Re: [Zope] Re: [Zope-dev] Proposed installation changes for review
On Tuesday 11 March 2003 10:48 pm, Jamie Heilman wrote: You'd probably still want a single master config file for the whole thing, and a tool to check the configuration is valid separate from the process that uses the file to configure itself. Not I. Large applications with a master config file are to be held with suspicion. Their longevity inevitably suffers because they are difficult to adapt to new situations. Im not sure the big config file approach is necessarily less adaptable than the big /etc directory approach. It is the details that make the difference - both approaches can be done well. Another way to ease configuration is to make things modular so its easier to visualize the flow of data. There is no amount of reconfiguration that can improve this in Zope2. Zope3 promises to fix this, but with modular python components rather than modular unix components. I would be interested in your thoughts on whether this makes a difference. -- Toby Dickenson http://www.geminidataloggers.com/people/tdickenson ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: Pydoc and Zope
Hi! Joachim Werner wrote: Is there a HOWTO for using Pydoc with a current Zope? Are there any new adapted versions of Pydoc? Or is there any better way of browsing the source code? Well. It depends on what you need. To get an overview of inherited methods, base classes and how they are related, I prefer epydoc. http://epydoc.sourceforge.net For a general comparison see this thread: http://mail.python.org/pipermail/doc-sig/2002-October/002815.html You can find outdated Zope3 docs generated with epydoc here: http://www.objectrealms.net/zope3/api/public/ I recently hacked epydoc to work with ExtensionClasses and got some useful Zope2 output. But there are still some bugs in my patch. It's not in a state to release, but if you want I can send you my patch. HTH, Yuppie BTW: I like these trees generated with epydoc :-) Base --+ | CopyContainer --+ | Base --+ | | | Navigation --+ | Base --+ | | | Tabs --+ | Acquirer --+ | Persistent --+ | Base --+ | | | EtagSupport --+ | | | | | LockableItem --+ | | | Resource --+ | | | Collection --+ | Traversable --+ | ObjectManager --+ | Base --+ | | | Node --+ | | | | | Element --+ | | | | | ElementWithAttributes --+ | | | PropertyManager --+ | Base --+ | | | RoleManager --+ | | | RoleManager --+ | Base --+ | | | EtagSupport --+ | | | | | LockableItem --+ | | | Resource --+ | | | Collection --+ | Base --+ | | | Base --+ | | | | | EtagSupport --+ | | | | | | | LockableItem --+ | | | | | Resource --+ | | | Base --+ | | | | | CopySource --+ | | | Base --+ | | | | | Tabs --+ | | | Traversable --+ | | | Node --+ | | | | | Element --+ | | | Base --+ | | | | | Owned --+ | | | Base --+ | | | | | UndoSupport --+ | | | Item --+ | Base --+ | | | FindSupport --+ | Folder ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Documentation
I was wanting make my jobs with a good presentation. So I downloaded Zope Website Documentation Tool. I followed the instructions. Unpacked the file, copy it to the import folder, gonne to root folder in Zope and then clicked import button. Unceremoniousness Zope said to me : The object broken does not support this operation! Why? What this is mean? Did I make something wrong? Maybe I broke the object? Anybody can help me? I'm running Zope 2.6 in a Pentium 233 stand alone, under Windows 98SE and ZServer. Do you mean this? http://www.zope.org/Members/fquin/ZWebsiteDocumentationTool If so, I see two possibilities: 1) you haven't installed Transparent Folder. 2) it seems somewhat old (Oct 2001), and may not work in newer versions of Zope. You can contact the author to see if it is known to work on 2.6. It may not be too hard to replicate this functionality (although I can't really glean from the website what that is, and I'm surprised you can.) BTW, TransparentFolders are known to have serious performance penalties in some situations, so perhaps you would want to avoid something that makes heavy use of them. Also, this seems to me more of a [EMAIL PROTECTED] question than a zope-dev one. --jcc ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope] Re: [Zope-dev] Proposed installation changes for review
Toby Dickenson wrote: There is no amount of reconfiguration that can improve this in Zope2. Zope3 promises to fix this, but with modular python components rather than modular unix components. I would be interested in your thoughts on whether this makes a difference. I don't think modular component libraries are a replacement for modular programs, or vice versa. They both have their place, they both can be good or bad depending on the implementation. (How's that for a wishy-washy say-nothing statement. g) I simply haven't looked seriously at Zope3 yet, because my needs and Zope3's timeline don't coincide. So unfortunately any opinons I could offer on Zope3's direction would be wholely uninformed. -- Jamie Heilman http://audible.transient.net/~jamie/ We must be born with an intuition of mortality. Before we know the words for it, before we know there are words, out we come bloodied and squalling with the knowledge that for all the compasses in the world, there's only one direction, and time is its only measure. -Rosencrantz ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] How (in)secure is Zope?
