Bug#753404: zope.security: Port python-zope.security-untrustedpython from Ubuntu

Gediminas Paulauskas menesis at pov.lt
Tue Jul 1 16:49:46 UTC 2014


2014-07-01 18:52 GMT+03:00 Barry Warsaw <barry at debian.org>:

> On Jul 01, 2014, at 05:24 PM, Brian Sutherland wrote:
>
> >The reason it was not added in Debian is because it requires the
> >RestrictedPython package:
> >
> >    https://pypi.python.org/pypi/RestrictedPython
> >
> >That has security implications, and no-one wanted to take responsibility
> >for that.
>
> I don't blame "them".
>
> As it turns out, I'd forgotten that I already sync'd zope.security into
> Ubuntu, so already dropped this package.  This will break a few reverse
> dependencies which only exist in Ubuntu:
>
> Reverse-Depends
> ===============
> * python-zope.app.pagetemplate
> * python-zope.browserpage
> * python-zope.pagetemplate
> * python-zope.ptresource
>
> Still, I don't want to block on updating this stack.  If no one steps up to
> take this on in Debian, and it's a critical need in Ubuntu, we'll deal with it
> there.
>

I've merged zope.security to Ubuntu a few times, keeping the delta.

The code requiring RestrictedPython was extracted to a separate package.

Newer zope.pagetemplate lists this as an optional dependency and only on
Python 2.

4.0.2 (2013-02-22)
------------------

- Migrated from ``zope.security.untrustedpython`` to
  ``zope.untrustedpython``.

- Made ``zope.untrustedpython`` an extra dependency.  Without it, python
  expressions are not protected, even though path expressions are still
  security wrapped.


zope.browserpage 4.1.0a1 is updated for this split and requires plain
zope.security; zope.ptresource 4.0.0a1 too.

zope.app.pagetemplate needs a similar change to dependencies upstream.

I will deal with this in Ubuntu and upstream if necessary.
To keep the same functionality, a new source package zope.untrustedpython
should be added to Ubuntu. But can live without it.

-- 
Gediminas