[Zope3-dev] Re: Through-the-web reStructuredText
Tres Seaver
tseaver at palladion.com
Sat Jul 8 15:47:03 EDT 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Steve Alexander wrote:
> Tres wrote:
>> In Zope2 land, the module is still available, and can be used by other
>> code (which may not know of that issue). I'm *not* in favor of shipping
>> an un-patched docutils until we work this out. For instance, perhaps we
>> should be patching docutils to make the *default* settings disable file
>> inclusion and 'raw'; then the trusted code which wanted to render reST
>> which legitimately needed those features could enable them explicitly.
>
> If we do this, it is important to communicate effectively with packagers
> (like, in Linux distributions) that the Zope docutils is patched as a
> workaround to this.
>
> This may be a problem for distributions that promise their users to do
> bugfixes only, and are distributing a Zope that depends on the standard
> docutils in their distribution.
>
> (I cc-ed Martin Pitt, who is responsible for Ubuntu security updates.
> I'll fill him in on the rest of the discussion.)
Packagers would have to do the moral equivalent of forking docutils in
order to satisfy incompatible use cases:
- Zope needs a docutils which is "safe at any speed" for TTW use.
- Other Python applications may not need that safety, and may need
the very features which Zope *must* disable.
So forking docutils inside Zope is *not* evil, even when considering
packaged versions, as long as the packagers know about the fork, right?
Hoping-we-are-in-violent-agreement'ly,
Tres.
- --
===================================================================
Tres Seaver +1 202-558-7113 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEsAu3+gerLs4ltQ4RAkq5AKCO6w1PxQbt9QyOffRY//6Be0QlSwCgpMaT
1XxvUjzUhUBlr5uTk44u6B8=
=9qal
-----END PGP SIGNATURE-----
More information about the Zope3-dev
mailing list