A LDAP interface module for Python 2.1
python2.2-ldap - A LDAP interface module for Python 2.2
python2.3-ldap - A LDAP interface module for Python 2.3
We are also stuck in a time-warp actually having to back-port a large proportion of recent linux packages because we'd like to make new features available, increasing costs and testing requirements. It is also no longer possible for customers to subscribe to just a single channel because our core is substantially different to their chosen vendor's installation, and packages will be installed into meaningless python paths etc.
Can someone please give me an ETA on this, so I can decide if and how to support zope in light of other pressing linux requirements for our distro.
Well, while it would certainly be fine to have said audit, it isn't really a problem - ever since different python versions could happily coexist on every platform I've seen. Even on win32. But someone has to do it. If you feel the itch - would you help scratch it at least?

++Tino
--On 29. November 2005 17:16:55 +1100 Alan Milligan <alan@balclutha.org> wrote:
Hi,
Aeons ago someone promised that said Zope security audit of Python 2.4 was scheduled for October. I've not yet seen any happy announcements that Zope is now 2.4 compliant, and do want to highlight the importance of achieving this goal.
I thought the recent postings on this issue were clear enough. Zope 2.9 will *require* Python 2.4.2. The requirements and recommendations for Zope 2.8.X have not changed and are unlikely to change. Please no further discussion about why we still don't support Python 2.4 for Zope 2.8 officially...

-aj
The security audit already happened, and led to checkins by Jim on October 26 that preceded the release of Zope 2.8.4. Zope 2.8.4 is safe to use with python 2.4.

Florent

Alan Milligan wrote:
Aeons ago someone promised that said Zope security audit of Python 2.4 was scheduled for October. I've not yet seen any happy announcements that Zope is now 2.4 compliant, and do want to highlight the importance of achieving this goal.
Python 2.4 has been out for almost a year now, and it's fairly ubiquitous. There've been many statements made on this list about people quite happily running their Zopes - contrary to white hat advice.
With the major distros, Python is entrenched in their installer and gui processes and *all* packaging is focused around a single python (2.4 for everyone excepting our BastionLinux).
In reality it is infeasible to support a second version of Python for Z2. Many modules have SWIG bindings (while core Z2 doesn't require much of this, a number of products do), requiring multiple package versions - build systems cannot cope with this scenario without massive spec customisations (which is all pointless given the window of this requirement - and of course that we've all actually learnt something for python2.5, python2.6 ....)
We are getting an increasing number of people attempting to load incompatible packages. It is not possible to downgrade python. Most of userland is not competent to get a secondary python2.3 installation running - especially when packages such as python-ldap are simply not available for their old python and new ldap etc etc, all of which requires custom package builds.
We are also stuck in a time-warp actually having to back-port a large proportion of recent linux packages because we'd like to make new features available, increasing costs and testing requirements. It is also no longer possible for customers to subscribe to just a single channel because our core is substantially different to their chosen vendor's installation, and packages will be installed into meaningless python paths etc.
Can someone please give me an ETA on this, so I can decide if and how to support zope in light of other pressing linux requirements for our distro.
-- Florent Guillaume, Nuxeo (Paris, France) CTO, Director of R&D +33 1 40 33 71 59 http://nuxeo.com fg@nuxeo.com
--On 29. November 2005 15:13:45 +0100 Florent Guillaume <fg@nuxeo.com> wrote:
The security audit already happened, and led to checkins by Jim on October 26 that preceded the release of Zope 2.8.4.
Zope 2.8.4 is safe to use with python 2.4.
Let's say it this way: it's safer than with Zope 2.8.3 but it is still not supported :-)

-aj
Andreas Jung wrote:
--On 29. November 2005 15:13:45 +0100 Florent Guillaume <fg@nuxeo.com> wrote:
The security audit already happened, and led to checkins by Jim on October 26 that preceded the release of Zope 2.8.4.
Zope 2.8.4 is safe to use with python 2.4.
Let's say it this way: it's safer than with Zope 2.8.3 but it is still not supported :-)
From where I'm standing, with Zope 2.8.4 it's as safe as with Zope 2.9 (which actually *requires* Python 2.4...) So it is really just a label we put on the 2.8 and 2.9 branches, in terms of the relevant code base they're the same...
Philipp
Hi,

On Wednesday, 30.11.2005, 15:52 +0100, Philipp von Weitershausen wrote:
Andreas Jung wrote:
Let's say it this way: it's safer than with Zope 2.8.3 but it is still not supported :-)
From where I'm standing, with Zope 2.8.4 it's as safe as with Zope 2.9 (which actually *requires* Python 2.4...) So it is really just a label we put on the 2.8 and 2.9 branches, in terms of the relevant code base they're the same...
Statements like that are *dangerous*. The label is all that it is about. It is against the possibility that although the likely relevant code base is the same, there might be some minor minor minor switch that makes everything burn.

There are _several_ major linux distributions out there that already ignore this label and shipped Zope with Python 2.4. It's not helpful to argue them out of that if we don't care for the label ourselves.

Christian

-- gocept gmbh & co. kg - schalaunische str. 6 - 06366 koethen - germany www.gocept.com - ct@gocept.com - phone +49 3496 30 99 112 - fax +49 3496 30 99 118 - zope and plone consulting and development
Christian Theune wrote:
Hi,
On Wednesday, 30.11.2005, 15:52 +0100, Philipp von Weitershausen wrote:
Andreas Jung wrote:
Let's say it this way: it's safer than with Zope 2.8.3 but it is still not supported :-)
From where I'm standing, with Zope 2.8.4 it's as safe as with Zope 2.9 (which actually *requires* Python 2.4...) So it is really just a label we put on the 2.8 and 2.9 branches, in terms of the relevant code base they're the same...
Statements like that are *dangerous*. The label is all that it is about. It is against the possibility that although the likely relevant code base is the same, there might be some minor minor minor switch that makes everything burn.
I really can't figure out what you're saying.
There are _several_ major linux distributions out there that already ignore this label and shipped Zope with Python 2.4. It's not helpful to argue them out of that if we don't care for the label ourselves.
Python 2.4 is not supported for current production Zopes. This has been clearly stated for some time. We can't prevent people from ignoring this and creating Zope distributions based on an unsupported Python. People who release Zope for unsupported Python releases are doing their users a disservice. In this case, there was a reasonably serious security problem introduced by Python 2.4.

What Andreas is saying is that Python 2.4 still isn't supported for Zope 2.8. This is different from a statement about a security audit. The security audit evaluated and addressed issues arising from a change from Python 2.3 to python 2.4. Zope 2.8.4 reflects this. We still choose not to support Python 2.4 for Zope 2.8 because there hasn't been any sort of test release cycle for Zope 2.8 with Python 2.4. Zope 2.9 will go through such a cycle which will give us at least some consequence.

Jim

-- Jim Fulton mailto:jim@zope.com Python Powered! CTO (540) 361-1714 http://www.python.org Zope Corporation http://www.zope.com http://www.zope.org
Hi,

On Friday, 02.12.2005, 10:03 -0500, Jim Fulton wrote:
Christian Theune wrote:
On Wednesday, 30.11.2005, 15:52 +0100, Philipp von Weitershausen wrote:
From where I'm standing, with Zope 2.8.4 it's as safe as with Zope 2.9 (which actually *requires* Python 2.4...) So it is really just a label we put on the 2.8 and 2.9 branches, in terms of the relevant code base they're the same...
Statements like that are *dangerous*. The label is all that it is about. It is against the possibility that although the likely relevant code base is the same, there might be some minor minor minor switch that makes everything burn.
I really can't figure out what you're saying.
Sorry. See my response a couple of lines downwards.
What Andreas is saying is that Python 2.4 still isn't supported for Zope 2.8. This is different from a statement about a security audit. The security audit evaluated and addressed issues arising from a change from Python 2.3 to python 2.4. Zope 2.8.4 reflects this. We still choose not to support Python 2.4 for Zope 2.8 because there hasn't been any sort of test release cycle for Zope 2.8 with Python 2.4. Zope 2.9 will go through such a cycle which will give us at least some consequence.
If I didn't miss anything, neither an audit has happened for Zope 2.8 with Python 2.4, nor did we make it a supported platform. IMHO it is dangerous to call it "just a label" that we apply. If the audit was performed, then I'll shut up immediately. I just think that it can happen more easily that someone picks up "that's *just* a label" and will ignore recommendations in the future. If that happens those ignoring the recommendations can of course not blame us, but it creates more trouble than necessary.

Just my 0.02 EUR ...

Christian

-- gocept gmbh & co. kg - schalaunische str. 6 - 06366 koethen - germany www.gocept.com - ct@gocept.com - phone +49 3496 30 99 112 - fax +49 3496 30 99 118 - zope and plone consulting and development
Christian Theune wrote:
Hi,
On Friday, 02.12.2005, 10:03 -0500, Jim Fulton wrote:
Christian Theune wrote:
On Wednesday, 30.11.2005, 15:52 +0100, Philipp von Weitershausen wrote:
From where I'm standing, with Zope 2.8.4 it's as safe as with Zope 2.9 (which actually *requires* Python 2.4...) So it is really just a label we put on the 2.8 and 2.9 branches, in terms of the relevant code base they're the same...
Statements like that are *dangerous*. The label is all that it is about. It is against the possibility that although the likely relevant code base is the same, there might be some minor minor minor switch that makes everything burn.
I really can't figure out what you're saying.
Sorry. See my response a couple of lines downwards.
What Andreas is saying is that Python 2.4 still isn't supported for Zope 2.8. This is different from a statement about a security audit. The security audit evaluated and addressed issues arising from a change from Python 2.3 to python 2.4. Zope 2.8.4 reflects this. We still choose not to support Python 2.4 for Zope 2.8 because there hasn't been any sort of test release cycle for Zope 2.8 with Python 2.4. Zope 2.9 will go through such a cycle which will give us at least some consequence.
If I didn't miss anything, neither an audit has happened for Zope 2.8 with Python 2.4, nor did we make it a supported platform.
You did miss something. As has been pointed out several times in this thread, the audit did happen for 2.8 and 2.8. And, as has also been said many times, Python 2.4 with Zope 2.8 is not supported.
IMHO it is dangerous to call it "just a label" that we apply.
I really don't know what "it" you are referring to. We did do the security audit. We still aren't supporting Python 2.4 for Zope 2.8.
If the audit was performed, then I'll shut up immediately.
Cool. :)

Jim

-- Jim Fulton mailto:jim@zope.com Python Powered! CTO (540) 361-1714 http://www.python.org Zope Corporation http://www.zope.com http://www.zope.org
Participants (7):
- Alan Milligan
- Andreas Jung
- Christian Theune
- Florent Guillaume
- Jim Fulton
- Philipp von Weitershausen
- Tino Wildenhain