Maik Jablonski wrote at 2004-1-21 23:42 +0100:
...
If we don't have an easy-to-install-security-fix for such people (or a so
called stable release, which works out of the box) we should be a little
bit cautious about releasing exploits. That's my point...
Almost all the issues covered by Zope
Hi Jamie,
Jamie Heilman wrote:
Hiding the bugs doesn't avoid anything, it just leaves Zope
administrators helpless in the dark.
...
How exactly was ZC
supposed to release a new version of Zope with the fixes but at the
same time not divulge the nature of the security flaws? Release an
Maik Jablonski wrote:
There are many admins / users out there who aren't able to do this
(maybe they should learn it, but that's another point). Installing Zope
2.6.3 was a big mess (even renaming in the ZMI was broken) and most
people rolled back to 2.6.2. Some people run even 2.5.1 (lots
Jamie Heilman wrote:
Given that ZC clearly doesn't have the resources available to do (a),
irrespective of if it's even technically feasible, we can rule it out.
And (b), well (b) just screws everybody. Exploits are a byproduct of
understanding the vulnerability, they're a natural part of