[Zope-dev] 2.9.4? reStructuredText support?
Andreas Jung
lists at zopyx.com
Sat Jul 8 10:09:54 EDT 2006
--On 8. Juli 2006 09:53:47 -0400 Jim Fulton <jim at zope.com> wrote:
>
> Maybe you aren't listening.
I am listening very well.
>
>>> Tres came up with this sledge hammer because he has no confidence
>>> in people's willingness to test and implement this feature properly.
>>
>> I am fine with the sledge-hammer. I've never claimed that we need
>> to support file insertion and raw support in any way. We don't
>> need, we can kick it.
>> But removing or disabling a feature because we are possibly
>> incompetent would be just ridiculous.
>
> I can live with the sledge hammer for Zope 2. All I ask for is tests.
>
> If there are tests for each way of invoking reST through the web that
> verifies that file-inclusion isn't enabled, then it's alright with me if
> the sledge hammer is used to make the tests pass. I won't tolerate an
> untested feature with so much security risk.
Yes, someone has to write the tests at some time, soon. As I pointed out
the risk is minimal for Zope-apps because you need to have access to the
ZMI.. so what are security concerns in this case? And file inclusion won't
work if the related code is stripped off...so what are your security
concerns in this case?
>
> I'll also note that the sledgehammer might not itself be safe in the
> presence of the various reload products for Zope 3. Would Tres' patch
> be defeated by reloading docutils.parsers.rst.directives.misc? Is there
> a chance that a reload product could reload this module and undo the
> fix? I dunno. It is worrisome.
> You seem to be the only one championing TTW reST?
I am only a champion against crude removal of features and against a
shortsighted perception.
> Are you unwilling to
> write the tests necessary to keep it?
This is really not the point. As release manager I am allowed to speak up.
But that does not imply I have to fix all and everything.
Andreas
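
The kind of regression test asked for in the thread, sketched as an added example that is not part of the original message or of Zope's code. It assumes docutils is installed; `render` is a hypothetical stand-in for one through-the-web reST entry point, and the marker file is constructed by the test itself.

```python
import os
import tempfile

from docutils.core import publish_string

MARKER = "CONSTRUCTED-MARKER-7f3a"  # constructed sample file content

# docutils settings that switch off the directives able to read a file.
HARDENED = {"file_insertion_enabled": False, "raw_enabled": False}

# The two features named in the thread: file insertion and raw support.
PROBES = {
    "include": ".. include:: {path}\n",
    "raw-file": ".. raw:: html\n   :file: {path}\n",
}


def render(source, overrides):
    """Hypothetical stand-in for one through-the-web reST entry point."""
    settings = {
        "output_encoding": "unicode",  # return str instead of bytes
        "report_level": 5,             # keep warnings off stderr
        "halt_level": 5,               # never abort on a system message
        "_disable_config": True,       # ignore any docutils.conf on the host
    }
    settings.update(overrides)
    return publish_string(source, settings_overrides=settings)


def leaking_probes(overrides):
    """Return the names of probes whose output contains the file content."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "marker.txt")
        with open(path, "w") as fh:
            fh.write(MARKER + "\n")
        return sorted(
            name for name, template in PROBES.items()
            if MARKER in render(template.format(path=path), overrides)
        )


if __name__ == "__main__":
    print("docutils defaults:  ", leaking_probes({}))
    print("raw_enabled=False:  ", leaking_probes({"raw_enabled": False}))
    print("hardened settings:  ", leaking_probes(HARDENED))
```

A real suite would call `leaking_probes` once per entry point that renders user-supplied reST, replacing `render` with that entry point, so the test fails if any path is left on the docutils defaults.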