> [Snip]
>
> I just want to keep the security worries in check.  Let me ramble for a
> bit...  We've released a lot of hotfixes, but *none* of the
> vulnerabilities could give an attacker root access, and none of them
> could give console access to anonymous users AFAIK.  All of the
> vulnerabilities violated Zope's security policy, but Zope's security
> policy is constrained by system security and other safeguards.  People
> outside the Zope community don't know that, so a lot have labeled Zope
> as too insecure to use.  The reality is that we've never even had an
> exploitable buffer overrun. :-)  We should avoid sending the wrong
> message by making a hotfix for every little thing.
>
> Shane
>

I'd like to second this. It was one of the contributing factors in the
decision of my former employers to opt for spectra instead of a Zope
solution (That already existed!!).

I am sure there are other cases of this too... If someone finds a buffer
overrun, fix it by all means, but other issues may be better left for minor
version releases, where they can be buried in the changelog.

Just my £0.02

Adrian...

--
Adrian Hungate
EMail: [EMAIL PROTECTED]
Web: http://www.haqa.co.uk



_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
