[Zope-dev] RFC: 3.4.1 KGS?

Christophe Combelles ccomb at free.fr
Wed Mar 31 19:00:35 EDT 2010


Sebastien Douche wrote:
> On Wed, Mar 31, 2010 at 14:50, Marius Gedminas <marius at gedmin.as> wrote:
>> Mostly I wanted to know if anybody was using the KGS in production and
>> interested in a point release.
> 
> Yes! :)
> 
>> I'm especially interested in setuptools 0.6c11, since
>> the KGS currently pins to 0.6c9, which doesn't support Subversion 1.6
>> checkouts.
> 
> we use distribute w/o issue.
> 
>> We use the 3.4 KGS in production with a few extra pins.  Some fix
>> important bugs:
>>
>> zope.app.component = 3.4.2 # very important bugfix for BBB
>> ZODB3 = 3.8.4              # security fixes
>> zope.sendmail = 3.5.1      # This version handles the 5xx errors
>> zope.security = 3.4.2      # bugfixes for Python 2.5
>> setuptools = 0.6c11
> 
> our vendor KGS:
> 
> lxml = 2.2.2
> tl.eggdeps = 0.4
> transaction = 1.0a1
> z3c.batching = 1.1.0
> z3c.contents = 0.5.0
> z3c.coverage = 1.1.3
> z3c.etestbrowser = 1.3.0
> z3c.evalexception = 2.0
> z3c.i18n = 0.1.1
> z3c.layer.minimal = 1.2.0
> z3c.layer.pagelet = 1.0.1

There is a big security issue in this package. You should update to 1.0.2 as 
soon as possible.

1.0.2 (2009-04-03)
---------------------
http://pypi.python.org/pypi/z3c.layer.pagelet/1.0.2
- **Security issue:** The traverser defined for
   ``IPageletBrowserLayer`` was a trusted adapter, so the security
   proxy got removed from each traversed object. Thus all sub-objects
   were publicly accessible, too.


Then have fun fixing all the security declarations. Everything seems easy with 
z3c.layer.pagelet 1.0.1.



> z3c.profiler = 0.7.1
> z3c.recipe.compattest = 0.11
> z3c.recipe.depgraph = 0.4.0sa1
> z3c.recipe.i18n = 0.5.4
> z3c.recipe.paster = 0.5.0
> z3c.table = 0.6.0
> z3c.testsetup = 0.5.1
> zc.recipe.egg = 1.2.2
> zope.sqlalchemy = 0.4
> zope.testing = 3.8.3sa1
> 
> lxml, zope.testing & zope.etestbrowser are the most important updates I guess.
> 
>>  * try to get a 3.4.1 release out of the door <-- this is where I'm
>>   fuzzy.  I think I used to have ssh access to download.zope.org, but I
>>   don't even remember how you're supposed to use zope.release's bin/upload,
>>   and I never knew how the releases were made.
> 
> it's simple:
> - upload all eggs on the cheeseshop
> - create the controlled-packages.cfg. Example:
> http://download.zope.org/zope3.4/3.4.0/controlled-packages.cfg
> - generate the site with zope.kgs
> 
> 


