[Zope-dev] 2.9.4? reStructuredText support?

Jim Fulton jim at zope.com
Sat Jul 8 14:42:31 EDT 2006


On Jul 8, 2006, at 10:41 AM, Andreas Jung wrote:

>
>
> --On 8. Juli 2006 10:16:30 -0400 Jim Fulton <jim at zope.com> wrote:
>>>
>>> Yes, someone has to write the tests at some time, soon.
>>
>> Right. Before 2.10.
>
> ...so we have some time...

Sadly, but that's a different problem.

>>
>>> As I pointed out the risk is minimal for Zope-apps because you need
>>> to have access to the ZMI..
>>
>> No, it's not.  Getting at arbitrary files is not acceptable from the
>> ZMI.
>
> ...which won't be possible with *removed* file inclusion code...

Good, write some tests and prove it.

>>> so what are security concerns in this case? And file inclusion
>>> won't work if the related code is stripped off...so what are your
>>> security concerns in this case?
>>
>> I am concerned by the lack of tests.  Whoever created the last hot fix
>> was sure the problem was fixed.  They were wrong and we're paying the
>> price.
>
> This can happen all the time. A problem in the release process does  
> not justify the removal of a feature until we tried our best to  
> solve the problem. Use the sledge hammer as a last resort.

The problem in the release process was an inattention to
basic process.  This is unacceptable in a security-related issue.

>>>> You seem to be the only one championing TTW reST?
>>>
>>> I am only champion against crude removal of features and against
>>> a shortsighted perception.
>>
>> That doesn't deserve an answer.
>
> Sorry for being harsh but the lack of tests after two days is really not
> an appropriate approach.

Who said anything about 2 days?  I said we need tests and
we need someone to be responsible for this feature or we'll have to drop
the feature.  I didn't say we had to drop it right this second.


>>
>>>> Are you unwilling  to
>>>> write the tests necessary to keep it?
>>>
>>> This is really not the point. As release manager I am allowed to
>>> speak up. But that does not imply I have to fix all and everything.
>>
>> Yes, it really is the point.
>
> No, it is not. I haven't worked on the hotfix...so why would it be up to me
> to write tests?

It's not.  The person who *did* write the hot-fix didn't want the  
feature in the first place.  Tres stepped up and helped us in an  
emergency. I imagine that he isn't signing up to maintain the feature.


> I don't want to blame Tres...he was doing his best in the
> situation...but this is totally unrelated that I would be unwilling
> to write tests in this case.

That's fine.

> I would have helped but it was late evening and at some point you  
> need some sleep...

That's fine too.  I know it was late and you tried to help.  You were  
there and helping and I appreciate it.  I really do. A lot. So, we're  
past the emergency -- we hope.

The problem is that we have a feature with an implementation that is  
a security risk.  We have a feature that doesn't seem to have a  
champion -- because no one is willing to come forward and maintain it  
properly.  In that case, the feature is orphaned and we have to get  
rid of it.  It is too risky to keep it under the circumstances.

I'm perfectly willing to keep it if someone takes responsibility.   
That hasn't happened yet.

Jim

--
Jim Fulton			mailto:jim at zope.com		Python Powered!
CTO 				(540) 361-1714			http://www.python.org
Zope Corporation	http://www.zope.com		http://www.zope.org




