On Jul 8, 2006, at 8:12 AM, Andreas Jung wrote:
--On 8. Juli 2006 07:45:01 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
On Jul 8, 2006, at 1:11 AM, Andreas Jung wrote:
--On 7. Juli 2006 11:03:06 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
I think we should do a 2.9.4 release to incorporate the recent hot
This is easy for me to say, since I won't be doing it. :)
Because this recent fix actually fixed the same problem that the
previous hot fix was supposed to fix, I think someone needs to
some decent tests. This is not a trivial task, but it is
no one is willing to do this, I think we need to drop the TTW
reStructuredText support from Zope 2, as it is too great a risk.
Dropping TTW reST is absolutely not an option. It breaks backward
Sorry, security trumps backward compatibility.
Only if there is no other option. Tres' patch seems to resolve this
issue and with further testing there is no need to remove the
"Seems" isn't good enough. It's not even close. The hot fix last fall
"seemed" to fix the problem. :(
Heck (I wanted to use another 4-letter-word, because I'm getting kinda
angry), even the current patch hasn't been adequately tested. Michael
suggested that the patch needed to be tested against all recent Zope
versions. Has this been done? I don't think so. Do we even have
that it works? I doubt it. I don't fault Tres for this. We needed
to get the hotfix
out in a hurry. Do I think Tres should have to write tests for this?
After he plugged
a hole in something he didn't want included in the first place? Heck no.
BTW, I suspect that a less violent patch could be created, if
anyone wants to champion TTW reStructuredText support in
Zope 2. Personally, I'm for dropping it.
Tres' patch is looking fine to me. I don't see a need right now
for dropping reST with file inclusion *removed*.
Has anyone written tests for Tres' patch? Apparently no one wrote
adequate tests for the last hot fix, which helped put us in this
I'm not opposed to keeping TTW reST if *someone takes responsibility*
for it. I don't see this happening. If someone cares enough
to stand behind it and properly address the security risks by writing
There is currently little need to break this over the knee. We have
a hotfix, we have a stripped down version of Docutils. We have some
time until the next releases. Perhaps nobody had time so far (at
least me) for writing further tests. That does not mean that nobody
takes responsibility. If we ripped out everything from Zope 2
where nobody takes over responsibility, what would be left?
In addition I don't see a big problem for Zope-only(!) apps. Using
reST in Zope requires access to the ZMI which is in general
available only to trusted users. Removing TTW-editing of reST in
Zope does *not* solve any
problem e.g. for Plone where reST can be edited through the Plone
UI by usually untrusted users. It is *our* task to make reST
secure enough. It's safe enough for Zope-only apps but I agree that
the Docutils code and the "hotfix" requires some more testing and
Otherwise it has to go.
Wrong. Sorry, I'll invoke Pope if I have to.
I'm not talking about 2.9 and earlier, but if no one takes
for this feature, we'll rip it out of 2.10.
It reflects a sorry, but perhaps
accurate, view of the community's commitment to quality. :(
Sorry, I've no idea what you mean with this remark.
Tres came up with this sledge hammer because he has no confidence
in people's willingness to test and implement this feature properly.
Sadly, he has good evidence for this point of view.
Jim Fulton  mailto:[EMAIL PROTECTED]
Python CTO  (540) 361-1714
Zope Corporation  http://www.zope.com  http://www.zope.org