IRC log of #zope for Thursday, 2015-02-26

[00:12] *** MrTango has joined #zope
[00:19] *** MrTango has quit IRC
[00:28] <MatthewWilkes> kseifried: Sorry about the hold-up there. Feel free to send it on to oss-security@, I just sent an email with code links, but the short version is that Zope2 <2.10.10, <2.11.5 and <2.12.2 are the vulnerable ones.
[00:28] <MatthewWilkes> and it's a 2 line fix if you need to hotfix an older version internally
[00:32] *** Pumukel has joined #zope
[00:43] *** Jan_Garaj3 has quit IRC
[01:39] *** fdrake has quit IRC
[01:54] *** fdrake has joined #zope
[01:56] *** J1m has quit IRC
[02:05] <kseifried> MatthewWilkes thanks
[02:05] <kseifried> MatthewWilkes we backport all the things. it's awesome =)
[02:08] *** m8 has quit IRC
[02:11] <MatthewWilkes> kseifried: Well, happy to help, but we wouldn't be an upstream vendor if we didn't say that updating to the latest minor version would be preferable from our perspective
[02:12] <kseifried> MatthewWilkes that would be awesome except one of Red Hat's main things is we sell you something and then manage API/ABI compatibility (which means backporting security fixes/etc)
[02:12] <kseifried> MatthewWilkes it's good and bad, makes for stability (and less work in many areas) at the cost of more work in other areas like backporting
[02:12] <MatthewWilkes> kseifried: Understandable
[02:12] <kseifried> but long term...
[02:12] <kseifried> yes. we need to figure something better out as an industry
[02:13] <MatthewWilkes> kseifried: Unfortunately we don't have enough eyes on the Zope codebase (especially going back 5 years) to know for sure we haven't inadvertently fixed security issues
[02:13] <kseifried> because basically everyone wants the latest greatest software, but with the promise of no backwards compatibility issues...
[02:13] <kseifried> MatthewWilkes oh you have 'em for 100% sure =)
[02:13] <kseifried> MatthewWilkes but here's the dirty secret.
[02:13] <kseifried> if you rely on your code to be bug free to be secure, you're not.
[02:14] <kseifried> so whether it's one bug or one million, chances are the code you use has nasty flaws
[02:14] *** KageSenshi has quit IRC
[02:14] <kseifried> so we keep things from being completely insanely terrible, but if you want real security you need to do a lot more
[02:14] <MatthewWilkes> kseifried: Sure, but what I'm saying is that we are almost certainly fixing security issues you'd like to backport without it going through messages to oss-security etc
[02:14] <kseifried> yup. I agree
[02:15] <kseifried> so basically because I saw this, I have to deal with it =)
[02:15] <kseifried> it's like being a cop
[02:15] <MatthewWilkes> Plone's a lot better about it, as we have more people there so you do get oss-security reports, but even then I'd be surprised if we managed to notify you of everything
[02:15] <kseifried> MatthewWilkes no worries, we track our upstreams
[02:16] <kseifried> obviously it helps if they label things as security/get CVEs
[02:17] <kseifried> MatthewWilkes to be honest stuff like XSS barely concerns me
[02:18] <kseifried> RCE with no auth is about the only thing that'll get me even mildly interested now. I think I have compassion fatigue =)
[02:19] *** Pumukel has quit IRC
[02:19] <MatthewWilkes> kseifried: We haven't had one of those in a couple of years. I know that feeling though, I hear "meh, it's probably a 5" (CVSSv2) from colleagues a lot
[02:19] <kseifried> yeah, it's a funny world now
[02:19] *** Pumukel has joined #zope
[02:20] <MatthewWilkes> I quite enjoy timing issues for web
[02:21] <MatthewWilkes> Because it feels like it should be completely impossible to exploit reliably
[02:21] <MatthewWilkes> but when you try it, some works surprisingly well
[02:22] <kseifried> I love when people say "oh too much jitter", but then you use a site hosted in AWS and you have like 1ms connection with 0 jitter =)
[02:23] <kseifried> who knew the last 20 years of network security wouldn't be thrown out and now all the things we used to prevent are what we sell now (oh you want root access on a box? sure that's $5 a month)
[02:23] <kseifried> would be rather
[02:24] <MatthewWilkes> heh, yeah
[02:25] <MatthewWilkes> Went in to do some work for a client the other week, they couldn't access any of their production servers. Their last sysadmin had left the company and taken his ssh private key with him. Every server was set up to have root access only
[02:25] <MatthewWilkes> shudder.
