> Maik Jablonski wrote:
> > Normaly security-related stuff is not visible for the public... and
> > this seems to be good to avoid exploits etc.
> Jamie Heilman wrote:
> Hiding the bugs doesn't avoid anything, it just leaves zope
> administrators helpless in the dark.  I'm not going to rehash the
> arguments for and against full dislosure, but seriously--don't delude
> yourself into thinking that a problem goes away if you shut your eyes
> tightly enough.

As the person who unfailingly gets flamed no matter which way the
decisions leans :), I think we are probably at a point where we
should have an official, documented and community-agreed-to policy
on how these kinds of things will be handled.

*Getting to that point* is what I'm afraid of :) There are pretty
widely varying opinions on this, and historically as a community
we've not yet found a good process to really resolve issues when
there isn't a clear majority opinion.

At a minimum, having a clear and documented policy would provide
the benefit of 'no surprises' - if you disagree with the policy,
or some aspect of it, you would at least be able to plan around it.

While we at ZC try very hard to strike a delicate balance between
and risk management, doing so on a case-by-case basis is tough and there
*always* be some who disagree with the course chosen, no matter what it is.

All in all, I think we'd better off having 'The Rules' regarding security
reports, and working to make sure that we are all consistent in following

Brian Lloyd        [EMAIL PROTECTED]
V.P. Engineering   540.361.1716
Zope Corporation   http://www.zope.com

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to