Hello!
I read on the German Zope user group homepage that Zope 2.8.4 is not supported on python 2.4.x, because of the missing security audit. That is good to know, but... who did the security audit for python 2.3.x? Where can I read about that? What was done? (Where is the protocol?)
That is a nice argument why one should prefer plone/zope/python over typo3/php, but only if we can prove that...
Can someone point me to more information about that topic?
Regards,
Sven Deichmann
--
Information takes shape...
<http://www.werkbank.com>
Werkbank Multimedia GmbH * Bergstrasse 152 * 44791 Bochum * GER
Phone: +49(0)234/ 935386-03 * Fax: 935386-06 * mail@werkbank.com
--On 26 January 2006 10:13:35 +0100 Sven Deichmann <deichmann@werkbank.com> wrote:
> Hello!
> I read on the German Zope user group homepage that Zope 2.8.4 is not supported on python 2.4.x, because of the missing security audit. That is good to know, but... who did the security audit for python 2.3.x? Where can I read about that? What was done?
There was never an official protocol... the audit was executed at Zope Corporation (ask Jim Fulton for details). There were also some glitches with RestrictedPython that had to be fixed when switching to a new Python version.
> (Where is the protocol?)
> That is a nice argument why one should prefer plone/zope/python over typo3/php, but only if we can prove that...
I doubt that such information matters much to _promote_ Zope & Co. The weekly bugs in PHP are self-explanatory :-)
-aj
Oh well... no news is not always good news. It could also mean that PHP is much more popular and under more surveillance while python is only well known to professional crackers...
The problem is that in this use case we won't be able to use Zope if there is no official, independent security certificate for it. Which could lead to such a certificate for Zope, but more likely to a commercial CMS for which a certificate exists.
We are talking about a pharmaceutical company that is bound to international regulations regarding software systems in such companies. Especially all Interface functions have to be tested with every possible input.
Regards,
Sven
--On 27 January 2006 09:38:12 +0100 Sven Deichmann <deichmann@werkbank.com> wrote:
> Oh well... no news is not always good news. It could also mean that PHP is much more popular and under more surveillance while python is only well known to professional crackers...
> The problem is that in this use case we won't be able to use Zope if there is no official, independent security certificate for it.
> Which could lead to such a certificate for Zope, but more likely to a commercial CMS for which a certificate exists.
> We are talking about a pharmaceutical company that is bound to international regulations regarding software systems in such companies. Especially all Interface functions have to be tested with every possible input.
Then forget about Zope 2 and look at Z3. Zope 3 is currently on the way to be certified for the Common Criteria (hope this is the official name). You should look through the zope3-dev mailing list archive for details.
-aj
Well. But when will that be? And when will Plone be ported to Z3? And when will Plone be certified? ;)
And after all: Is Z3 ready to use? :D
Sven
Sven Deichmann wrote:
> Oh well... no news is not always good news. It could also mean that PHP is much more popular and under more surveillance while python is only well known to professional crackers...
> The problem is that in this use case we won't be able to use Zope if there is no official, independent security certificate for it.
While I wonder who could possibly prove PHP or PHP based solutions secure in the meaning of secureness in Zope. ;)
Regards
Tino
Well, actually secureness in this case has not really something to do with protection against attackers. It's more secureness in the sense of consistency and data security. The system has to be determined in every way and every step must be reversible and traceable.
That is possible with PHP based solutions. But PHP is not necessarily what I meant ;)
Regards,
Sven
> The system has to be determined in every way and every step must be reversible and traceable.
Humm. Then you might want to go for Zope3. Afaik Christian Theune also did some work to have Zope3 certified by TÜV Germany. But unfortunately I do not know at which point they are.
If you want the above then I would think twice about using Plone, though. SCNR
Regards
Maik
participants (4): Andreas Jung, Maik Ihde, Sven Deichmann, Tino Wildenhain