- You can work with full SSL-encryption, maybe even client certificates. This is much more secure than TELNET or FTP. (Unfortunately, SSH/SCP, while being the "better TELNET/FTP" is not always an option, and it always opens up more than necessary)
What exactly does SSH open up 'more than necessary'? Sufficient clue on admin's side provided?
Of course, "sufficient clue on admin's side provided", you are right. But I don't know too many cases of perfectly secure configurations ...
- People won't hack together their own solutions for the problem (with LocalFS installed and me having the rights to add LocalFS instances, it would take me not very long to "infiltrate" any Zope server. Just add the "Extensions" folder via LocalFS and upload all you need as External Methods ...)
That requires a few things, if I am not mistaken...
a) ZServer runs as anything but nobody/nogroup and is not jail(8)ed/chrooted. If that is the case, well, I'd personally shoot the admin responsible for that if something comes up.
b) ${ZOPEROOT}/Extensions allows nobody to write into it - shoot admin.
Again you are right, but as Zope is really easy to install, I'd guess that it is not only used (and installed) by "uberadmins" who know exactly what they are doing ...
Joachim