Dear Zope community, please excuse my ignorance, but I am asked from time to time how secure or insecure Zope actually is, and I always have to say that I actually don't know. There are people claiming that Zope opens a system to quite some level, others claim the opposite. Can someone please enlighten me and give me some details? Especially, are there some Zope products considered especially insecure? And, pondering more on security, are these issues, if they exist, bounded to Zope itself, or becomes a system generally more open to attacks, after Zope was installed? I don't mean to offend anybody by this, it is just a very simple question which I cannot answer alone. thanks so much in advance -- chris -- Christian Tismer :^) mailto:[EMAIL PROTECTED] Mission Impossible 5oftware : Have a break! Take a ride on Python's Johannes-Niemeyer-Weg 9a :*Starship* http://starship.python.net/ 14109 Berlin : PGP key - http://wwwkeys.pgp.net/ work +49 30 89 09 53 34 home +49 30 802 86 56 pager +49 173 24 18 776 PGP 0x57F3BF04 9064 F4E1 D754 C2FF 1619 305B C09C 5A3B 57F3 BF04 whom do you want to sponsor today? http://www.stackless.com/ ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] Navigation Structure
Hi All, I am new to Zope and have Plone running on top of Zope. I wish to change the navigation structure that is currently in the left_slot to be rendered as a footer. Any sugestions? Regards, John ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] How (in)secure is Zope?
On March 13, Christian Tismer wrote: please excuse my ignorance, but I am asked from time to time how secure or insecure Zope actually is, and I always have to say that I actually don't know. How secure is your wallet? You will never answer this until you define what you mean by security, and what you are securing *against*. Zope is perfectly secure or some uses, and perfectly insecure for others. For example, for safe delegation of responsibility within a web application, in a trusted environment, Zope is secure. However, as a mission-critical service exposed to the internet, it is wide-open. a. -- Adrian van den Dries [EMAIL PROTECTED] Development team www.dev.flow.com.au FLOW Communications Pty. Ltd. www.flow.com.au ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] How (in)secure is Zope?
