Christophe Combelles wrote:
> Roger wrote:
>> Hi 
>>
>>> Subject: Re: [Zope-dev] KGS 3.4.1 versions
>>>
>>> Adam GROSZER wrote:
>>>> Hello,
>>>>
>>>> There is a sheet with versions for KGS 3.4.1 
>>>>
>>>> http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQ&output=html
>>>>
>>>> Anyone for/against those versions?
>>>>
>>>> The open questions that remain:
>>>> * What about pytz 2010g?
>>>> * Which lxml version to take? 1.3.6?
>>>> * What about zope.app.container 3.6.2?
>>>> * Would be nice to have zope.testbrowser 3.5.1
>>>>
>>>> Comments are welcome.
>>>>
>>> z3c.layer has a major security issue, because of trusted 
>>> traversing adapters that remove the security proxy 
>>> everywhere. 
>> Yes and no, only misuse could end in security issues.
>> It's not really a security issue, it's the only concept which allows
>> to use nested sites with more than one IAuthentication utility
>> and allows to authenticate on objects behind the first site.
>>
>> But since this was such a rare use case, we decided to split
>> the package in different packages which also support a non
>> trusted setup. This makes the packages more generally usable
>> without running into security issues based on trusted
>> configurations where non trusted is needed.
>>
>>> This package has been retired and split into 
>>> its 3 subpackages:
>>>
>>> z3c.layer.minimal
>>> z3c.layer.pagelet
>> Both packages above should not use trusted traverser
>>
>>> z3c.layer.trusted
>> This package should still use trusted traverser
>>
>>> There is no problem upgrading to branch 1.0 of these 
>>> packages, as they don't have any significant changes, 
>>> except the splitting. However:
>>>
>>> z3c.layer.pagelet should be in version 1.0.2. Nothing below.
>>> z3c.layer.minimal has no corrected 1.0 branch. A new 
>>> maintenance release 1.0.2 of this package should be released.
>>> z3c.layer.trusted is OK, since this is trusted on purpose. (I think)
>> Yes
> 
> 
> OK thanks, I'll release z3c.layer.minimal during the weekend.


I've released z3c.layer.minimal 1.0.2 with the fix,
and z3c.layer 0.2.4 with the same fix.

For the KGS 3.4.1, we just have to upgrade z3c.layer to 0.2.4.
No need to add z3c.layer.[pagelet|minimal|trusted]

Christophe



> 
> 
> 
>> Regards
>> Roger Ineichen
>>
>>> Christophe
>>> _______________________________________________
>>> Zope-Dev maillist  -  Zope-Dev@zope.org
>>> https://mail.zope.org/mailman/listinfo/zope-dev
>>> **  No cross posts or HTML encoding!  ** (Related lists -  
>>> https://mail.zope.org/mailman/listinfo/zope-announce
>>>  https://mail.zope.org/mailman/listinfo/zope )
>>>
>>
>>
> 