[Zope-dev] Python2.4 Security Audit ETA???

Alan Milligan alan at balclutha.org
Tue Nov 29 01:16:55 EST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Aeons ago someone promised that said Zope security audit of Python 2.4
was scheduled for October.  I've not yet seen any happy announcements
that Zope is now 2.4 compliant, and do want to highlight the importance
of achieving this goal.

Python2.4 has been out for almost a year now, and it's fairly
ubiquitous.  There've been many statements made on this list about
people quite happily running their Zopes - contrary to white hat advice.

With the major distros, Python is entrenched in their installer and GUI
processes and *all* packaging is focused around a single Python (2.4 for
everyone excepting our BastionLinux).

In reality it is infeasible to support a second version of Python for
Z2.  Many modules have SWIG bindings (while core Z2 doesn't require much
of this, a number of products do), requiring multiple package versions -
build systems cannot cope with this scenario without massive spec
customisations (which is all pointless given the window of this
requirement - and of course that we've all actually learnt something for
python2.5, python2.6 ....)

We are getting an increasing number of people attempting to load
incompatible packages.  It is not possible to downgrade python.  Most of
userland is not competent to get a secondary python2.3 installation
running - especially when packages such as python-ldap are simply not
available for their old python and new ldap etc etc which all requires
custom package builds.

We are also stuck in a time-warp actually having to back-port a large
proportion of recent Linux packages because we'd like to make new
features available, increasing costs and testing requirements.  It is
also no longer possible for customers to subscribe to just a single
channel because our core is substantially different to their chosen
vendor's installation, and packages will be installed into meaningless
python paths etc.

Can someone please give me an ETA on this, so I can decide if and how to
support Zope in light of other pressing Linux requirements for our distro.


Alan


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFDi/JXCfroLk4EZpkRAlGgAKC1ZjYut1GG55TlxUyVxtD1y+YLKgCg1IV6
vsT9SOOBMUxBP4i1qo7+7q0=
=MuMS
-----END PGP SIGNATURE-----

