Adrian van den Dries wrote:
On March 13, Christian Tismer wrote:

please excuse my ignorance, but I am asked
from time to time how secure or insecure
Zope actually is, and I always have to say
that I actually don't know.


How secure is your wallet?

I won't tell you (since this is insecure:).


You will never answer this until you define what you mean by
"security", and what you are securing *against*.

This is quite a silly argument, IMHO. My simple question was like "what kind of insecurity do I buy when I install Zope on my server". This question is asked from the POV of a system administrator. It is simple: Do I increase the possibility of somebody obtaining root rights, or do I not?

Zope is perfectly secure for some uses, and perfectly insecure for
others.

Either it is secure for my server, in the sense I depicted above, or it is not. I don't see any relevance to any use, if I am using it on an exposed server in the internet. I think there should be one single answer, nothing else is relevant. ?

For example, for safe delegation of responsibility within a web
application, in a trusted environment, Zope is "secure".

Run in an intranet service? Run on the same machine? What is your definition of "secure", if there is any?

However, as a mission-critical service exposed to the internet, it is
wide-open.

Why is it wide open, and when is it wide open?


Thanks a lot, but this doesn't help me at all.

sorry - chris

--
Christian Tismer             :^)   <mailto:[EMAIL PROTECTED]>
Mission Impossible 5oftware  :     Have a break! Take a ride on Python's
Johannes-Niemeyer-Weg 9a     :    *Starship* http://starship.python.net/
14109 Berlin                 :     PGP key -> http://wwwkeys.pgp.net/
work +49 30 89 09 53 34  home +49 30 802 86 56  pager +49 173 24 18 776
PGP 0x57F3BF04       9064 F4E1 D754 C2FF 1619  305B C09C 5A3B 57F3 BF04
     whom do you want to sponsor today?   http://www.stackless.com/



_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
