[Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changesabout to be checked in

Sat, 10 Aug 2002 00:20:09 +0100

> [Snip]
>
> I just want to keep the security worries in check.  Let me ramble for a
> bit...  We've released a lot of hotfixes, but *none* of the
> vulnerabilities could give an attacker root access, and none of them
> could give console access to anonymous users AFAIK.  All of the
> vulnerabilities violated Zope's security policy, but Zope's security
> policy is constrained by system security and other safeguards.  People
> outside the Zope community don't know that, so a lot have labeled Zope
> as too insecure to use.  The reality is that we've never even had an
> exploitable buffer overrun. :-)  We should avoid sending the wrong
> message by making a hotfix for every little thing.
>
> Shane
>

I'd like to second this. It was one of the contibuting factors in the
decision of my former employers to opt for spectra instead of a Zope
solution (That already existed!!).

I am sure there are other cases of this too... If someone finds a buffer
overrun, fix it by all means, but other issues may be better left for minor
version releases, where they can be buried in the changelog.

Just my Ł0.02

Adrian...

--
Adrian Hungate
EMail: adrian@haqa.co.uk
Web: http://www.haqa.co.uk