Lennart Regebro wrote:

> On Thu, Jan 22, 2009 at 10:38, Chris Withers <ch...@simplistix.co.uk> wrote:
>>> Note that Jim never explained to me how he does these audits, but I gathered
>>> some methods he used in conversations. I think I did a pretty thorough job
>>> during the review.
>> Yeah, this disturbs me a lot still though :-S
>
> I know the feeling. :) I completely trust that Stephan did a good job
> if he thinks he did, but I would be happy if we could gather a bunch
> of smart people to spread the knowledge. Maybe a security review
> sprint at PyCon, or somesuch? I'd like to hang in a corner and suck up
> the smartness. :)
>
> Or, I'd love to help in a sprint to move to security proxies. It's a
> major job of course, and the minimal job is to make proxies that
> replicate the current very complex and idiosyncratic Zope2 security.
> At least such a sprint should be able to locate any big problems and
> "impossibilities" so we can think of a path to fix that.
Ugh. -1 to any attempt to use "space suits" in Z2. I would rather move to
a model which made it easy to mark some / all TTW objects as "trusted",
disabling security checks altogether: the "untrusted users can edit TTW
code" use case is pretty much irrelevant for any site I have worked on,
with the exception of "old Zope.org", in ten years of working with Zope.

Tres.

--
Tres Seaver +1 540-429-0999 tsea...@palladion.com
Palladion Software "Excellence by Design" http://palladion.com