[Zope-dev] Resolved security-related collector issues for the public?

Jamie Heilman jamie at audible.transient.net
Wed Jan 21 16:21:01 EST 2004


Maik Jablonski wrote:
> Normally security-related stuff is not visible for the public... and
> this seems to be good to avoid exploits etc.

Hiding the bugs doesn't avoid anything, it just leaves zope
administrators helpless in the dark.  I'm not going to rehash the
arguments for and against full disclosure, but seriously--don't delude
yourself into thinking that a problem goes away if you shut your eyes
tightly enough.
 
> Lots of security-stuff is fixed now, but I don't think that all people will
> migrate their servers as soon as possible (due to limited time, the
> experience of the Zope-2.6.3-"disaster", vacations, etc.pp.).

Sure, that's true of every security hole.

> With all the mentioned security-exploits in the collector out there, the
> probability of attacks will rise. And I don't think that this will shed a
> "good light" on Zope.

meh.  Good, bad, it's irrelevant, but you can't pretend there weren't
problems and expect anyone with a shred of a clue to take you
seriously.  If you want to establish trust, you can be honest with
your community, or you can do a lot of hand waving trying to cover
things up and make yourself look even worse.

> My proposal: Can we have a delay for making security-related fixes public?
> Just a month or two or so...

Every hole that's been fixed has been publicly known and detailed for
well over 4 months at the latest, with the exceptions of:
615 & 1154 - sessioning machinery was losing security context
924 - object properties stored as unprotected mutables
All the unrestricted operations in RestrictedPython that were found as
a result of ZC's security audit.  (And possibly the unicode crashing
issue, which I think got discussed on a public list or something
fairly recently.)

Delays are pointless.  The broken sessioning machinery was sitting in
the collector for a year and 3 months.  During that time 2 different
people uncovered the issue (presumably) independently, and reported
it.  How many uncovered it and didn't report it?  How exactly was ZC
supposed to release a new version of Zope with the fixes but at the
same time not divulge the nature of the security flaws?  Release an
obfuscated binary distribution and say "Trust Us"?  That doesn't sound
very much like open source.

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying
 to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile?
 I liked you better when you weren't saying squat kid." -Buddy
