[Zope-dev] 2.9.4? reStructuredText support?
Andreas Jung
lists at zopyx.com
Sat Jul 8 15:27:22 EDT 2006
--On 8. Juli 2006 15:05:21 -0400 Jim Fulton <jim at zope.com> wrote:
>> I think this applies here as well.
>
> 1. ZClasses are not a security threat. reST is. That's a huge difference.
Being a security threat or not... how will you prove that a module X is a
threat or not? Without source code review every module has the potential
to be a threat. I would never claim that the modules I've written or
maintain in some way are totally safe...
>
> 2. This event illustrates that I was wrong.
>
Possibly, but a lot of modules were written by ppl that are no longer
active in the community and a lot of these modules are a real cruft that
nobody wants to touch (and that few ppl understand). For the time being
we have to live with this situation in the Zope 2 world. The only way out
is to replace more and more code with Zope 3 modules which is actually
happening.
So what does it mean to be a maintainer of a package?
A maintainer has to keep the code in shape and should of course care about
security issues. But a maintainer might have a different view on security
than you...so how to get out of this dilemma? Code audits? They would help
but you know how much time they take (impractical for most code if you ask
me). The current "unofficial" code auditing by watching the checkin lists
seems to work to a certain degree (perhaps not directly related to security
issues but to wrong code in general). Getting maintainers for Zope core
packages is even harder than some yrs ago when the Zope community
wasn't split up as it is today (CPS, Zope3, Zope2, Plone, CMF). The common
view on the Zope 2 core seems to be "it works, it's a cruft, don't touch
it"... and ppl prefer to put their hands on other stuff outside the Zope 2
core. I am realistic enough to see that this won't change in the near
future.
Andreas