On Mon, Jun 04, 2001 at 03:12:33PM -0400, Shane Hathaway wrote:
> Andy McKay wrote:
> > I believe this is the problem:
> > - we see a hotfix which fixes an obscure security problem in an unusual situation. Mostly related to allowing trusted users access to create stuff (a la Zope.org). Most sites do not do this and most security patches are of little importance.
>
> I'd say Zope has a very good track record in the area of security. DC is just paranoid. :-)
I would not disagree, but part of the problem is the language that DC has normally used to advertise a hotfix. This is truly a delicate situation, in that you want to be damned sure that needed patches are applied; but in the past, the alerts have been somewhat breathless. I think it might be a real help if the alerts had a section titled something like "Profile of Affected Site", or something like that, and then the paragraph said "Zope hosting site, or other site that lets unknown or untrusted users post DTML", "Zope site that permits posting of structured text", or "All users, Yeep! Red Alert, man the battle stations". It might also help to begin the alert with a notice of the number of sites known to have been defaced as a result of the problem.
> Shane
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )