[Grok-dev] UPDATE recently created projects to 0.14.1
faassen at startifact.com
Sun Dec 14 13:11:31 EST 2008
Brandon Craig Rhodes wrote:
> Martijn Faassen <faassen at startifact.com> writes:
>> We can't reach into people's existing buildouts magically and replace
>> their version of 0.14 with a new one anyway, right?
> The Wordpress admin page prints out a message if there's a new version
> available. Could the Grok admin interface print a message if it sees
> the version has been marked insecure?
You could do that, and I think that's a reasonable UI feature.
Each time the admin screen is loaded up it could do a check with some
kind of "grok security URL" perhaps along the line you suggest with
releaseinfo. It can dig up Grok's release number using setuptools
It should only do the check once every while, and cache the results in
the ZODB, say for a few hours (along with the last time checked). This
way it won't reload the releaseinfo URL each time the page is reloaded.
It should fail gracefully and quickly if offline or if grok.zope.org
doesn't resolve for some reason.
This *is* a phone-home feature we're talking about - a Grok server that
has the admin UI installed will automatically phone home. I don't know
whether people will like that. We can track how many grok-based servers
are running by checking our apache logs. :)
I think best would be to make a setting in some settings screen "check
for security updates" that's off by default. Unfortunately many people
will forget to turn it on as a result. Perhaps people aren't as
sensitive to this as all that though. Anyway, we need good UI thinking
If someone writes all that, we could include it.
I think that we have a lot more urgent things to work on in the way we
manage security issues. I realize most people don't know this as we
haven't discussed it yet, but the main problem right now is that we let
this issue linger in our issue tracker for an astoundingly long time. We
could've known about this one for a very long time if we'd just paid
more serious attention to the issue tracker. I consider this primarily
my own fault as I could've realized the severity of this issue long
before and didn't test well enough.
My priority is to make sure this doesn't happen again. We should do some
more post-mortem discussion on this event. I'd prefer to do this in a
few weeks however, giving people a bit more time to do an update before
we spill the details.
More information about the Grok-dev