[02:26] <MatthewWilkes> note, also, the use of the singular for 'ssh key'.
[02:27] <kseifried> nice
[02:27] <kseifried> in fairness I know people like that
[02:27] <kseifried> but they have a 15+ year relationship with the sysadmin
[02:35] <kseifried> MatthewWilkes long term I suspect everyone has to embrace devops/service and essentially be able to handle rolling releases, which is great because it'll only work if you have all the source code =)
[02:36] <MatthewWilkes> kseifried: Sorry, I don't follow?
[02:36] <kseifried> MatthewWilkes with respect to software integration
[02:37] <kseifried> backporting works but holy heck it's non-trivial, and yeah, stuff gets missed
[02:37] <MatthewWilkes> Oh, right
[02:37] <kseifried> so ideally we'd have rolling releases, keep everything up to date, and have a huge integration testing system to make sure nothing breaks horribly
[02:37] <kseifried> it's a lot like TCP/IP and the web...
[02:37] <MatthewWilkes> There'll always be a need for backwards incompatible changes though
[02:37] <kseifried> the companies that embraced those techs, it wasn't easy, but they clobbered the firms that did not embrace them
[02:38] <MatthewWilkes> So you'll still end up with people on dead-ends once a change becomes enough work they don't do it
[02:38] <kseifried> MatthewWilkes exactly, that's where having all the source code and a huge test suite comes in, you catch those and fix the other bits
[02:38] <kseifried> MatthewWilkes the people that embrace this will end up with a huge competitive advantage
[02:38] <kseifried> like Netflix...
[02:39] <kseifried> even if the studios were willing to release their stuff, they can't build IT like Netflix can
[02:39] <kseifried> like my cable provider's video on demand service, you know what the main advertising thing is?
[02:39] <kseifried> "we curate the content, people who love to watch TV decide what we show"
[02:39] <kseifried> they have no recommendation system/etc
[02:40] <kseifried> just a blob of random content you can sort of split up by category
[02:40] <MatthewWilkes> I guess I'm a bit disillusioned. There are so many web dev agencies out there whose business model is "quote an impractically low price, get the contract, then charge change fees and half-arse everything once the client's locked in"
[02:40] <kseifried> uhm
[02:40] <kseifried> that's normal for business
[02:40] <kseifried> exploit the sunk cost fallacy =)
[02:40] <kseifried> and dumb people will keep falling for it
[02:41] <MatthewWilkes> You only get the competitive advantage for having good infrastructure if your business model relies on you being able to do things better than your competitors
[02:41] <kseifried> MatthewWilkes look at it this way: Nigerian 419 scams still work
[02:41] <kseifried> like... how is that even possible now?
[02:41] <kseifried> MatthewWilkes or you create a new category and dominate it, like Netflix did
[02:41] <MatthewWilkes> Yeah, and GoDaddy exists, and people sell SSL certs, etc
[02:41] <kseifried> MatthewWilkes and Qray bracelets
[02:42] <MatthewWilkes> I guess the point is that having a solid base for your software only helps the companies that take such things seriously
[02:42] <MatthewWilkes> a bunch of people are going to want cheap and nasty
[02:43] <kseifried> yup
[02:43] <kseifried> and firms like Netflix or Amazon will clobber them
[02:43] <kseifried> like locally we have the whole Uber/taxi firm thing going on
[02:44] <kseifried> and general consensus seems to be "taxis suck, Uber is sort of evil, but at least they aren't rude to customers"
[02:50] *** menesis has quit IRC
[02:50] *** menesis1 has joined #zope
