> In Zope2 land, the module is still available, and can be used by other
> code (which may not know of that issue). I'm *not* in favor of shipping
> an un-patched docutils until we work this out. For instance, perhaps we
> should be patching docutils to make the *default* settings disable file
> inclusion and 'raw'; then the trusted code which wanted to render reST
> which legitimately needed those features could enable them explicitly.
If we do this, it is important to communicate effectively with packagers
(like, in Linux distributions) that the Zope docutils is patched as a
workaround to this.
This may be a problem for distributions that promise their users to do
bugfixes only, and are distributing a Zope that depends on the standard
docutils in their distribution.
(I cc-ed Martin Pitt, who is responsible for Ubuntu security updates.
I'll fill him in on the rest of the discussion.)
Zope3-dev mailing list
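The opt-in pattern discussed above (file inclusion and `raw` off unless the caller asks for them) can be applied at render time without patching docutils at all. The following is an added example, not code from the Zope or docutils projects or from anyone in this thread. It assumes docutils is installed and at least at the version that introduced the `file_insertion_enabled` and `raw_enabled` settings (0.3.9); the constructed samples stand in for what an anonymous wiki editor might submit.

```python
"""Render untrusted reST with docutils' file-insertion and raw directives
disabled, with an explicit opt-in for trusted callers.

Added example; not Zope or docutils project code.  Relies on the docutils
settings ``file_insertion_enabled`` and ``raw_enabled`` (docutils >= 0.3.9).
"""
import os
import tempfile

from docutils.core import publish_parts
from docutils.writers.html4css1 import Writer


def render_rest(source: str, *, trusted: bool = False) -> str:
    """Return the HTML body for `source`.

    With trusted=False (the default) the ``include`` directive, the ``raw``
    directive and raw's ``:file:``/``:url:`` options are disabled; docutils
    leaves a system message where the directive was instead of reading a
    file or passing markup through.  Trusted code must opt in explicitly.
    """
    overrides = {
        "file_insertion_enabled": trusted,  # .. include::, raw :file:/:url:
        "raw_enabled": trusted,             # .. raw:: <format>
        "embed_stylesheet": False,          # do not inline the writer's CSS
    }
    parts = publish_parts(source, writer=Writer(), settings_overrides=overrides)
    return parts["body"]


# Constructed samples (not taken from any real site): hostile reST that
# tries to inject script and to read a local file.
RAW_SAMPLE = """\
Hello

.. raw:: html

   <script>alert("xss")</script>
"""

INCLUDE_SAMPLE = """\
Hello

.. include:: /etc/passwd
"""


def raw_is_blocked() -> bool:
    """Untrusted rendering emits no <script> tag but does show the refusal.

    The directive text is echoed back inside the system message, but as an
    escaped literal block, so no live tag reaches the browser.
    """
    body = render_rest(RAW_SAMPLE)
    return "<script>" not in body and "directive disabled" in body


def raw_is_allowed_when_trusted() -> bool:
    """The same input passes through verbatim when the caller opts in."""
    return "<script>" in render_rest(RAW_SAMPLE, trusted=True)


def include_is_blocked() -> bool:
    """No file is read for untrusted input; the directive is refused."""
    body = render_rest(INCLUDE_SAMPLE)
    return "root:" not in body and "directive disabled" in body


def include_works_when_trusted() -> bool:
    """Trusted code can still include a file that it controls."""
    marker = "Included from a file the caller chose."
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(marker + "\n")
        path = fh.name
    try:
        body = render_rest(f".. include:: {path}\n", trusted=True)
    finally:
        os.unlink(path)
    return marker in body


if __name__ == "__main__":
    print("raw blocked for untrusted input  :", raw_is_blocked())
    print("raw allowed for trusted caller   :", raw_is_allowed_when_trusted())
    print("include blocked for untrusted    :", include_is_blocked())
    print("include allowed for trusted      :", include_works_when_trusted())
```

The point of routing everything through one `render_rest` with `trusted=False` as the default is the same one made above about patching docutils' defaults: code that does not know about the issue gets the safe behaviour without doing anything, and only code that deliberately passes `trusted=True` can reach `include` or `raw`. Keep the system message in the output (docutils' default `report_level` shows warnings) so that a refused directive is visible to whoever wrote the page rather than silently dropped.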