On Jul 19, 2006, at 8:47 AM, Benji York wrote:
> David Pratt wrote:
>> What about the idea of maintaining a text file in the distribution
>> specific to possible security issues? Is this worth considering
>> for historical purposes so they do not get lost over time or
>> implicitly understood by only a handful of people?
>
> Exactly. Any package that needs security-related things verified
> should have a test (doctest in a text file) describing the problem
> and verifying that it has been fixed.

Of course, that, by itself, doesn't solve the problem. docutils may
introduce a new feature in the future that shouldn't be exposed
through the web. Whenever we integrate a new version, we need to
review it to make sure there aren't new security issues. This is
especially true of anything that is exposed TTW.

Jim Fulton mailto:[EMAIL PROTECTED] Python
CTO (540) 361-1714
Zope Corporation http://www.zope.com http://www.zope.org
Zope3-users mailing list
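
The following sketch of the "doctest in a text file" idea from the thread is an added example, not code from the original messages or from Zope. The thread does not name a specific docutils issue, so the `include` and `raw` directives are used as an assumed illustration; `render_untrusted`, `SECURITY_TXT` and the marker string are hypothetical names, and the docutils package must be installed.

```python
import doctest
import os
import tempfile

from docutils.core import publish_parts

# Settings for untrusted reST: no file inclusion, no raw passthrough,
# and no system messages echoed into the page.
SAFE = {"file_insertion_enabled": False, "raw_enabled": False,
        "report_level": 5, "halt_level": 5}


def render_untrusted(source, overrides=SAFE):
    """Hypothetical TTW entry point: user-supplied reST -> HTML body."""
    return publish_parts(source, writer_name="html",
                         settings_overrides=overrides)["body"]


# Constructed content of a security doctest file shipped with the package.
SECURITY_TXT = """
reST submitted through the web must not be able to read server files.
``secret_path`` names a file that contains ``s3cr3t-marker``.

    >>> source = ".. include:: %s\\n" % secret_path
    >>> "s3cr3t-marker" in render_untrusted(source)
    False

Raw HTML must not pass through to the page either.

    >>> "<script>" in render_untrusted(
    ...     ".. raw:: html\\n\\n   <script>x</script>\\n")
    False
"""


def run_security_doctest(render=render_untrusted):
    """Run the doctest text against `render`; return (failed, attempted)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write("s3cr3t-marker\n")
        globs = {"render_untrusted": render, "secret_path": path}
        test = doctest.DocTestParser().get_doctest(
            SECURITY_TXT, globs, "SECURITY.txt", None, 0)
        runner = doctest.DocTestRunner(verbose=False)
        result = runner.run(test, out=lambda text: None)  # silence report
        return result.failed, result.attempted
    finally:
        os.remove(path)
```

Running the same file again after each docutils upgrade covers the issues it documents; features introduced by the new version still need the manual review described above.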