> Brian Lloyd wrote:
> > As the person who unfailingly gets flamed no matter which way the
> > decision leans :), I think we are probably at a point where we
> > should have an official, documented and community-agreed-to policy
> > on how these kinds of things will be handled.
>
> My intent was not flaming anyone... Sorry for that. I just tried to take the
> voice of the "average" Zope-Admin (installs Zope from a recent stable
> release, waits for the security-maintainers of distros to get security
> patches etc.).

Sorry, I should have been more clear. I didn't mean to imply that your or Jamie's notes were flames (they're definitely not), just that I'd been singed in the past ;)

> > At a minimum, having a clear and documented policy would provide
> > the benefit of 'no surprises' - if you disagree with the policy,
> > or some aspect of it, you would at least be able to plan around it.
>
> Very good idea...:) If all Zope-Admins can read before an installation:
> "Security exploits will be exposed to the public as soon as they're
> resolved in the CVS" everyone will & should run Zope out of CVS.

...or will decide that doing so is unreasonable and use something else instead :(

Note that I'm not necessarily criticizing that particular policy, just pointing out that _any_ policy will have some upside and some downside. The challenge will be coming to agreement on a policy with the right balance that everyone can live with.

Brian Lloyd        [EMAIL PROTECTED]
V.P. Engineering   540.361.1716
Zope Corporation   http://www.zope.com