Re: [Zope-dev] Re: Resolved security-related collector issues for the public?
Maik Jablonski wrote at 2004-1-21 23:42 +0100:
> ...
> If we don't have an easy-to-install security fix for such people (or a so-called stable release, which works out of the box) we should be a little bit cautious about releasing exploits. That's my point...

Almost all the issues covered by Zope 2.6.3 are irrelevant to the normal Zope installation (e.g. whether or not someone gets a binding for context/container while he does not have the object access permission). I think only the cross scripting exploits may be a real problem for normal installations. Their fix would probably have broken few sites...

-- Dieter

___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: Resolved security-related collector issues for the public?
Hi Jamie,

Jamie Heilman wrote:
> Hiding the bugs doesn't avoid anything, it just leaves zope administrators helpless in the dark.
> ...
> How exactly was ZC supposed to release a new version of Zope with the fixes but at the same time not divulge the nature of the security flaws? Release an obfuscated binary distribution and say Trust Us? That doesn't sound very much like open source.

In the past we had something like Hotfixes for security problems... Easy to install for the average administrator and that's it.

I can check out the current Zope from CVS... So getting security fixes is no problem for me. But I'm not an average Zope admin or user. There are many admins / users out there who aren't able to do this (maybe they should learn it, but that's another point). Installing Zope 2.6.3 was a big mess (even renaming in the ZMI was broken) and most people rolled back to 2.6.2. Some people even run 2.5.1 (lots of Debian users etc.).

If we don't have an easy-to-install security fix for such people (or a so-called stable release, which works out of the box) we should be a little bit cautious about releasing exploits. That's my point...

Cheers, Maik
Re: [Zope-dev] Re: Resolved security-related collector issues for the public?
Maik Jablonski wrote:
> There are many admins / users out there who aren't able to do this (maybe they should learn it, but that's another point). Installing Zope 2.6.3 was a big mess (even renaming in the ZMI was broken) and most people rolled back to 2.6.2. Some people even run 2.5.1 (lots of Debian users etc.).

Debian users who continue to use the 2.5.1 packages are being done an injustice, I agree, and it's too bad, but the Debian security policy fails when a maintainer takes on a package they can't keep up with and the security team isn't able to step in and cover for them. It happens; the answer is usually to either find a new maintainer who can keep up, or remove the package from Debian. One of Debian's strengths though is that they don't hide this information; users are encouraged to review the bug tracking system to get a feel for a package's relative stability and weigh the risks on their own.

> If we don't have an easy-to-install security fix for such people (or a so-called stable release, which works out of the box) we should be a little bit cautious about releasing exploits. That's my point...

So you want to offer aid to the people who've bitten off more than they can chew, and your proposed solutions seem to be either:

a) provide easy-to-swallow security fixes and timely vulnerability disclosure
b) provide neither

Given that ZC clearly doesn't have the resources available to do (a), irrespective of whether it's even technically feasible, we can rule it out. And (b), well, (b) just screws everybody. Exploits are a byproduct of understanding the vulnerability; they're a natural part of experimentation and learning. You usually can't discuss a vulnerability without implying the exploit. If you really want to help people who can't help themselves, offer education, not censorship in the guise of protection.

-- Jamie Heilman http://audible.transient.net/~jamie/ ...and no, I don't support the War On Terror.
Re: [Zope-dev] Re: Resolved security-related collector issues for the public?
Jamie Heilman wrote:
> Given that ZC clearly doesn't have the resources available to do (a), irrespective of whether it's even technically feasible, we can rule it out. And (b), well, (b) just screws everybody. Exploits are a byproduct of understanding the vulnerability; they're a natural part of experimentation and learning. You usually can't discuss a vulnerability without implying the exploit. If you really want to help people who can't help themselves, offer education, not censorship in the guise of protection.

Worse yet, hiding the security bugs means that other people who might be motivated to supply fixes are unaware of the issue and cannot help. I'd be +1 on exposing the security bugs - maybe after 2 weeks so that critical security flaws have a chance to be fixed immediately. But it should be an automatic thing, not something that requires manual intervention.

Anthony

-- Anthony Baxter [EMAIL PROTECTED] It's never too late to have a happy childhood.