> Maik Jablonski wrote:
> > Normally security-related stuff is not visible for the public... and
> > this seems to be good to avoid exploits etc.
>
> Jamie Heilman wrote:
> Hiding the bugs doesn't avoid anything, it just leaves zope
> administrators helpless in the dark. I'm not going to rehash the
> arguments for and against full disclosure, but seriously--don't delude
> yourself into thinking that a problem goes away if you shut your eyes
> tightly enough.
As the person who unfailingly gets flamed no matter which way the decision leans :), I think we are probably at a point where we should have an official, documented and community-agreed-to policy on how these kinds of things will be handled.

*Getting to that point* is what I'm afraid of :) There are pretty widely varying opinions on this, and historically as a community we've not yet found a good process to really resolve issues when there isn't a clear majority opinion.

At a minimum, having a clear and documented policy would provide the benefit of 'no surprises' - if you disagree with the policy, or some aspect of it, you would at least be able to plan around it. While we at ZC try very hard to strike a delicate balance between transparency and risk management, doing so on a case-by-case basis is tough and there will *always* be some who disagree with the course chosen, no matter what it is.

All in all, I think we'd be better off having 'The Rules' regarding security reports, and working to make sure that we are all consistent in following them.

Brian Lloyd        [EMAIL PROTECTED]
V.P. Engineering   540.361.1716
Zope Corporation   http://www.zope.com

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )