Hi all,

I'm pretty sure most of the people who deploy Plone for production will not have many problems with a hard dependency on PIL.

I'm a bit concerned about the new users who download the Plone installer for MS platforms. At the moment it is very easy for them to install Plone and play a bit with the system. Will the dependency on PIL complicate the installation process? Will they be forced to download and install a package they don't know at all? Or will we include PIL in the Windows distribution?

Thanks,
vds

On Tue, 2006-09-12 at 13:35 +0200, Raphael Ritz wrote:
> Wichert Akkerman wrote:
> > Previously Raphael Ritz wrote:
> >
> >> For two reasons I'm not so sure:
> >>
> >> 1. PIL isn't necessarily the most trivial package to install
> >>    and as of now we didn't require our users to fiddle with
> >>    their Python installation (except for providing an appropriate
> >>    version).
> >>
> >
> > I suspect (but I can't prove that) that most users will want to use PIL
> > and they can be divided in two categories:
> >
> > - people who just want Plone to work. These people should use the full
> >   installers, which already install PIL as far as I know.
> AFAICT that's correct
> >   This group
> >   will also be hurt by image rescaling not working normally
> >
> but this won't be an issue anyway for those if the above is correct.
> > - Plone developers who want to work with the Plone stack directly and
> >   install from sources (either .tar.gz, .zip or subversion). I would
> >   expect this group to have enough clue to be able to install PIL as
> >   well.
> >
> >
> >> 2. I do run sites where we didn't install PIL simply because
> >>    we aren't specifically dealing with images on them.
> >>
> >
> > That puts you firmly into the second category.
> >
> > Looking at the code it should be quite simple to remove the hard PIL
> > dependency though.
> I didn't want to imply that this would be hard to do.
> All I'm asking in the end is whether this was a conscious decision
> or just an oversight as this differs from our current policy.
> > A (very quick) look at the code does suggest that
> > doing so might introduce a security risk: it will also remove a real
> > sanity-check that a member portrait is an actual image. Something which
> > is nicely exploited by the spam we've been seeing lately on Plone sites.
> >
> >
> that's a good point indeed but maybe just one more thing to
> educate people when it comes to best practices regarding
> dev boxes versus production sites.
>
> I could live with PIL being required but I would also
> like to hear opinions from those who didn't comment
> on this yet.
>
> Just my 2 cents
>
> Raphael
> > Wichert.
> >
>
> _______________________________________________
> Framework-Team mailing list
> Framework-Team@lists.plone.org
> http://lists.plone.org/mailman/listinfo/framework-team
>
--
Vincenzo Di Somma
REFLAB srl
design, development and consulting
T: +39 349 756 54 60
E: [EMAIL PROTECTED]
W: www.reflab.com
Weblog: http://www.reflab.com/blogs/vdsblog