[Zope-dev] Plans for Zope 2.12
Tres Seaver
tseaver at palladion.com
Sun Feb 1 16:57:38 EST 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Lennart Regebro wrote:
> On Thu, Jan 22, 2009 at 10:38, Chris Withers <chris at simplistix.co.uk> wrote:
>>> Note that Jim never explained to me how he does these audits, but I gathered
>>> some methods he used in conversations. I think I did a pretty thorough job
>>> during the review.
>> Yeah, this disturbs me a lot still though :-S
>
> I know the feeling. :) I completely trust that Stephan did a good job
> if he thinks he did, but I would be happy if we could gather a bunch
> of smart people to spread the knowledge. Maybe a security review
> sprint at PyCon, or somesuch? I'd like to hang in a corner and suck up
> the smartness. :)
>
> Or, I'd love to help in a sprint to move to security proxies. It's a
> major job of course, and the minimal job is to make proxies that
> replicate the current very complex and idiosyncratic Zope2 security.
> At least such a sprint should be able to locate any big problems and
> "impossibilities" so we can think of a path to fix that.
Ugh. -1 to any attempt to use "space suits" in Z2. I would rather move
to a model which made it easy to mark some / all TTW objects as
"trusted", disabling security checks altogether: the "untrusted users
can edit TTW code" use case is pretty much irrelevant for any site I
have worked on, with the exception of "old Zope.org", in ten years of
working with Zope.
Tres.
- --
===================================================================
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFJhhrS+gerLs4ltQ4RAmeKAKDZTlDw2MYeMeb3m44MH0DSdnLP+ACfddS/
9HkJcd4AVUQ0wE/WlFiwmd0=
=PH69
-----END PGP SIGNATURE-----
More information about the Zope-Dev
mailing list