[snipped many good things]
Generally, the more software you install, the more open to attack you are. If you don't need it, don't run it, and don't install it. Some Zope products may open up more avenues of exploit than others, that's why the admin should audit them before installing.
Yes, I know. Carelessly written products can do quite much. I used Zope for half a year, intensively, and also wrote a database driver, so I know what it is about. Just wanted to get an update, since so much has happened since I stopped looking for more than a year.
No, it's not a very simple question. If Zope was a small program with a single clear purpose, it might be. But Zope is a large framework with a multitude of directions.
I know. "simple question" was not meant seriously. :-) Simple to formulate, like "what is love".
(A small program with a single clear purpose can not do what Zope does; let it be known I'm not suggesting Zope should be somehow packed into a small program with a single clear purpose. Broken up into several... perhaps, but that's a different thread.)
This would interest me quite much, if it is possible to split this up into different small packages, which combine nicely. I fear I know the answer for the next few years already...
Outside of the ideal world, unless extreme care is taken, software tends to have flaws with security ramifications. Last time I counted (March 1st.) there were 16 unaddressed issues in the Zope bug collector that had been marked as having security ramifications. Two of them are mine, and thus I feel confident in saying Zope is not as secure as it should or could be, but that if nothing else, the maintainers have been made aware of these shortcomings and that one can assume (if they should or not is a different matter) the issues will be taken care of.
I will go on record as saying that, recently, response times to security-related issues in the Zope2 tree have been disappointing. Construe from that what you will.
Do I read a bit of disappointment between the lines? If you compare Zope's bug paranoia with Python's, would you say Zope is a bit less concerned, or there are not enough people being concerned to get things resolved?
Why I'm asking is simply because I'm concerned that there are no bugtraq entries for Zope, and I don't buy that this comes from Zope being bug-free.
Maybe not enough people care about this, but if the hackers also don't care, why should I :-)
I-know-I-shouldn't-have-said-that-at-all - ciao - chris
--
Christian Tismer :^) <mailto:[EMAIL PROTECTED]>
Mission Impossible 5oftware : Have a break! Take a ride on Python's
Johannes-Niemeyer-Weg 9a : *Starship* http://starship.python.net/
14109 Berlin : PGP key -> http://wwwkeys.pgp.net/
work +49 30 89 09 53 34 home +49 30 802 86 56 pager +49 173 24 18 776
PGP 0x57F3BF04 9064 F4E1 D754 C2FF 1619 305B C09C 5A3B 57F3 BF04
whom do you want to sponsor today? http://www.stackless.com/
Zope-Dev maillist - [EMAIL PROTECTED]