On Jul 8, 2006, at 3:27 PM, Andreas Jung wrote:
--On 8. Juli 2006 15:05:21 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
I think this applies here as well.
1. ZClasses are not a security threat. reST is. That's a huge
difference.
Being a security thread or not ...how will you prove that a module
X is a thread or not? Without source code review every module has
the potential
to be a thread. I would never claim that the modules I've written
or maintain in some way are totally safe...
One difference is that between our code and 3rd-party code. I wrote
the ZClasses
code and paid a lot of attention to security.
Whoever integrated reST didn't even read the documentation, much less
the code.
2. This event illustrates that I was wrong.
Possibly, but a lot of modules were written by ppl that are no
longer active in the community and a lot of these modules are a
real cruft that nobody want to touch (and that little ppl
understand). For the time being we have to live with this situation
in the Zope 2 world. The only way out is to replace more and more
code with Zope 3 modules which is actually happening.
So what does it mean to be a maintainer of a package?
This is something that the Zope Foundation needs to work out. I'd
like to start
a discussion of this when Martijn gets back from vacation. Or perhaps we
should put off the discussion till September when most people are
back from vacation.
A maintainer has to keep the code in shape and should of course
care about security issues. But a maintainer might have a different
view on security than you...so how to get out of this dilemma? Code
audits? They would help but you know how much time they take
(impractical for most code if you ask me). The current
"unofficial" code auditing by watching the checkin lists seems to
work to a certain degree (perhaps not directly related to security
issues but to wrong code in general). Getting maintainers for Zope
core packages is even more harder than some yrs ago when the Zope
community wasn't split up as it is today (CPS, Zope3,Zope2, Plone,
CMF). The common view on the Zope 2 core seems to be "it works,
it's a cruft, don't touch it"..and ppl prefer to put their hands on
other stuff outside the Zope 2 core. I am realistic enough to see
that this won't change in the near future.
My view is that both Zope 2 and Zope 3 are too big. IMO, they need
to be split into smaller projects packaged more or less separately.
reST and ZClasses should be add-ons, not a part of the code. It
should be possible for each project/package to tell if the project is
active. Then it's up to users to decide whether to take the risk of
using an unsupported package.
Jim
--
Jim Fulton mailto:[EMAIL PROTECTED] Python
Powered!
CTO (540) 361-1714
http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
