Hi all, I'm pretty sure most of the people who deploy plone for production will not have many problems with an hard dependency on PIL.
I'm a bit concerned about the new users who download the plone installer
for MS platforms.
At the moment it is very easy for them to install plone and play a bit
with the system, will the dependency on PIL complicate the installation
process?
Will they be forced to download and install a package they don't know at
all ? Or we'll include PIL in the windows distribution ?
Thanks,
vds
On Tue, 2006-09-12 at 13:35 +0200, Raphael Ritz wrote:
> Wichert Akkerman schrieb:
> > Previously Raphael Ritz wrote:
> >
> >> For two reasons I'm not so sure:
> >>
> >> 1. PIL isn't necessarily the most trivial package to install
> >> and as of now be didn't require our users to fiddle with
> >> their Python installation (except for providing an appropriate
> >> version).
> >>
> >
> > I suspect (but I can't prove that) that most users will want to use PIL
> > and they can be divided in two categories:
> >
> > - people who just want Plone to work. These people should use the full
> > installers, which already install PIL as far as I know.
> AFAICT that's correct
> > This group
> > will also be hurt by image rescaling not working normally
> >
> but this won't be an issue anyway for those if the above is correct.
> > - Plone developers who want to work with the Plone stack directly and
> > install from sources (either .tar.gz, .zip or subversion). I would
> > expect this group to have enough clue to be able to install PIL as
> > well.
> >
> >
> >> 2. I do run sites where we didn't install PIL simply because
> >> we aren't specifically dealing with images on them.
> >>
> >
> > That puts you firmly into the second category.
> >
> > Looking at the code it should be quite simple to remove the hard PIL
> > dependency though.
> I didn't want to imply that this would be hard to do.
> All I'm asking in the end is whether this was a concious decision
> or just an oversite as this differs from our current policy.
> > A (very quick) look at the code does suggest that
> > doing so might introduce a security risk: it will also remove a real
> > sanity-check that a member portrait is an actual image. Something which
> > is nicely exploited by the spam we've been seeing lately on plone sites.
> >
> >
> that's a good point indeed but maybe just one more thing to
> educate people when it comes to best practices regarding
> dev boxes versus production sites.
>
> I could live with PIL being required but I would also
> like to hear opinions from those who didn't comment
> on this yet.
>
> Just my 2 cents
>
> Raphael
> > Wichert.
> >
> >
>
>
> _______________________________________________
> Framework-Team mailing list
> Framework-Team@lists.plone.org
> http://lists.plone.org/mailman/listinfo/framework-team
>
--
Vincenzo Di Somma
REFLAB srl
design, development and consulting
T: +39 349 756 54 60 E: [EMAIL PROTECTED] W: www.reflab.com
Weblog: http://www.reflab.com/blogs/vdsblog
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Framework-Team mailing list Framework-Team@lists.plone.org http://lists.plone.org/mailman/listinfo/framework-team
