[Zope-dev] RE: Resolved security-related collector issues for the public?

Brian Lloyd brian at zope.com
Thu Jan 22 09:53:16 EST 2004


> Brian Lloyd wrote:
> > As the person who unfailingly gets flamed no matter which way the
> > decision leans :), I think we are probably at a point where we
> > should have an official, documented and community-agreed-to policy
> > on how these kinds of things will be handled.
> 
> My intent was not flaming anyone... Sorry for that. I just tried to take the
> voice of the "average" Zope-Admin (installs Zope from a recent stable
> release, waits for the security-maintainers of distros to get security
> patches etc.).

Sorry, I should have been more clear. I didn't mean to imply 
that your or Jamie's notes were flames (they're definitely not), 
just that I'd been singed in the past ;)


> > At a minimum, having a clear and documented policy would provide
> > the benefit of 'no surprises' - if you disagree with the policy,
> > or some aspect of it, you would at least be able to plan around it.
> 
> Very good idea...:) If all Zope-Admins can read before an installation:
> "Security exploits will be exposed to the public as soon as they're
> resolved in the CVS" everyone will & should run Zope out of CVS.

...or will decide that doing so is unreasonable and use something 
else instead :(  Note that I'm not necessarily criticizing that 
particular policy, just pointing out that _any_ policy will have 
some upside and some downside. The challenge will be coming to 
agreement on a policy with the right balance that everyone can 
live with.


Brian Lloyd        brian at zope.com
V.P. Engineering   540.361.1716              
Zope Corporation   http://www.zope.com 
