Dieter Maurer wrote:

Philipp von Weitershausen wrote at 2006-9-28 11:22 +0200:
The last time this was discussed with Jim, the idea was to try to use
Zope 3's security proxy approach in Zope 2 for Python Script security
- Jim and I had some ideas I need to dredge up from the back of my

I am quite fearful in this regard:

 Lots of existing code rely on the fact that trusted code
 can do anything without to worry about security.

 As security proxies restrict trusted code, too (though trusted
 code can remove the wrapper), we might get more security
 at the cost of massive backward incompatibility.
As Zope 2 and Zope 3 merge in the long run, we'll have to worry about this at one point. The major question nowadays is: do we want/need to do it right now, or can we/should we procrastinate on this topic.

Zope3-dev mailing list

Reply via email to