[Zope] Disable configuration of 3rd party packages with z3c.unconfigure
When relying on a third-party package with ZCML configuration, it is sometimes desirable to disable certain directives, for instance when the third-party package defines an event subscriber that you'd like to disable.

This is now possible with z3c.unconfigure. While zope.configuration (the package that implements ZCML) itself supports overriding existing configuration and the zc.configuration package supports excluding whole ZCML files from being loaded, z3c.unconfigure allows you to disable specific directives.

More information is available at http://pypi.python.org/pypi/z3c.unconfigure.

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

[Zope] Python Security Vulnerabilities
I first apologize for cross posting, but this is a critical issue for my organization.

We have several applications built with Plone, ranging from v 2.0.5 to v 2.5.3 and Zope, ranging from 2.7.3 to 2.9.7. With the August 2008 release of a Python security vulnerability (http://secunia.com/advisories/31305/), we are trying to determine how this affects our web applications and how to mitigate and detect any attacks.

We have seen no discussion among the Zope and Plone communities regarding this security threat. Is this an indication that Zope and Plone are immune from these exploits due to the additional security model it puts in place or is everyone simply waiting for Python to release a patch?

Any advice or guidance on this issue is greatly appreciated.

--
Stacy Ladnier, Senior Software Engineer
General Dynamics Information Technology/NOAA
National Coastal Data Development Center
Phone: (228) 688-1878
email: [EMAIL PROTECTED]

[Zope] Re: Python Security Vulnerabilities
On Fri, 08 Aug 2008 08:09:56 -0700, Stacy Ladnier [EMAIL PROTECTED] wrote:

> I first apologize for cross posting, but this is a critical issue for my organization.
>
> We have several applications built with Plone, ranging from v 2.0.5 to v 2.5.3 and Zope, ranging from 2.7.3 to 2.9.7. With the August 2008 release of a Python security vulnerability (http://secunia.com/advisories/31305/), we are trying to determine how this affects our web applications and how to mitigate and detect any attacks.
>
> We have seen no discussion among the Zope and Plone communities regarding this security threat. Is this an indication that Zope and Plone are immune from these exploits due to the additional security model it puts in place or is everyone simply waiting for Python to release a patch?

Most of the issues mentioned seem to be irrelevant to Plone from a casual glance (disclaimer: I'm not a coder :) — but this one could probably do with some investigation:

> 3) Integer overflow errors in the processing of unicode strings can be exploited to cause buffer overflows on 32-bit systems.

In general, we have to wait until Python releases new versions that fix these issues when they happen. I'm sure that will be the easiest and quickest way to resolve this too.

--
Alexander Limi · http://limi.net

[Zope] Re: [Plone-Users] Python Security Vulnerabilities
--On 8. August 2008 10:09:56 -0500 Stacy Ladnier [EMAIL PROTECTED] wrote:

> I first apologize for cross posting, but this is a critical issue for my organization.
>
> We have several applications built with Plone, ranging from v 2.0.5 to v 2.5.3 and Zope, ranging from 2.7.3 to 2.9.7. With the August 2008 release of a Python security vulnerability (http://secunia.com/advisories/31305/), we are trying to determine how this affects our web applications and how to mitigate and detect any attacks.
>
> We have seen no discussion among the Zope and Plone communities regarding this security threat. Is this an indication that Zope and Plone are immune from these exploits due to the additional security model it puts in place or is everyone simply waiting for Python to release a patch?

I don't see any imminent threat for Zope based on the vague advisories. As Limi said: wait until fixed Python versions are available.

Andreas

[Zope-dev] Zope Tests: 5 OK
Summary of messages to the zope-tests list.
Period Thu Aug 7 11:00:00 2008 UTC to Fri Aug 8 11:00:00 2008 UTC.
There were 5 messages: 5 from Zope Tests.

Tests passed OK
---------------

Subject: OK : Zope-2.8 Python-2.3.6 : Linux
From: Zope Tests
Date: Thu Aug 7 20:54:37 EDT 2008
URL: http://mail.zope.org/pipermail/zope-tests/2008-August/009975.html

Subject: OK : Zope-2.9 Python-2.4.4 : Linux
From: Zope Tests
Date: Thu Aug 7 20:56:07 EDT 2008
URL: http://mail.zope.org/pipermail/zope-tests/2008-August/009976.html

Subject: OK : Zope-2.10 Python-2.4.4 : Linux
From: Zope Tests
Date: Thu Aug 7 20:57:38 EDT 2008
URL: http://mail.zope.org/pipermail/zope-tests/2008-August/009977.html

Subject: OK : Zope-2.11 Python-2.4.4 : Linux
From: Zope Tests
Date: Thu Aug 7 20:59:08 EDT 2008
URL: http://mail.zope.org/pipermail/zope-tests/2008-August/009978.html

Subject: OK : Zope-trunk Python-2.4.4 : Linux
From: Zope Tests
Date: Thu Aug 7 21:00:38 EDT 2008
URL: http://mail.zope.org/pipermail/zope-tests/2008-August/009979.html

___
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] zc.authorizedotnet
On Mon, 04-08-2008 at 19:31 -0400, Gary Poster wrote:

> Hi Juan. Certainly we'd hate to see an unnecessary fork.

yes... I think so too...

> Are you a Zope Contributor?

no

> I don't keep up with all the preferred mechanisms for external contributors, so we'll ask around if not. You'll have to make some license assignments (to Zope Foundation and contributors, I believe) and assertions (Zope Public License).

no problem...

> We would want tests for the changes, of course.

my changes are full of test... almost mimic the original tests at README.txt

Thanks Gary... see you...

Re: [Zope-dev] Re: zcml filtering
Previously Philipp von Weitershausen wrote:
> Marius Gedminas wrote:
> > On Tue, Aug 05, 2008 at 10:36:30PM +0100, Martin Aspeli wrote:
> > > Subscribers and subscription adapters are particularly bad in this way, since they are unnamed and thus can't be overridden, only amended to.
> > >
> > > We've talked about an off switch for ZCML before. Given that we have a configuration machine that's capable of doing overrides based on discriminators, why couldn't we have support for negatives, e.g.
> > >
> > >   <unconfigure>
> > >     <utility ... />
> > >   </unconfigure>
> > >
> > > This could use a special _context that would record callables and discriminators, and then look for the corresponding callables/discriminators in the real context and remove them before that context was configured.
> >
> > Subscribers don't have discriminators, unfortunately.
>
> Indeed they don't. That just makes them harder to track down, though.
>
> I'm working on a package for this functionality in z3c.unconfigure right now. Name inspired by Martin's suggestion above; my original prototype used had a different name but this is much better :).

I am using z3c.unconfigure now and it works perfectly.

Wichert.

--
Wichert Akkerman [EMAIL PROTECTED]    It is simple to make things.
http://www.wiggy.net/                 It is hard to make things simple.

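The difference between overriding by discriminator and removing an anonymous subscriber, as discussed in the thread above, shown in an added example that is not code from zope.configuration, z3c.unconfigure or any poster. It is a simplified model: the `Action` tuple, the helper functions and every dotted name in the sample data are assumptions made for illustration.

```python
from collections import namedtuple

# Simplified stand-in for a configuration action: what to call, with which
# arguments, and the discriminator used to detect and resolve conflicts.
Action = namedtuple("Action", "discriminator callable args")

def utility(component, provides, name=""):
    # Named registrations carry a discriminator, so they can be overridden.
    return Action(("utility", provides, name), "provideUtility",
                  (component, provides, name))

def subscriber(handler, event):
    # Subscribers carry no discriminator: nothing identifies "the same" one.
    return Action(None, "provideHandler", (handler, event))

def apply_overrides(actions, overrides):
    """Replace actions whose discriminator matches; everything else is added."""
    replacing = {o.discriminator: o for o in overrides
                 if o.discriminator is not None}
    out = [a if a.discriminator is None else replacing.pop(a.discriminator, a)
           for a in actions]
    out.extend(replacing.values())
    out.extend(o for o in overrides if o.discriminator is None)
    return out

def unconfigure(actions, unwanted):
    """Drop actions matching an unwanted one: by discriminator when there is
    one, by (callable, args) when there is none."""
    def same(a, u):
        if u.discriminator is not None:
            return a.discriminator == u.discriminator
        return (a.discriminator is None
                and (a.callable, a.args) == (u.callable, u.args))
    return [a for a in actions if not any(same(a, u) for u in unwanted)]

def handlers(actions):
    """Names of the event handlers that would end up registered."""
    return [a.args[0] for a in actions if a.callable == "provideHandler"]

# Constructed third-party configuration (all dotted names are hypothetical).
THIRD_PARTY = [
    utility("thirdparty.Mailer", "IMailer"),
    subscriber("thirdparty.log_login", "ILoggedInEvent"),
    subscriber("thirdparty.notify_created", "IObjectCreatedEvent"),
]

if __name__ == "__main__":
    site = [utility("site.Mailer", "IMailer"),
            subscriber("site.noop", "IObjectCreatedEvent")]
    # Overriding replaces the utility but only adds a second subscriber.
    print(handlers(apply_overrides(THIRD_PARTY, site)))
    # Unconfiguring removes the unwanted subscriber itself.
    print(handlers(unconfigure(
        THIRD_PARTY,
        [subscriber("thirdparty.notify_created", "IObjectCreatedEvent")])))
```
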
[Zope-dev] KGS buildbot news
News about the KGS buildbot at http://zope3.pov.lt/buildbot/:

  * all builds are done in a virtualenv sandbox uncontaminated by system python packages

  * the waterfall display shows a brief summary (ntests/errors/failures)

  * there are short logs with summaries only (lists of tests that failed, had errors, or could not be imported)

  * there are bookmarkable links to the latest summaries (and logs) at http://zope3.pov.lt/

Latest test results

  * Python 2.4, 32-bit Linux:

    - zope.server tests fail horribly with invalid file descriptor errors. I cannot reproduce this error in isolation (bin/test -m zope.server), but I can reproduce it when I run all the tests together. Some previous test is mucking stuff up.

    - z3c.rml depends on PIL but doesn't express that in its setup.py. It also depends on Reportlab. Neither PIL nor Reportlab can be installed as eggs from PyPI. There are working eggs for both PIL and Reportlab available on the Internet, AFAIK, but so far nobody worked with the respective upstreams to get those into PyPI.

      Since I don't use z3c.rml myself, and since repeated import errors for every test layer clutter the output a lot, I've disabled z3c.rml tests for now.

  * Python 2.4, 64-bit Linux:

    - same as Python 2.4 on 32-bit Linux, plus

    - one or two zdaemon tests fail nondeterministically (the daemon process, usually sleep 10 or sleep 100, exits before the test can invoke zdaemon stop)

      I can reproduce it (nondeterministically) on various machines. I do not understand how sleep 100 can terminate in under 18 seconds that it takes for the tests to fail.

    - zope.app.apidoc, zope.app.renderer and zope.app.generations errors that end up as an ImportError: No module named roman inside a docutils.

      I suspect a problem in the environment and I'm tempted to rm -rf the buildout working dir and see if I can reproduce it starting from a clean state.

  * Python 2.5, 32-bit Linux:

    - same as Python 2.4 on 32-bit Linux, plus

    - z3c.form expects a certain behaviour from Exception.__repr__, which changed in Python 2.5

  * Python 2.5, 64-bit Linux

    - a horrifying amount of errors (80 total), I'll retry after cleaning up the buildbot slave dir.

Marius Gedminas
--
C is a language that combines all the elegance and power of assembly language with all the readability and maintainability of assembly language.

Re: [Zope-dev] zc.authorizedotnet
On Fri, 08-08-2008 at 14:05 -0400, Gary Poster wrote:

> Sorry Juan; been busy, Jim's been unavailable, and I'm out of the office today. I intend to get back to you next week.

Thanks Gary... ok...

Re: [Zope-dev] KGS buildbot news
On Fri, Aug 08, 2008 at 07:26:08PM +0300, Marius Gedminas wrote:
> Latest test results

Now updated after

  * nuking buildbot slave directories that had some contamination from previous contacts with system python

  * disabling z3c.rml tests because of missing PIL and Reportlab eggs in PyPI

  * upgrading zope.security and zope.proxy in the KGS to fix issues with Python 2.5 on 64-bit machines

Many of the errors have gone away. I'm quoting only the remaining ones

  * Python 2.4, 32-bit Linux:

    - zope.server tests fail horribly with invalid file descriptor errors. I cannot reproduce this error in isolation (bin/test -m zope.server), but I can reproduce it when I run all the tests together. Some previous test is mucking stuff up.

  * Python 2.4, 64-bit Linux:

    - same as Python 2.4 on 32-bit Linux

  * Python 2.5, 32-bit Linux:

    - same as Python 2.4 on 32-bit Linux, plus

    - z3c.form expects a certain behaviour from Exception.__repr__, which changed in Python 2.5

  * Python 2.5, 64-bit Linux

    - same as Python 2.5 on 32-bit Linux, plus

    - zc.zope3recipes gets unexpected test output about upgrading zc.buildout to version 1.1.1

The nondeterministic zdaemon test did not fail during *this* buildbot run. A reminder about what it is:

    - one or two zdaemon tests fail nondeterministically (the daemon process, usually sleep 10 or sleep 100, exits before the test can invoke zdaemon stop)

      I can reproduce it (nondeterministically) on various machines. I do not understand how sleep 100 can terminate in under 18 seconds that it takes for the tests to fail.

The reproduction is simply running bin/test -m zdaemon --repeat 10. Some of the iterations see one error, some see two, some are error-free. Having a busy machine helps. Hm, better change that "helps" to "is essential", since now I cannot reproduce the bug any more.

Marius Gedminas
--
Unix gives you enough rope to shoot yourself in the foot.

Re: [Zope-dev] KGS buildbot news
On Sat, Aug 09, 2008 at 12:57:48AM +0300, Marius Gedminas wrote:
> - zope.server tests fail horribly with invalid file descriptor errors. I cannot reproduce this error in isolation (bin/test -m zope.server), but I can reproduce it when I run all the tests together. Some previous test is mucking stuff up.

'bin/test -m ZEO -m zope.server' is enough to reproduce this error.

Marius Gedminas
--
Change is inevitable, except from a vending machine.

Re: [Zope-dev] KGS buildbot news
On Fri, Aug 8, 2008 at 18:26, Marius Gedminas [EMAIL PROTECTED] wrote:
> News about the KGS buildbot at http://zope3.pov.lt/buildbot/:

Impressive, can you show your buildbot configuration? I want to run the same here.

--
Seb

Re: [Zope-dev] KGS buildbot news (zope.server failure almost explained)
On Sat, Aug 09, 2008 at 01:50:33AM +0300, Marius Gedminas wrote:
> On Sat, Aug 09, 2008 at 12:57:48AM +0300, Marius Gedminas wrote:
> > - zope.server tests fail horribly with invalid file descriptor errors. I cannot reproduce this error in isolation (bin/test -m zope.server), but I can reproduce it when I run all the tests together. Some previous test is mucking stuff up.
>
> 'bin/test -m ZEO -m zope.server' is enough to reproduce this error.

Minimal test case:

  bin/test -pvc1 -m zope.server -t testAPPE -m ZEO -t insane

The ZEO test that breaks zope.server.ftp is multiple_storages_invalidation_queue_is_not_insane (ZEO.tests.testZEO)

For completeness, the full sequence of steps is

  check out zope.release branch 3.4
  bootstrap and run buildout
  bin/generate-buildout
  cd test
  ../bin/buildout
  bin/test -pvc1 -m zope.server -t testAPPE -m ZEO -t insane

Marius Gedminas
--
Hoping the problem magically goes away by ignoring it is the microsoft approach to programming and should never be allowed.
		-- Linus Torvalds

Re: [Zope-dev] KGS buildbot news
On Sat, Aug 09, 2008 at 01:59:49AM +0200, Sebastien Douche wrote:
> On Fri, Aug 8, 2008 at 18:26, Marius Gedminas [EMAIL PROTECTED] wrote:
> > News about the KGS buildbot at http://zope3.pov.lt/buildbot/:
>
> Impressive, can you show your buildbot configuration? I want to run the same here.

http://zope3.pov.lt/master.cfg

Extra requirement: virtualenv.py copied to /usr/local/bin on build slaves (I didn't feel comfortable checking it into zope.release SVN or trying to teach buildbot/bootstrap to use virtualenv and then re-exec itself with a sandboxed python interpreter).

Marius Gedminas
--
The *REAL* Y2K is the year 2048.