[Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

Adrian Hungate adrian@haqa.co.uk
Mon, 12 Aug 2002 15:46:44 +0100


> >  > I'd like to second this. It was one of the contributing factors in the
> >  > decision of my former employers to opt for spectra instead of a Zope
> >  > solution (That already existed!!).
> > I, on the contrary, appreciate the openness and fast response with
> > respect to security problems.
> >
> > I do not install most hotfixes because the vulnerabilities do not
> > affect our sites but it is a good feeling that there are fast
> > fixes when this would be once the case.
>
> In some way we need to make it clear that most hotfixes don't matter for
> most sites.  A lot of hotfixes ensured that users who could write DTML
> couldn't get extra privileges.  They really only mattered for sites like
> zope.org, where anyone with an email address is allowed to write code
> that will be executed directly on the server.  But:
>

You are exactly right... but... The problem is not one of clarity of
labelling, it's one of targeting: The people that actually make this level of
decision (i.e. board level execs) are not "techies", and are just not
interested in _why_ the fix is needed, or in _what_ technical problem it
fixes, but that ZC (visibly) releases 'n' fixes per month for Zope, while M$
(visibly) releases less than that number per year for IIS/ASP - Therefore,
Zope must be the less stable/reliable product etc?

The logic is flawed, we all know that, but who is volunteering to visit
every company's senior execs worldwide and spend the time to make them care
enough?

The hotfixes, and new releases need to be "marketed" (I use that word
loosely) quite differently, new releases are "A Good Thing(tm)", while the
fixes need to be "under the hood" where the execs won't be bothered by them,
but the techies can find them when they need them.

I apologise, in advance, for the sweeping generalization that all execs are
like Dilbert's pointy-haired boss, but some really are!

Adrian...

--
Adrian Hungate
EMail: adrian@haqa.co.uk
Web: http://www.haqa.co.uk