Roger wrote:
> Hi
>
>> Subject: Re: [Zope-dev] KGS 3.4.1 versions
>>
>> Adam GROSZER wrote:
>>> Hello,
>>>
>>> There is a sheet with versions for KGS 3.4.1
>>>
>>> http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQ&output=html
>>>
>>> Anyone for/against those versions?
>>>
>>> The open questions that remain:
>>> * What about pytz 2010g?
>>> * Which lxml version to take? 1.3.6?
>>> * What about zope.app.container 3.6.2?
>>> * Would be nice to have zope.testbrowser 3.5.1
>>>
>>> Comments are welcome.
>>>
>> z3c.layer has a major security issue, because of trusted
>> traversing adapters that remove the security proxy
>> everywhere.
>
> yes and no, only misuse could end in security issues
> It's not really a security issue, it's the only concept which allows
> to use nested sites with more than one IAuthentication utility
> and allows to authenticate on objects behind the first site.
>
> But since this was such a rare use case, we decided to split
> the package into different packages which also support a
> non-trusted setup. This makes the packages more generally usable
> without running into security issues based on trusted
> configurations where non-trusted is needed.
>
>> This package has been retired and split into
>> its 3 subpackages:
>>
>> z3c.layer.minimal
>> z3c.layer.pagelet
>
> Both packages above should not use trusted traverser
>
>> z3c.layer.trusted
>
> This package should still use trusted traverser
>
>> There is no problem upgrading to branch 1.0 of these
>> packages, as they don't have any significant changes,
>> except the splitting. However:
>>
>> z3c.layer.pagelet should be in version 1.0.2. Nothing below.
>> z3c.layer.minimal has no corrected 1.0 branch. A new
>> maintenance release 1.0.2 of this package should be released.
>> z3c.layer.trusted is OK, since this is trusted on purpose. (I think)
>
> Yes

Ok thanks, I'll release z3c.layer.minimal during the WE.

>
> Regards
> Roger Ineichen
>
>> Christophe
>> _______________________________________________
>> Zope-Dev maillist - [email protected]
>> https://mail.zope.org/mailman/listinfo/zope-dev
>> ** No cross posts or HTML encoding! **
>> (Related lists -
>> https://mail.zope.org/mailman/listinfo/zope-announce
>> https://mail.zope.org/mailman/listinfo/zope )
>>
>
