>>> Jamie Heilman wrote
> Given that ZC clearly doesn't have the resources available to do (a),
> irrespective of if it's even technically feasible, we can rule it out.
> And (b), well (b) just screws everybody.  Exploits are a byproduct of
> understanding the vulnerability, they're a natural part of
> experimentation and learning.  You usually can't discuss a vulnerability
> without implying the exploit.  If you really want to help people who
> can't help themselves, offer education, not censorship in the guise of
> protection.

Worse yet, hiding the security bugs means that other people who might
be motivated to supply fixes are unaware of the issue and cannot help.

I'd be +1 on exposing the security bugs - maybe after 2 weeks so that
critical security flaws have a chance to be fixed immediately. But it
should be an automatic thing, not something that requires manual 

Anthony Baxter     <[EMAIL PROTECTED]>   
It's never too late to have a happy childhood.

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )
