[Zope-dev] Plans for Zope 2.12
Andreas Jung
lists at zopyx.com
Thu Jan 22 06:38:06 EST 2009
On 22.01.2009 10:38, Chris Withers wrote:
> Stephan Richter wrote:
>> On Wednesday 21 January 2009, Andreas Jung wrote:
>>> - RestrictedPython security audit: such an audit has been made
>>> by Stefan and Sidnei. I am not qualified to speak about the
>>> correctness of the audit. I assume they know what they were
>>> doing. Unless there are objections, one might consider this issue as
>>> resolved - if not, please speak up.
>>
>> Note that Jim never explained to me how he does these audits, but I
>> gathered some methods he used in conversations. I think I did a pretty
>> thorough job during the review.
>
> Yeah, this disturbs me a lot still though :-S
>
> It's a shame Jim has so little time to spend on this...
Take your hat and collect some money for hiring Jim :-)
> It's also a shame that no one seems to be able to get any sense out of
> the PyPy guys in this area...
>
> One thing that myself and Shane talked briefly about on this list was
> re-implementing the AST manipulation as disallow-by-default filter
> rather than a straight manipulation. That way, unexpected stuff should
> be allowed by default. That feels like it might be a lot safer when it
> comes to python version changes, but I must admit, I haven't looked
> closely enough to give a definitive answer...
>
You know the difference between fiction and reality. We have RP
now and have to deal with it within a reasonable amount of time.
Andreas
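
The disallow-by-default AST filter idea raised in the quoted text, sketched as an added example (not part of the original message and not RestrictedPython's code). The node lists and sample sources are constructed assumptions, and the walrus sample needs Python 3.8 or later to parse.

```python
import ast

# Constructed allowlist for a tiny arithmetic/assignment subset (an assumption,
# not RestrictedPython's real policy). Anything not listed is rejected.
ALLOWED = frozenset({
    ast.Module, ast.Expr, ast.Assign, ast.Name, ast.Load, ast.Store,
    ast.Constant, ast.BinOp, ast.Add, ast.Sub, ast.Mult,
})

# Constructed denylist standing in for "only handle the node types we already
# know about"; anything not listed passes through untouched.
DENIED = frozenset({ast.Import, ast.ImportFrom, ast.Attribute, ast.Lambda})


def allowlist_violations(source):
    """Disallow by default: report every node type that is not explicitly allowed."""
    tree = ast.parse(source)
    return sorted({type(n).__name__ for n in ast.walk(tree) if type(n) not in ALLOWED})


def denylist_violations(source):
    """Allow by default: report only node types that are explicitly denied."""
    tree = ast.parse(source)
    return sorted({type(n).__name__ for n in ast.walk(tree) if type(n) in DENIED})


# Constructed samples. The last one uses syntax (NamedExpr, added in Python 3.8)
# that a policy written against an older grammar has never heard of.
SAMPLES = [
    "total = price * 2 + 1",
    "import os",
    "(n := 10) + n",
]

if __name__ == "__main__":
    for src in SAMPLES:
        print(repr(src))
        print("  allowlist rejects:", allowlist_violations(src) or "nothing")
        print("  denylist rejects: ", denylist_violations(src) or "nothing")
```

On the third sample the denylist reports nothing while the allowlist rejects `NamedExpr`, which is the Python-version-change case the quoted text is concerned with.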