[Zope-dev] How (in)secure is Zope?

Christian Tismer tismer@tismer.com
Thu, 13 Mar 2003 02:57:36 +0100

Adrian van den Dries wrote:
> On March 13, Christian Tismer wrote:
>>please excuse my ignorance, but I am asked
>>from time to time how secure or insecure
>>Zope actually is, and I always have to say
>>that I actually don't know.
> How secure is your wallet?

I won't tell you (since this is insecure:).

> You will never answer this until you define what you mean by
> "security", and what you are securing *against*.

This is quite a silly argument, IMHO.
My simple question was like "what kind of insecurity do
I buy when I install Zope on my server". This question is
asked from the POV of a system administrator.
It is simple: Do I increase the possibility of somebody
obtaining root rights, or do I not?

> Zope is perfectly secure for some uses, and perfectly insecure for
> others.

Either it is secure for my server, in the sense I depicted above,
or it is not. I don't see any relevance to any use, if I am using
it on an exposed server in the internet. I think there should
be one single answer, nothing else is relevant.

> For example, for safe delegation of responsibility within a web
> application, in a trusted environment, Zope is "secure".

Run in an intranet service? Run on the same machine?
What is your definition of "secure", if there is any?

> However, as a mission-critical service exposed to the internet, it is
> wide-open.

Why is it wide open, and when is it wide open?

Thanks a lot, but this doesn't help me at all.

sorry - chris

Christian Tismer             :^)   <mailto:tismer@tismer.com>
Mission Impossible 5oftware  :     Have a break! Take a ride on Python's
Johannes-Niemeyer-Weg 9a     :    *Starship* http://starship.python.net/
14109 Berlin                 :     PGP key -> http://wwwkeys.pgp.net/
work +49 30 89 09 53 34  home +49 30 802 86 56  pager +49 173 24 18 776
PGP 0x57F3BF04       9064 F4E1 D754 C2FF 1619  305B C09C 5A3B 57F3 BF04
      whom do you want to sponsor today?   http://www.stackless.com/