[Zope-dev] How (in)secure is Zope?
Jamie Heilman
jamie@audible.transient.net
Sat, 15 Mar 2003 13:58:24 -0800
Christian Tismer wrote:
> If you compare Zope's bug paranoia with Python's, would you
> say Zope is a bit less concerned, or there are not enough
> people being concerned to get things resolved?
I don't really know, I don't follow Python all that closely. Though
due to cgi.py's usage of tempfile.py I set my TMPDIR to a directory only
writable by my zope process owner, and I don't see that changing until
python 2.3, though I haven't read over the rewrite.
> Why I'm asking is simply because I'm concerned that there are
> no bugtraq entries for Zope, and I don't buy that this comes
> from Zope being bug-free.
I don't think there's that many people actively auditing the source.
All the bugs I've found haven't come from me looking for a way to do
something malicious, they've come from me noticing bizarre behavior
while trying to get something to work and just following up on it.
> Maybe not enough people care about this, but if the hackers
> also don't care, why should I :-)
I don't know, why should you? I care because it used to be my job to
care, now I can't seem to let the mentality go.
--
Jamie Heilman http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass."
-Frank Zappa