[Zope-dev] 2.9.4? reStructuredText support?
Jim Fulton
jim at zope.com
Sat Jul 8 07:45:01 EDT 2006
On Jul 8, 2006, at 1:11 AM, Andreas Jung wrote:
>
>
> --On 7. Juli 2006 11:03:06 -0400 Jim Fulton <jim at zope.com> wrote:
>
>>
>> I think we should do a 2.9.4 release to incorporate the recent hot
>> fix.
>> This is easy for me to say, since I won't be doing it. :)
>>
>> Because this recent fix actually fixed the same problem that the
>> previous hot fix was supposed to fix, I think someone needs to
>> work up
>> some decent tests. This is not a trivial task, bit it is
>> necessary. If
>> no one is willing to do this, I think we need to drop the TTW
>> reStructuredText support from Zope 2, as it is too great a risk.
>>
>
> Dropping TTW reST is absolutely not an option. I breaks backward
> compatibility.
Sorry, security trumps backward compatibility.
>> BTW, I suspect that a less violent patch could be created, if
>> anyone wants to champion TTW reStructuedText support in
>> Zope 2. Personally, I'm for dropping it.
>
> Tres' patch is looking in fine to me. I don't see a need right now
> for dropping reST with having file inclusing *removed*.
Has anyone written tests for Tres' patch? Apparently no one wrote
adequate tests for the last hot fix, which helped put us in this
situation.
I'm not opposed to keeping TTW reST if *someone takes responsibility*
for it. I don't see this happening. If someone cares enough about
TTW reST
to stand behind it and properly address the security risks by writing
tests,
then great. Otherwise it has to go.
I also think Tres' patch was the right emergency measure, but I'm not
so sure it is the right long-term fix. It reflects a sorry, but
perhaps sadly
accurate, view of the community's commitment to quality. :(
Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
More information about the Zope-Dev
mailing list