[Zope] defacement/crack statistics

Andy McKay andym@ActiveState.com
Mon, 4 Jun 2001 10:42:05 -0700


> Maybe it
> is just because all zope.org security alerts were promptly posted on the
> usual sites (like RedHat's or SuSE's) and people were not able to judge
> the importance of those.

I believe this is the problem:

- we see a hotfix which fixes an obscure security problem in an unusual
situation. Mostly related to allowing trusted users access to create stuff
(a la Zope.org). Most sites do not do this and most security patches are of
little importance.

- this hotfix gets reported on Zope.org and thanks to the wonders of
syndication and RSS is reported on numerous sites. There was an old article
on this (http://www.zopezen.org/SDot/983385083/index_html). Everyone thinks
Zope is insecure and hence people see all these security patches with Zope
in them and think it's insecure.

I'm not sure how to solve this or educate people.

Cheers.
--
  Andy McKay.