On 09/22/2011 04:24 AM, Hanno Schlichting wrote:
> Tres, thanks a lot for the work!
>
> Since this is such a serious vulnerability, the Plone security team
> would like to hold off the hotfix release a bit and do a pre-announcement,
> so all vendors get a chance to plan and prepare for deploying the hotfix.
That is exactly the reason *not* to hold off -- we should be putting out
the hotfix and new releases ASAP, because of its seriousness.
> We'll do a pre-announcement of the upcoming patch, to be released on
> Tuesday October 4. And then we can handle the actual release of the
> code on that day. I can take care of the Zope-side of the hotfix
> release and also release proper new versions of Zope 2.12 and 2.13 at
> the same time.
You want to leave this unpatched for *two weeks*? That seems grossly
irresponsible to me: the Zope community *is* bigger than a set of
nervous Plone integrators, and deserves to get fixes for "zero day"
exploits out as soon as they are available.
Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 <email address hidden>
Palladion Software "Excellence by Design" http://palladion.com