Maik Jablonski wrote:
> Normally security-related stuff is not visible for the public... and
> this seems to be good to avoid exploits etc.

Hiding the bugs doesn't avoid anything, it just leaves Zope administrators helpless in the dark. I'm not going to rehash the arguments for and against full disclosure, but seriously--don't delude yourself into thinking that a problem goes away if you shut your eyes tightly enough.

> Lots of security-stuff is fixed now, but I don't think that all people will
> migrate their servers as soon as possible (due to limited time, the
> experience of the Zope-2.6.3-"disaster", vacations, etc. pp.).

Sure, that's true of every security hole.

> With all the mentioned security-exploits in the collector out there, the
> probability of attacks will rise. And I don't think that this will shed a
> "good light" on Zope.

Meh. Good, bad, it's irrelevant, but you can't pretend there weren't problems and expect anyone with a shred of a clue to take you seriously. If you want to establish trust, you can be honest with your community, or you can do a lot of hand waving trying to cover things up and make yourself look even worse.

> My proposal: Can we have a delay for making security-related fixes public?
> Just a month or two or so...

Every hole that's been fixed has been publicly known and detailed for well over 4 months at the latest, with the exceptions of:

615 & 1154 - sessioning machinery was losing security context
924 - object properties stored as unprotected mutables
All the unrestricted operations in RestrictedPython that were found as a result of ZC's security audit.
(And possibly the unicode crashing issue, which I think got discussed on a public list or something fairly recently.)

Delays are pointless. The broken sessioning machinery was sitting in the collector for a year and 3 months. During that time 2 different people uncovered the issue (presumably) independently, and reported it. How many uncovered it and didn't report it? How exactly was ZC supposed to release a new version of Zope with the fixes but at the same time not divulge the nature of the security flaws? Release an obfuscated binary distribution and say "Trust Us"? That doesn't sound very much like open source.

--
Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile? I liked you better when you weren't saying squat kid." -Buddy

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )