Jeremy Hylton : weblog : 2004-01-08

Zope Security Issues

Thursday, January 08, 2004, 9:35 p.m.

The Zope security work done last month was merged into the public CVS today. Lots of fixes and changes.

Tres Seaver did a nice job of extracting the various fixes and merging them individually. The CVS history in the public repository should clearly identify which changes were made to address which bug. I'm sure it took a lot longer to do this way, but it was the right thing.

I suppose one nice thing is the conclusion: In the course of the evaluation, very few of the Python changes in 2.3.3 directly affected the Zope security architecture or had impacts on the restricted execution model. It underscores that Python 2.3 is a fairly conservative release with few compatibility issues.

I wrote a couple of web log entries while I was working on the project, but I didn't post them until the fixes were made public. I discussed how we generate custom bytecode for unpacking and how we might write a simple bytecode verifier to check that the transformations are correct.