--On 8. Juli 2006 07:45:01 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:

On Jul 8, 2006, at 1:11 AM, Andreas Jung wrote:

--On 7. Juli 2006 11:03:06 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:

I think we should do a 2.9.4 release to incorporate the recent hot
This is easy for me to say, since I won't be doing it. :)

Because this recent fix actually fixed the same problem that the
previous hot fix was supposed to fix, I think someone needs to
work up
some decent tests.  This is not a trivial task, bit it is
necessary.  If
no one is willing to do this, I think we need to drop the TTW
reStructuredText support from Zope 2, as it is too great a risk.

Dropping TTW reST is absolutely not an option. I breaks backward

Sorry, security trumps backward compatibility.

Only if there is no other option. Tres' patch seems to resolve this issue and with further testing there is no need to remove the functionality.

BTW, I suspect that a less violent patch could be created, if
anyone wants to champion TTW reStructuedText support in
Zope 2.  Personally, I'm for dropping it.

Tres' patch is looking in fine to me. I don't see a need right now
for dropping reST with having file inclusing *removed*.

Has anyone written tests for Tres' patch?  Apparently no one wrote
adequate tests for the last hot fix, which helped put us in this

I'm not opposed to keeping TTW reST if *someone takes responsibility*
for it.  I don't see this happening.  If someone cares enough about  TTW
to stand behind it and properly address the security risks by writing
then great.

There is currently litte need to break this over the knee. We have a hotfix, we have a stripped down version of Docutils. We have some time until the next releases. Perhaps nobody had time so far (at least me) for writing further tests..that does not mean that nobody takes responsibility. If we would rip of everything from Zope 2 where nobody takes over responsibility....what would be left?

In addition I don't see a big problem for Zope-only(!) apps. Using reST in Zope requires access to the ZMI which is in general available only to trusted users. Removing TTW-editing of reST in Zope does *not* solve any problem e.g. for Plone where reST can be edited through the Plone UI by usually untrusted users. It is *our* task to make reST (basically Docutils) secure enough. It's safe enough for Zope-only apps but I agree that the Docutils code and the "hotfix" requires some more testing and review.

Otherwise it has to go.

No :-)

 It reflects a sorry, but  perhaps
accurate,  view of the community's commitment to quality. :(

Sorry, I've no idea what you mean with this remark.


Attachment: pgp0Qll2KK3JE.pgp
Description: PGP signature

Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to