Roger wrote:
>> Subject: Re: [Zope-dev] KGS 3.4.1 versions
>> Adam GROSZER wrote:
>>> There is a sheet with versions for KGS 3.4.1
>>> Anyone for/against those versions?
>>> The open questions that remain:
>>> * What about pytz 2010g?
>>> * Which lxml version to take? 1.3.6?
>>> * What about zope.app.container 3.6.2?
>>> * Would be nice to have zope.testbrowser 3.5.1
>>> Comments are welcome.
>> z3c.layer has a major security issue, because of trusted
>> traversing adapters that remove the security proxy
> yes and no, only misuse could end in security issues
> It's not really a security issue, it's the only concept which allows
> to use nested sites with more than one IAuthentication utility
> and allows to authenticate on objects behind the first site.
> But since this was such a rare use case, we decided to split
> the package into different packages which also support a non
> trusted setup. This makes the packages more generally usable
> without running into security issues based on trusted
> configurations where non trusted is needed.
>> This package has been retired and split into
>> its 3 subpackages:
> Both packages above should not use trusted traverser
> This package should still use trusted traverser
>> There is no problem upgrading to branch 1.0 of these
>> packages, as they don't have any significant changes,
>> except the splitting. However:
>> z3c.layer.pagelet should be in version 1.0.2. Nothing below.
>> z3c.layer.minimal has no corrected 1.0 branch. A new
>> maintenance release 1.0.2 of this package should be released.
>> z3c.layer.trusted is OK, since this is trusted on purpose. (I think)
Ok thanks, I'll release z3c.layer.minimal during the weekend.
> Roger Ineichen
>> Zope-Dev maillist - Zope-Dev@zope.org
>> ** No cross posts or HTML encoding! ** (Related lists -
>> https://mail.zope.org/mailman/listinfo/zope )