Jamie Heilman wrote:

[snipped many good things]

Generally, the more software you install, the more open to attack you
are.  If you don't need it, don't run it, and don't install it.  Some
Zope products may open up more avenues of exploit than others, thats
why the admin should audit them before installing.

Yes, I know. Carelessly written products can do quite much. I used Zope for half a year, intensively, and also wrote a database driver, so I know what it is about. Just wanted to get an update, since so much has happened since I stopped looking for mroe than a year.

...

No, its not a very simple question.  If Zope was a small program with
a single clear purpose, it might be.  But Zope is a large framework
with a multitude of directions.

I know. "simple question" was not meant seriously. :-) Simple to formulate, like "what is love".

(A small program with a single clear
purpose can not do what Zope does; let it be known I'm not suggesting
Zope should be somehow packed into a small program with a single clear
purpose.  Broken up into several... perhaps, but thats a different
thread.)

This would interest me quite much, if it is possible to split this up into different small packages, which combine nicely. I fear I know the answer for the next few years already...

Outside of the ideal world, unless extreme care is taken, software
tends to have flaws with security ramifications.  Last time I counted
(March 1st.) there were 16 unaddressed issues in the Zope bug
collector that had been marked as having security ramifications.  Two
of them are mine, and thus I feel confident in saying Zope is not as
secure as it should or could be, but that if nothing else, the
maintainers have been made aware of these shortcomings and that one
can assume (if they should or not is a different matter) the issues
will be taken care of.

I will go on record as saying that, recently, response times to
security related issues in the Zope2 tree have been disapointing.
Construe from that what you will.

Do I read a bit of disappointment between the lines? If you compare Zope's bug paranoia with Python's, would you say Zope is a bit less concerned, or there are not enough people being concerned to get things resolved?

Why I'm asking is simply because I'm concerned that there are
no bugtraq entries for Zope, and I don't buy that this comes
from Zope being bug-free.

Maybe not enough people care about this, but if the hackers
also don't care, why should I :-)

I-know-I-shouldn't-have-said-that-at-all - ciao - chris

--
Christian Tismer             :^)   <mailto:[EMAIL PROTECTED]>
Mission Impossible 5oftware  :     Have a break! Take a ride on Python's
Johannes-Niemeyer-Weg 9a     :    *Starship* http://starship.python.net/
14109 Berlin                 :     PGP key -> http://wwwkeys.pgp.net/
work +49 30 89 09 53 34  home +49 30 802 86 56  pager +49 173 24 18 776
PGP 0x57F3BF04       9064 F4E1 D754 C2FF 1619  305B C09C 5A3B 57F3 BF04
     whom do you want to sponsor today?   http://www.stackless.com/



_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )

Reply via email to