On Jul 8, 2006, at 3:27 PM, Andreas Jung wrote:

--On 8. Juli 2006 15:05:21 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:

I think this applies here as well.

1. ZClasses are not a security threat. reST is. That's a huge difference.

Being a security thread or not ...how will you prove that a module X is a thread or not? Without source code review every module has the potential to be a thread. I would never claim that the modules I've written or maintain in some way are totally safe...

One difference is that between our code and 3rd-party code. I wrote the ZClasses
code and paid a lot of attention to security.

Whoever integrated reST didn't even read the documentation, much less the code.

2. This event illustrates that I was wrong.

Possibly, but a lot of modules were written by ppl that are no longer active in the community and a lot of these modules are a real cruft that nobody want to touch (and that little ppl understand). For the time being we have to live with this situation in the Zope 2 world. The only way out is to replace more and more code with Zope 3 modules which is actually happening.

So what does it mean to be a maintainer of a package?

This is something that the Zope Foundation needs to work out. I'd like to start
a discussion of this when Martijn gets back from vacation. Or perhaps we
should put off the discussion till September when most people are back from vacation.

A maintainer has to keep the code in shape and should of course care about security issues. But a maintainer might have a different view on security than you...so how to get out of this dilemma? Code audits? They would help but you know how much time they take (impractical for most code if you ask me). The current "unofficial" code auditing by watching the checkin lists seems to work to a certain degree (perhaps not directly related to security issues but to wrong code in general). Getting maintainers for Zope core packages is even more harder than some yrs ago when the Zope community wasn't split up as it is today (CPS, Zope3,Zope2, Plone, CMF). The common view on the Zope 2 core seems to be "it works, it's a cruft, don't touch it"..and ppl prefer to put their hands on other stuff outside the Zope 2 core. I am realistic enough to see that this won't change in the near future.

My view is that both Zope 2 and Zope 3 are too big. IMO, they need to be split into smaller projects packaged more or less separately. reST and ZClasses should be add-ons, not a part of the code. It should be possible for each project/package to tell if the project is active. Then it's up to users to decide whether to take the risk of using an unsupported package.


Jim Fulton                      mailto:[EMAIL PROTECTED]                Python 
CTO                             (540) 361-1714                  
Zope Corporation        http://www.zope.com             http://www.zope.org

Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )

Reply via email to