--On 12. August 2008 19:38:16 +0200 "M.-A. Lemburg" <[EMAIL PROTECTED]> wrote:

On 2008-08-12 18:04, Tres Seaver wrote:
Garito wrote:
The same question again and again

As a Zope user I prefer to know as soon as possible if Zope has security
problems like those

Perhaps the correct way will be to send the problem to the zope people
and 2 weeks later then make it public

I think 2 weeks is a very correct period to solve a problem; if not, I
want to try to solve the problem for myself

But I shut my mouth, sorry Andreas ;)

2008/8/12 Andreas Jung <[EMAIL PROTECTED]>

*sigh*

I wished that both exploits were reported to the Zope bugtracker in
order to work on solutions before making the exploits public.

Right:  we would just like time to investigate the problem so that we
can announce the problem and the workaround / hotfix / new releases
simultaneously.  Two weeks would be longer than I would expect that
process to take.

Next time, I'll post the report to the tracker and mark it private.

I really didn't have any intention of making your work harder than
it already is - I must admit that I wouldn't have thought of the
issue being that important.

OTOH, I do think that the PythonScript product will need some
more security audit, esp. since the restricted environment
safety belt checks are no longer being maintained in the Python
interpreter code and will likely go away completely for
Python 3.x.

It may be better to remove the PythonScript product altogether and
instead use ExternalMethods.

My conclusion after almost 9 years with Zope: PythonScripts and trusted
code was a good and nice feature in the "early days" of Zope. The future
is clearly trusted code in all its flavors. RestrictedPython, through-the-web editing (ZMI) and stuff like ZClasses should die - however they must remain until the end of time - for the sake of compatibility.

Andreas


_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
