[Zope-dev] Re: Resolved security-related collector issues for the
public?
Jamie Heilman
jamie at audible.transient.net
Wed Jan 21 19:16:15 EST 2004
Maik Jablonski wrote:
> There are many admins / users out there who aren't able to do this
> (maybe they should learn it, but that's another point). Installing Zope
> 2.6.3 was a big mess (even renaming in the ZMI was broken) and most
> people rolled back to 2.6.2. Some people run even 2.5.1 (lots of
> Debian-Users etc.).
Debian users who continue to use the 2.5.1 packages are being done an
injustice, I agree, and its too bad, but the Debian security policy
fails when a maintainer takes on a package they can't keep up with and
the security team isn't able to step in and cover for them. It
happens, the answer is usually to either find a new maintainer who can
keep up, or remove the package from Debian. One of Debian's strengths
though is that they don't hide this information, users are encouranged
to review the bug tracking system to get a feel for a package's
relative stability and weigh the risks on their own.
> If we don't have a easy-to-install-security-fix for such people (or a so
> called "stable" release, which works out of the box) we should a little
> bit cautious about releasing exploits. That's my point...
So you want to offer aide to the people who've bitten off more than
they can chew, and your proposed solutions seem to be either:
a) provide easy-to-swallow security fixes & timely vulnerability
disclosure
b) provide neither
Given that ZC clearly doesn't have the resources available to do (a),
irrespective of if its even technically feasible, we can rule it out.
And (b), well (b) just screws everybody. Exploits are a byproduct of
understanding the vulnerability, they're a natural part of
experimentation and learning. You usually can't discuss a vulnerabilty
without implying the exploit. If you really want to help people who
can't help themselves, offer education, not censorship in the guise of
protection.
--
Jamie Heilman http://audible.transient.net/~jamie/
...and no, I don't support the War On Terror.
More information about the Zope-Dev
mailing list