On Jul 19, 2006, at 8:47 AM, Benji York wrote:

David Pratt wrote:
What about the idea of maintaining a text file in the distribution specific to possible security issues? Is this worth considering for historical purposes so they do not get lost over time or implicitly understood by only a handful of people?

Exactly. Any package that needs security-related things verified should have a test (doctest in a text file) describing the problem and verifying that it has been fixed.

Of course, that, by itself, doesn't solve the problem. docutils may introduce a new feature in the future that shouldn't be exposed through the web. Whenever we integrate a new version, we need to review it to make sure there aren't new security issues. This is especially true of anything that is exposed TTW.


Jim Fulton                      mailto:[EMAIL PROTECTED]                Python 
CTO                             (540) 361-1714                  
Zope Corporation        http://www.zope.com             http://www.zope.org
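One way to set up the kind of regression test Jim describes, as an added example that is not code from this thread or from Zope: the doctest lives in a text file beside the package and states the problem in prose, and the function it exercises gates reST directives on an allowlist so that a directive nobody has reviewed yet (including one a future docutils release adds) is flagged by default. The `unsafe_directives` helper, the allowlist and the directive names other than docutils' real `include` and `raw` are assumptions made for this example.

```python
import doctest
import os
import re
import tempfile

# Allowlist of directives considered safe for through-the-web reST (illustrative).
SAFE_DIRECTIVES = frozenset({"note", "warning", "image"})
DIRECTIVE_RE = re.compile(r"^\s*\.\.\s+([\w-]+)::", re.MULTILINE)

def unsafe_directives(rst_text):
    """Return, sorted, every directive name in rst_text that is not allowlisted."""
    found = {m.group(1) for m in DIRECTIVE_RE.finditer(rst_text)}
    return sorted(found - SAFE_DIRECTIVES)

# The doctest as it would be checked in (e.g. as security.txt) beside the package.
SECURITY_DOCTEST = r"""
Restricted reStructuredText rendering (security regression test)
================================================================

Problem: through-the-web reST must not reach directives that read local files
or pass raw markup through (docutils ships ``include`` and ``raw``), and a
future docutils release must not expose a new directive before it is reviewed.

Harmless directives pass:

>>> unsafe_directives(".. note:: remember to log out\n")
[]

File insertion and raw markup are flagged by name:

>>> unsafe_directives(".. include:: settings.cfg\n.. raw:: html\n")
['include', 'raw']

A directive nobody has reviewed yet is flagged as well:

>>> unsafe_directives(".. shiny-new-thing:: option\n")
['shiny-new-thing']
"""

def run_security_doctest():
    """Write the doctest to a temporary file and run it; returns doctest.TestResults."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(SECURITY_DOCTEST)
        return doctest.testfile(path, module_relative=False,
                                globs={"unsafe_directives": unsafe_directives})
    finally:
        os.remove(path)
```

In a real package the text would be a checked-in file loaded with `doctest.DocFileSuite`; the temporary file here only keeps the example self-contained.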

Zope3-users mailing list
