I'm going to be travelling very shortly and offline for ~ 36 hours. I think we should improve our testing in this area.
I don't think that having the core factory proxy the objects it returns is very faithful to how things are wired up in prod - jml's mail reinforces this for me. We can fail on security problems in two directions: 1 - miss something that will block a user inappropriately 2 - miss something that fails to block a user Having more proxies around objects that talk to each other in tests than there are around those objects in production will bias our test failures to (2). IMO This is a risk with more severe consequences than having a test suite biased to (1). Discuss. If you guys agree that the bias would shift to (2), and that that is a greater risk, please consider backing out the change and rethinking it - perhaps along the lines I suggested, perhaps along some other lines. -Rob _______________________________________________ Mailing list: https://launchpad.net/~launchpad-dev Post to : [email protected] Unsubscribe : https://launchpad.net/~launchpad-dev More help : https://help.launchpad.net/ListHelp
