[Zope-dev] 2.9.4? reStructuredText support?

Andreas Jung lists at zopyx.com
Sat Jul 8 08:12:40 EDT 2006



--On 8. Juli 2006 07:45:01 -0400 Jim Fulton <jim at zope.com> wrote:

>
> On Jul 8, 2006, at 1:11 AM, Andreas Jung wrote:
>
>>
>>
>> --On 7. Juli 2006 11:03:06 -0400 Jim Fulton <jim at zope.com> wrote:
>>
>>>
>>> I think we should do a 2.9.4 release to incorporate the recent hot
>>> fix.
>>> This is easy for me to say, since I won't be doing it. :)
>>>
>>> Because this recent fix actually fixed the same problem that the
>>> previous hot fix was supposed to fix, I think someone needs to
>>> work up
>>> some decent tests.  This is not a trivial task, bit it is
>>> necessary.  If
>>> no one is willing to do this, I think we need to drop the TTW
>>> reStructuredText support from Zope 2, as it is too great a risk.
>>>
>>
>> Dropping TTW reST is absolutely not an option. It breaks backward
>> compatibility.
>
> Sorry, security trumps backward compatibility.

Only if there is no other option. Tres' patch seems to resolve this issue 
and with further testing there is no need to remove the functionality.


>
>
>>> BTW, I suspect that a less violent patch could be created, if
>>> anyone wants to champion TTW reStructuredText support in
>>> Zope 2.  Personally, I'm for dropping it.
>>
>> Tres' patch is looking fine to me. I don't see a need right now
>> for dropping reST with file inclusion *removed*.
>
> Has anyone written tests for Tres' patch?  Apparently no one wrote
> adequate tests for the last hot fix, which helped put us in this
> situation.
>
> I'm not opposed to keeping TTW reST if *someone takes responsibility*
> for it.  I don't see this happening.  If someone cares enough about TTW
> reST to stand behind it and properly address the security risks by
> writing tests, then great.

There is currently little need to break this over the knee. We have a 
hotfix, we have a stripped down version of Docutils. We have some time 
until the next releases. Perhaps nobody had time so far (at least me) for 
writing further tests. That does not mean that nobody takes responsibility. 
If we would rip out everything from Zope 2 where nobody takes over 
responsibility....what would be left?

In addition I don't see a big problem for Zope-only(!) apps. Using reST in 
Zope requires access to the ZMI which is in general available only to 
trusted users. Removing TTW-editing of reST in Zope does *not* solve any
problem e.g. for Plone where reST can be edited through the Plone UI by 
usually untrusted users. It is *our* task to make reST (basically Docutils)
secure enough. It's safe enough for Zope-only apps but I agree that the 
Docutils code and the "hotfix" requires some more testing and review.

> Otherwise it has to go.

No :-)

> It reflects a sorry, but perhaps sadly accurate, view of the
> community's commitment to quality. :(

Sorry, I've no idea what you mean with this remark.

Andreas
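The thread's technical point is that TTW reStructuredText is only acceptable once Docutils' file-inclusion behaviour is gone, because directives such as `include` (and `raw` or `csv-table` given a `:file:` or `:url:` option) make the renderer read server-side files on behalf of whoever can submit reST. As an added illustration that is not code from this thread, from Zope, or from the hotfix it discusses, the following scanner flags those directives in untrusted reST before it reaches a renderer. It is a conservative text scan, not a reST parser: it will also flag such lines inside literal blocks (a false positive), which is the right failure direction for a reject policy. The sample input and the function names are constructed for this example.

```python
import re

# Directives whose body is a path: Docutils reads the file whenever they appear.
ALWAYS_READS_FILE = {"include"}
# Directives that read a file or URL only when given one of these options.
OPTION_GATED = {
    "raw": {"file", "url"},
    "csv-table": {"file", "url"},
}

# ".. name:: args" with optional leading indentation; directive names are
# matched case-insensitively, as Docutils normalises them to lowercase.
DIRECTIVE_RE = re.compile(r"^(?P<indent>[ \t]*)\.\.[ \t]+(?P<name>[\w-]+)::(?P<arg>.*)$")
OPTION_RE = re.compile(r"^[ \t]*:(?P<opt>[\w-]+):")


def find_file_inclusions(source: str):
    """Return (line_no, directive, detail) for each directive that would make
    Docutils read a file or URL while rendering `source`."""
    findings = []
    lines = source.splitlines()
    i = 0
    while i < len(lines):
        m = DIRECTIVE_RE.match(lines[i])
        if not m:
            i += 1
            continue
        name = m.group("name").lower()
        if name in ALWAYS_READS_FILE:
            findings.append((i + 1, name, m.group("arg").strip()))
        elif name in OPTION_GATED:
            # Options follow the directive line, indented deeper than it,
            # and the option block ends at the first blank or dedented line.
            base_indent = len(m.group("indent"))
            j = i + 1
            while j < len(lines):
                line = lines[j]
                if line.strip() == "":
                    break
                if len(line) - len(line.lstrip()) <= base_indent:
                    break
                om = OPTION_RE.match(line)
                if om and om.group("opt").lower() in OPTION_GATED[name]:
                    findings.append((j + 1, name, line.strip()))
                j += 1
        i += 1
    return findings


def safe_for_untrusted(source: str) -> bool:
    """Policy helper: True only if no file-reading directive was found."""
    return not find_file_inclusions(source)


# Constructed sample of what an untrusted editor might submit.
SAMPLE_UNTRUSTED = """\
Title
=====

.. include:: /etc/passwd

.. raw:: html
   :file: /etc/shadow

.. csv-table:: Users
   :header: "name", "uid"

   "root", 0

.. image:: logo.png
"""

if __name__ == "__main__":
    for line_no, directive, detail in find_file_inclusions(SAMPLE_UNTRUSTED):
        print(f"line {line_no}: '{directive}' directive reads a file: {detail}")
    print("safe:", safe_for_untrusted(SAMPLE_UNTRUSTED))
```

This is a pre-filter, not a replacement for disabling the directives in Docutils itself: the stripped-down Docutils the thread mentions removes the capability at the source, which is the control that also protects paths such as Plone's UI where the thread notes untrusted users can edit reST.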


