--On 9 July 2006 10:10:53 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
> That doesn't change the fact that when we found out about the threat last fall, we didn't check all of the places in Zope where we were using reST. You might say that this was because the person who did the hot fix didn't know about all of the places we were using reST.
As far as I can remember at least Tres and I were involved in this issue. I think Tres was working on the hotfix and I was working on the releases...something like that. So we both were possibly blind...
> But that just illustrates that our current approach of "everyone is responsible for everything" or, cynically, "no one is responsible for anything" isn't working.
Isn't that the approach Zope has been working with for years? It is a working process - not a perfect process. Look how often major vendors like Microsoft, Oracle or Apple deliver patches for their patches...we're neither better nor worse. That's not an excuse for mistakes (which *will* happen as long as humans are involved), but rather look at how far we have got with Zope so far, given the fact that a big part of the Zope core is just cruft.
Responsibility for a particular code part requires a solid understanding of the code. There are a bunch of modules where I assume that only a small number of people understand the code (who understands ZClasses except you and Dieter?).
Responsibility for a particular code part requires dedication. You may find a maintainer for module X or Y, but I doubt that some will show dedication e.g. to ZClasses....which is a perfect example...Some months ago we had again the discussion about ZClasses and their future, and one person spoke up to do something (take over the code or reimplement them).....lots of noise...nothing else... In my experience most contributors are of course dedicated in the first place to their own code but very little to some cruft code that dates back to the DC and early ZC times.
So my conclusion: dedication and taking over responsibility won't solve the general problem, especially when it comes to security. As a maintainer you're usually blind or have a narrowed perception of things (which might depend on personal skills and experience)...not every one of the contributors is a mastermind like you...that's just the situation..so only outstanding persons can help in such a situation (e.g. through regular reviews).
Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev