-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Steve Alexander wrote: > Tres wrote: >> In Zope2 land, the module is still available, and can be used by other >> code (which may not know of that issue). I'm *not* in favor of shipping >> an un-patched docutils until we work this out. For instance, perhaps we >> should be patching docutils to make the *default* settings disable file >> inclusion and 'raw'; then the trusted code which wanted to render reST >> which legitimately needed those features could enable them explicitly. > > If we do this, it is important to communicate effectively with packagers > (like, in Linux distributions) that the Zope docutils is patched as a > workaround to this. > > This may be a problem for distributions that promise their users to do > bugfixes only, and are distributing a Zope that depends on the standard > docutils in their distribution. > > (I cc-ed Martin Pitt, who is responsible for Ubuntu security updates. > I'll fill him in on the rest of the discussion.)
Packagers would have to do the moral equivalent of forking docutils in order to satisfy incompatible use cases: - Zope needs a docutils which is "safe at any speed" for TTW use. - Other Python applications may not need that safety, and may need the very features which Zope *must* disable. So forking docutils inside Zope is *not* evil, even when considering packaged versions, as long as the packagers know about the fork, right? Hoping-we-are-in-violent-agreement'ly, Tres. - -- =================================================================== Tres Seaver +1 202-558-7113 [EMAIL PROTECTED] Palladion Software "Excellence by Design" http://palladion.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFEsAu3+gerLs4ltQ4RAkq5AKCO6w1PxQbt9QyOffRY//6Be0QlSwCgpMaT 1XxvUjzUhUBlr5uTk44u6B8= =9qal -----END PGP SIGNATURE----- _______________________________________________ Zope3-dev mailing list Zope3-dev@zope.org Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com