[Zope-dev] Re: Python2.4 Security Audit ETA???

Florent Guillaume fg at nuxeo.com
Tue Nov 29 09:13:45 EST 2005


The security audit already happened, and led to checkins by Jim on October 
26 that preceded the release of Zope 2.8.4.

Zope 2.8.4 is safe to use with Python 2.4.

Florent

Alan Milligan wrote:
> Aeons ago someone promised that said Zope security audit of Python 2.4
> was scheduled for October.  I've not yet seen any happy announcements
> that Zope is now 2.4 compliant, and do want to highlight the importance
> of achieving this goal.
> 
> Python2.4 has been out for almost a year now, and it's fairly
> ubiquitous.  There've been many statements made on this list about
> people quite happily running their Zopes - contrary to white hat advice.
> 
> With the major distros, Python is entrenched in their installer and GUI
> processes and *all* packaging is focused around a single python (2.4 for
> everyone excepting our BastionLinux).
> 
> In reality it is infeasible to support a second version of Python for
> Z2.  Many modules have SWIG bindings (while core Z2 doesn't require much
> of this, a number of products do), requiring multiple package versions -
> build systems cannot cope with this scenario without massive spec
> customisations (which is all pointless given the window of this
> requirement - and of course that we've all actually learnt something for
> python2.5, python2.6 ....)
> 
> We are getting an increasing number of people attempting to load
> incompatible packages.  It is not possible to downgrade python.  Most of
> userland is not competent to get a secondary python2.3 installation
> running - especially when packages such as python-ldap are simply not
> available for their old python and new ldap etc etc which all requires
> custom package builds.
> 
> We are also stuck in a time-warp actually having to back-port a large
> proportion of recent linux packages because we'd like to make new
> features available, increasing costs and testing requirements.  It is
> also no longer possible for customers to subscribe to just a single
> channel because our core is substantially different to their chosen
> vendor's installation, and packages will be installed into meaningless
> python paths etc.
> 
> Can someone please give me an ETA on this, so I can decide if and how to
> support zope in light of other pressing linux requirements for our distro.

-- 
Florent Guillaume, Nuxeo (Paris, France)   CTO, Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   fg at nuxeo.com

