[Zope-dev] KGS 3.4.1 versions

Christophe Combelles ccomb at free.fr
Fri Apr 16 11:26:33 EDT 2010 

Roger a écrit :
> Hi 
> 
>> Betreff: Re: [Zope-dev] KGS 3.4.1 versions
>>
>> Adam GROSZER a écrit :
>>> Hello,
>>>
>>> There is a sheet with versions for KGS 3.4.1 
>>>
>> http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQ&output=
>>> html
>>>
>>> Anyone for/against those versions?
>>>
>>> The open questions that remain:
>>> * What about pytz 2010g?
>>> * Which lxml version to take? 1.3.6?
>>> * What about zope.app.container 3.6.2?
>>> * Would be nice to have zope.testbrowser 3.5.1
>>>
>>> Comments are welcome.
>>>
>> z3c.layer has a major security issue, because of trusted 
>> traversing adapters that removes the security proxy 
>> everywhere. 
> 
> yes and no, only miss use could end in security issues
> It's not really a security issue, it's the only concept which allows
> to use nested sites with more then one IAuthentication utility
> and allows to authenticate on objects behind the first site.
> 
> But since this was such a rare use case, we decided to split
> the package in different packages which also supports a non
> trusted setup. This makes the packages more general usable
> without to run into security issues based on trusted
> confirgurations where non trusted is needed.
> 
>> This package has been retired and splitted into 
>> its 3 subpackages :
>>
>> z3c.layer.minimal
>> z3c.layer.pagelet
> 
> Both package above should not use trusted traverser
> 
>> z3c.layer.trusted
> 
> This package should still use trusted traverser
> 
>> There is no problem upgrading to branch 1.0 of these 
>> packages, as they don't have any significant changes, 
>> excepted the splitting. However:
>>
>> z3c.layer.pagelet should be in version 1.0.2. Nothing below.
>> z3c.layer.minimal has no corrected 1.0 branch. A new 
>> maintenance release 1.0.2 of this package should be released.
>> z3c.layer.trusted is OK, since this is trusted in purpose. (I think)
> 
> Yes


Ok thanks, I'll release z3c.layer.minimal during the WE.



> 
> Regards
> Roger Ineichen
> 
>> Christophe
>> _______________________________________________
>> Zope-Dev maillist  -  Zope-Dev at zope.org
>> https://mail.zope.org/mailman/listinfo/zope-dev
>> **  No cross posts or HTML encoding!  ** (Related lists -  
>> https://mail.zope.org/mailman/listinfo/zope-announce
>>  https://mail.zope.org/mailman/listinfo/zope )
>>
> 
> 
>

More information about the Zope-Dev mailing list