[03:06] *** KageSenshi has joined #zope
[03:41] *** menesis1 has quit IRC
[03:52] *** yvl has quit IRC
[04:09] *** do3cc has quit IRC
[04:50] *** do3cc has joined #zope
[05:30] *** KageSenshi has quit IRC
[07:52] *** Jan_Garaj3 has joined #zope
[07:53] *** MrTango has joined #zope
[08:00] *** Jan_Garaj3 has quit IRC
[08:16] *** Jan_Garaj3 has joined #zope
[08:23] *** MrTango has quit IRC
[08:24] *** alecm has quit IRC
[08:24] *** alecm has joined #zope
[08:24] *** alecm has joined #zope
[08:32] *** __mac__ has joined #zope
[08:48] *** bosim has joined #zope
[08:50] *** alecm has quit IRC
[08:50] *** kseifried has quit IRC
[08:51] *** alecm has joined #zope
[08:51] *** alecm has joined #zope
[09:06] *** __mac__ has left #zope
[09:16] *** KageSenshi has joined #zope
[09:18] *** Jan_Garaj3 has quit IRC
[09:18] *** MrTango has joined #zope
[09:23] *** bosim has quit IRC
[09:24] *** bosim has joined #zope
[09:28] *** bosim has quit IRC
[09:28] *** bosim_ has joined #zope
[09:30] *** bosim_ has quit IRC
[09:31] *** bosim has joined #zope
[09:33] *** alecm has quit IRC
[09:33] *** giacomos has joined #zope
[09:35] *** alecm has joined #zope
[09:38] *** alecm has quit IRC
[09:39] *** alecm has joined #zope
[09:42] *** tisto has joined #zope
[09:48] *** alecm has quit IRC
[09:49] *** alecm has joined #zope
[10:01] *** PeterZ1 has joined #zope
[10:02] *** PeterZ1 has left #zope
[10:47] *** bosim has quit IRC
[11:10] *** bosim has joined #zope
[11:11] *** bosim has joined #zope
[11:17] *** maurits has joined #zope
[11:27] *** projekt01 has joined #zope
[11:30] *** MrTango has quit IRC
[11:34] *** MrTango has joined #zope
[11:45] *** m8 has joined #zope
[11:49] *** KageSenshi has quit IRC
[11:56] *** menesis has joined #zope
[12:14] *** bosim has quit IRC
[12:23] *** bosim has joined #zope
[12:44] *** tisto is now known as tisto|afk
[13:45] *** bosim has quit IRC
[14:00] *** bosim has joined #zope
[14:03] *** menesis has quit IRC
[14:12] *** stereo_ has joined #zope
[14:37] *** J1m has joined #zope
[15:12] *** menesis has joined #zope
[15:22] *** m8 has quit IRC
[15:35] *** tisto|afk is now known as tisto
[15:52] *** bosim has quit IRC
[16:00] *** bosim has joined #zope
[16:15] *** yvl has joined #zope
[16:29] *** RiverRat has quit IRC
[16:30] *** RiverRat has joined #zope
[16:50] *** bosim has quit IRC
[16:51] *** bosim has joined #zope
[16:56] *** bosim has quit IRC
[16:58] *** giacomos has quit IRC
[17:05] *** tiwula has joined #zope
[17:08] *** Jan_Garaj3 has joined #zope
[17:27] *** Jan_Garaj3 has quit IRC
[17:30] *** Jan_Garaj3 has joined #zope
[17:33] *** KageSenshi has joined #zope
[17:33] *** KageSenshi has joined #zope
[17:34] *** stereo_ has quit IRC
[17:51] *** J1m has quit IRC
[17:55] *** J1m has joined #zope
[18:35] *** fRiSi has joined #zope
[18:44] *** tisto has quit IRC
[18:48] *** fRiSi has quit IRC
[18:54] *** maurits has quit IRC
[19:22] *** projekt01 has quit IRC
[19:31] *** avoinea has quit IRC
[19:31] *** avoinea has joined #zope
[20:25] *** Jan_Garaj3 has joined #zope
[20:32] *** Jan_Garaj3 has quit IRC
[20:53] *** Jan_Garaj3 has joined #zope
[21:30] *** Jan_Garaj3_ has joined #zope
[21:30] *** Jan_Garaj3 has quit IRC
[21:32] *** menesis has quit IRC
[21:37] *** __mac__ has joined #zope
[21:38] *** __mac__ has joined #zope
[22:21] *** menesis has joined #zope
[22:27] *** yvl has quit IRC
[22:28] *** yvl has joined #zope
[23:03] *** __mac__ has quit IRC
[23:29] *** stereo_ has joined #zope
[23:39] *** grasbauer has joined #zope
[23:40] *** grasbauer has left #zope

Generated by irclog2html.py 2.15.1 by Marius Gedminas - find it at mg.pov.lt!