[Zope-dev] Re: Resolved security-related collector issues for the
public?
Anthony Baxter
anthony at interlink.com.au
Wed Jan 21 19:46:26 EST 2004
>>> Jamie Heilman wrote
> Given that ZC clearly doesn't have the resources available to do (a),
> irrespective of if it's even technically feasible, we can rule it out.
> And (b), well (b) just screws everybody. Exploits are a byproduct of
> understanding the vulnerability, they're a natural part of
> experimentation and learning. You usually can't discuss a vulnerability
> without implying the exploit. If you really want to help people who
> can't help themselves, offer education, not censorship in the guise of
> protection.
Worse yet, hiding the security bugs means that other people who might
be motivated to supply fixes are unaware of the issue and cannot help.
I'd be +1 on exposing the security bugs - maybe after 2 weeks so that
critical security flaws have a chance to be fixed immediately. But it
should be an automatic thing, not something that requires manual
intervention.
Anthony
--
Anthony Baxter <anthony at interlink.com.au>
It's never too late to have a happy childhood.