> [Snip]
>
> I just want to keep the security worries in check.  Let me ramble for a
> bit...  We've released a lot of hotfixes, but *none* of the
> vulnerabilities could give an attacker root access, and none of them
> could give console access to anonymous users AFAIK.  All of the
> vulnerabilities violated Zope's security policy, but Zope's security
> policy is constrained by system security and other safeguards.  People
> outside the Zope community don't know that, so a lot have labeled Zope
> as too insecure to use.  The reality is that we've never even had an
> exploitable buffer overrun. :-)  We should avoid sending the wrong
> message by making a hotfix for every little thing.
>
> Shane
>

I'd like to second this. It was one of the contibuting factors in the
decision of my former employers to opt for spectra instead of a Zope
solution (That already existed!!).

I am sure there are other cases of this too... If someone finds a buffer
overrun, fix it by all means, but other issues may be better left for minor
version releases, where they can be buried in the changelog.

Just my 0.02

Adrian...

--
Adrian Hungate
EMail: [EMAIL PROTECTED]
Web: http://www.haqa.co.uk



_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to