[Zope] Securing Zope

Jamie Heilman jamie at audible.transient.net
Wed Sep 17 19:56:40 EDT 2003


Chris Withers wrote:
> The acrimonious nature of your document means many people are unlikely to 
> take it seriously and hardly anyone who _can_ fix the problems you half 
> heartedly describe will want to put up with the verbal battering required 
> to do so...

We've been over this privately, now let it be shown on the public
record that I am aware of your opinion, but that the venue you express
it in makes no difference.
 

Robert Segall wrote:
> Jamie's fixes are useful and should be considered by anybody who is
> really interested in these matters. Whether they are really vital is
> another question: some of the issues are not important in certain
> scenarios (small development team on single project may not care
> about privilege escalation via ZMI, problems with the CGI are
> of no importance unless you use that mechanism), others can be dealt
> with by other mechanisms (proxy filtering).

Yup, the only people who can answer the question of importance are the
people using the software, because they're the only ones who know the
behavior they require.  The advantage of the community is we can share
our knowledge of these problems, and the advantage of open source is
that we can address the origin of the problems directly and at our
leisure.

> Yet some others are truly horrible and affect everybody (the idea of
> allowing XML-RPC on the HTTP port is about as bad as anything I have
> ever seen).

...and there ya go, a perfect example; I didn't find that issue
threatening.  I removed XML-RPC from my personal tree just because I
didn't need it.

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
"...that's the metaphorical equivalent of flopping your wedding tackle
 into a lion's mouth and flicking his lovespuds with a wet towel, pure
 insanity..."                                           -Rimmer