[Zope-dev] How (in)secure is Zope?
Chris McDonough
chrism@zope.com
13 Mar 2003 22:31:01 -0500
On Thu, 2003-03-13 at 22:09, Jamie Heilman wrote:
> Chris McDonough wrote:
> > I'm wondering if you might consider applying for checkin privileges.
>
> I've considered it. I don't think you need any more cooks, maybe just
> a few more recipes.
We have many recipes already.
> > The host header issue that you've uploaded several patches for is a
> > bona fide problem for some users, but I think that most people with
> > checkin privs feel that it isn't sufficiently dangerous to the majority
> > of users to take the time out to review all of your patches and vouch
> > for them via a checkin (this might take a day or so to do).
>
> Well then that either means I'm not explaining it well enough, or I'm
> wrong, or something. What I'm shooting for is some discussion of the
> issue, which to use bug 813 as an example, is why I asked for it to be
> made public. Even after going into more explicit detail on the zope
> list though I got exactly 0 followups, so I was starting to think
> people just didn't really care all that much. Thankfully this thread
> came along...
It's not that people don't care, it's that there's a lot of work to do,
a limited amount of time to do it in, and people have to choose
carefully what they apply themselves to. I'm sure you can understand
this.
> > OTOH, if you could just check them in yourself, you would no longer
> > feel disenfranchised.
>
> I don't actually feel disenfranchised, just confused as to what kind
> of commitment to security ZC is making.
Zope is an open source product, the collector issues make their way to
many folks outside ZC as well.
> My disappointment stems from
> my lack of ability to get any feedback on the bugs I've submitted.
> It's kinda happening now, but having to kick up dust to make it happen
> is less than ideal.
I'm not sure how else to help you. The bug reports are appreciated, but
we need folks to do the work.
> I'm also worried about the amount of reported bugs versus the activity
> occurring to fix them. I understand many of them are probably "I did X
> and Y crashed, and gosh I think it might be a security problem in Z."
> without any analysis apart from random observation, which is sort of a
> pain in the ass to deal with, but they aren't visible, and thus I
> worry they aren't all like 493. (of which 494 is a public dupe <g>)
Which is why we want more cooks. If you don't want checkin privs,
that's ok, but you'll need to be more patient.
- C