--On 8. Juli 2006 15:05:21 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:

I think this applies here as well.

1. ZClasses are not a security threat. reST is. That's a huge  difference.

Being a security thread or not ...how will you prove that a module X is a thread or not? Without source code review every module has the potential to be a thread. I would never claim that the modules I've written or maintain in some way are totally safe...

2. This event illustrates that I was wrong.

Possibly, but a lot of modules were written by ppl that are no longer active in the community and a lot of these modules are a real cruft that nobody want to touch (and that little ppl understand). For the time being we have to live with this situation in the Zope 2 world. The only way out is to replace more and more code with Zope 3 modules which is actually happening.

So what does it mean to be a maintainer of a package?

A maintainer has to keep the code in shape and should of course care about security issues. But a maintainer might have a different view on security than you...so how to get out of this dilemma? Code audits? They would help but you know how much time they take (impractical for most code if you ask me). The current "unofficial" code auditing by watching the checkin lists seems to work to a certain degree (perhaps not directly related to security issues but to wrong code in general). Getting maintainers for Zope core packages is even more harder than some yrs ago when the Zope community wasn't split up as it is today (CPS, Zope3,Zope2, Plone, CMF). The common view on the Zope 2 core seems to be "it works, it's a cruft, don't touch it"..and ppl prefer to put their hands on other stuff outside the Zope 2 core. I am realistic enough to see that this won't change in the near future.


Attachment: pgp7YXTRWMkZp.pgp
Description: PGP signature

Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to