[Grok-dev] UPDATE recently created projects to 0.14.1

Martijn Faassen faassen at startifact.com
Sun Dec 14 10:26:01 EST 2008


Brandon Craig Rhodes wrote:
> I understand that our policies prevent us from fixing 0.14 itself
> retroactively and protecting people with old buildouts who haven't seen
> all of the announcements; we want to keep everything old looking like it
> always did so that old buildouts can always be guaranteed to be
> identical, even if identically insecure.

We can't reach into people's existing buildouts magically and replace 
their version of 0.14 with a new one anyway, right?

> But it would be nice to display a message.

> Before 1.0, could we add to "grokproject" a line that, if it's using its
> default URL, also looks up another URL and, if it exists, prints the
> message there? 

This isn't a bad idea, but grokproject will always look at 'current' to 
look at the most recent version of Grok. This will be 0.14.1 now, so 
nobody will ever see the warning.

The only potential point at which people could see the warning is if we 
forget, like we did, to update the 'current' entry to 0.14.1. But this 
wouldn't be a safety net for us, as we could just as easily forget to 
write the warning message. We will try not to make the same mistake next 
time - luckily Michael Haubenwallner caught it pretty fast. :)

> That way, old-buildout-identicalness would be preserved, but users would
> at least have some indication that they needed to take action if they
> did not want their site to be invaded.

I'm not sure we can actually do anything more to protect people by 
audomtation. When they start new projects, they'll be safe (if we don't 
forget to update current). We could provide a recipe to warn people when 
they actually run buildout again, but will only warn people if they're 
actively developing - moderate increased safety but I'm not sure whether 
it's worth the effort.

To also catch people who have deployed (who need the warning the most!), 
we could also do a run-time check. Going off and doing a "phone home" 
while running once every while will probably not be appreciated by 
everyone, and also involves quite a bit of run-time complexity. And 
where would we place the warning message so that the site maintainers 
would see it?

I think the best way to improve the chances people will see our security 
notifications is to spread them wider. Right now we updated 
grok.zope.org, sent a message to grok-dev and I sent a message to 
zope-announce (which I'm not sure has gotten through yet). We could in 
addition also investigate where people tend to send security-related 
warnings in general and institute a policy to also send the warning 
messages there.



More information about the Grok-dev mailing list