> Betreff: Re: [Zope-dev] KGS 3.4.1 versions
> Adam GROSZER a écrit :
> > Hello,
> > There is a sheet with versions for KGS 3.4.1
> > html
> > Anyone for/against those versions?
> > The open questions that remain:
> > * What about pytz 2010g?
> > * Which lxml version to take? 1.3.6?
> > * What about zope.app.container 3.6.2?
> > * Would be nice to have zope.testbrowser 3.5.1
> > Comments are welcome.
> z3c.layer has a major security issue, because of trusted
> traversing adapters that removes the security proxy
yes and no, only miss use could end in security issues
It's not really a security issue, it's the only concept which allows
to use nested sites with more then one IAuthentication utility
and allows to authenticate on objects behind the first site.
But since this was such a rare use case, we decided to split
the package in different packages which also supports a non
trusted setup. This makes the packages more general usable
without to run into security issues based on trusted
confirgurations where non trusted is needed.
> This package has been retired and splitted into
> its 3 subpackages :
Both package above should not use trusted traverser
This package should still use trusted traverser
> There is no problem upgrading to branch 1.0 of these
> packages, as they don't have any significant changes,
> excepted the splitting. However:
> z3c.layer.pagelet should be in version 1.0.2. Nothing below.
> z3c.layer.minimal has no corrected 1.0 branch. A new
> maintenance release 1.0.2 of this package should be released.
> z3c.layer.trusted is OK, since this is trusted in purpose. (I think)
> Zope-Dev maillist - Zope-Dev@zope.org
> ** No cross posts or HTML encoding! ** (Related lists -
> https://mail.zope.org/mailman/listinfo/zope )
Zope-Dev maillist - Zope-Dev@zope.org
** No cross posts or HTML encoding! **
(Related lists -