> Maik Jablonski wrote:
> > Normally security-related stuff is not visible for the public... and
> > this seems to be good to avoid exploits etc.
> Jamie Heilman wrote:
> Hiding the bugs doesn't avoid anything, it just leaves zope
> administrators helpless in the dark. I'm not going to rehash the
> arguments for and against full disclosure, but seriously--don't delude
> yourself into thinking that a problem goes away if you shut your eyes
> tightly enough.
As the person who unfailingly gets flamed no matter which way the
decision leans :), I think we are probably at a point where we
should have an official, documented and community-agreed-to policy
on how these kinds of things will be handled.
*Getting to that point* is what I'm afraid of :) There are pretty
widely varying opinions on this, and historically as a community
we've not yet found a good process to really resolve issues when
there isn't a clear majority opinion.
At a minimum, having a clear and documented policy would provide
the benefit of 'no surprises' - if you disagree with the policy,
or some aspect of it, you would at least be able to plan around it.
While we at ZC try very hard to strike a delicate balance between
and risk management, doing so on a case-by-case basis is tough and there will
*always* be some who disagree with the course chosen, no matter what it is.
All in all, I think we'd be better off having 'The Rules' regarding security
reports, and working to make sure that we are all consistent in following
Brian Lloyd [EMAIL PROTECTED]
V.P. Engineering 540.361.1716
Zope Corporation http://www.zope.com
Zope-Dev maillist - [EMAIL PROTECTED]