[Zope-dev] Re: Resolved security-related collector issues for the public?
Maik Jablonski
maik.jablonski at uni-bielefeld.de
Wed Jan 21 17:42:12 EST 2004
Hi Jamie,
Jamie Heilman wrote:
> Hiding the bugs doesn't avoid anything, it just leaves zope
> administrators helpless in the dark.
...
> How exactly was ZC
> supposed to release a new version of Zope with the fixes but at the
> same time not divulge the nature of the security flaws? Release an
> obfuscated binary distribution and say "Trust Us"? That doesn't sound
> very much like open source.
In the past we had something like Hotfixes for security problems... Easy
to install for the average administrator and that's it.
I can check out the current Zope from CVS, so getting security fixes
is no problem for me. But I'm not an average Zope admin or user.
There are many admins / users out there who aren't able to do this
(maybe they should learn it, but that's another point). Installing Zope
2.6.3 was a big mess (even renaming in the ZMI was broken) and most
people rolled back to 2.6.2. Some people even run 2.5.1 (lots of
Debian users etc.).
If we don't have an easy-to-install security fix for such people (or a so
called "stable" release, which works out of the box) we should be a little
bit cautious about releasing exploits. That's my point...
Cheers, Maik