Christian Tismer wrote: please excuse my ignorance, but I am asked from time to time how secure or insecure Zope actually is, and I always have to say that I actually don't know. Thats a good answer. Another one you might consider is, 2 liters because there is no simple answer to that question. There are people claiming that Zope opens a system to quite some level, others claim the opposite. Ideally, Zope only opens the system to the extent the system administator allows it to. Resource limits, chroot jails, and so forth, are effective ways to de-fang many of the avenues available to zope users with the ability to instantiate dtml, script, and other such objects. Zope's ACLs also help an admin carve up their users into realms of trust. Can someone please enlighten me and give me some details? Especially, are there some Zope products considered especially insecure? And, pondering more on security, are these issues, if they exist, bounded to Zope itself, or becomes a system generally more open to attacks, after Zope was installed? Generally, the more software you install, the more open to attack you are. If you don't need it, don't run it, and don't install it. Some Zope products may open up more avenues of exploit than others, thats why the admin should audit them before installing. I don't mean to offend anybody by this, it is just a very simple question which I cannot answer alone. No, its not a very simple question. If Zope was a small program with a single clear purpose, it might be. But Zope is a large framework with a multitude of directions. (A small program with a single clear purpose can not do what Zope does; let it be known I'm not suggesting Zope should be somehow packed into a small program with a single clear purpose. Broken up into several... perhaps, but thats a different thread.) Outside of the ideal world, unless extreme care is taken, software tends to have flaws with security ramifications. Last time I counted (March 1st.) there were 16 unaddressed issues in the Zope bug collector that had been marked as having security ramifications. Two of them are mine, and thus I feel confident in saying Zope is not as secure as it should or could be, but that if nothing else, the maintainers have been made aware of these shortcomings and that one can assume (if they should or not is a different matter) the issues will be taken care of. I will go on record as saying that, recently, response times to security related issues in the Zope2 tree have been disapointing. Construe from that what you will. -- Jamie Heilman http://audible.transient.net/~jamie/ Paranoia is a disease unto itself, and may I add, the person standing next to you may not be who they appear to be, so take precaution. -Sathington Willoughby ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] How (in)secure is Zope?
Adrian van den Dries wrote: On March 13, Christian Tismer wrote: please excuse my ignorance, but I am asked from time to time how secure or insecure Zope actually is, and I always have to say that I actually don't know. How secure is your wallet? I won't tell you (since this is insecure:). You will never answer this until you define what you mean by security, and what you are securing *against*. This is quite a silly argument, IMHO. My simple question was alike what kind of insecurity do I buy when I install Zope on my server. This question is asked from the POV of a system administrator. It is simple: Do I increase the possibility of somebody to obtain root rights, or do I not? Zope is perfectly secure or some uses, and perfectly insecure for others. Either it is secure for my server, in the sense I depicted above, or it is not. I don't see any relevance to any use, if I am using it on an exposed server in the internet. I think there should be one single answer, nothing else is relevant. ? For example, for safe delegation of responsibility within a web application, in a trusted environment, Zope is secure. Run in an intranet service? Run on the same machine? What is your definition of secure, if there is any? However, as a mission-critical service exposed to the internet, it is wide-open. Why is it wide open, and when is it wide open? Thanks a lot, but this doesn't help me at all. sorry - chris -- Christian Tismer :^) mailto:[EMAIL PROTECTED] Mission Impossible 5oftware : Have a break! Take a ride on Python's Johannes-Niemeyer-Weg 9a :*Starship* http://starship.python.net/ 14109 Berlin : PGP key - http://wwwkeys.pgp.net/ work +49 30 89 09 53 34 home +49 30 802 86 56 pager +49 173 24 18 776 PGP 0x57F3BF04 9064 F4E1 D754 C2FF 1619 305B C09C 5A3B 57F3 BF04 whom do you want to sponsor today? http://www.stackless.com/ ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: [Zope3-dev] How (in)secure is Zope?
On Wed, 2003-03-12 at 19:54, Christian Tismer wrote: Dear Zope community, please excuse my ignorance, but I am asked from time to time how secure or insecure Zope actually is, and I always have to say that I actually don't know. There are people claiming that Zope opens a system to quite some level, others claim the opposite. Can someone please enlighten me and give me some details? Especially, are there some Zope products considered especially insecure? And, pondering more on security, are these issues, if they exist, bounded to Zope itself, or becomes a system generally more open to attacks, after Zope was installed? I don't mean to offend anybody by this, it is just a very simple question which I cannot answer alone. I think the problem is that the question isn't really simple, because the different configurations in which Zope is used vary so much. For instance, let me describe a configuration which is in production todday: - Zope is configured such that it listens for requests only on a single, non-routed interface. - Public access is mediated by a caching reverse proxy. - The user and group as which Zope runs in this setup hass extremely reduced privilegss: it has read access to Python, the standard Python libraries, the Zope sofware, and its configuration files; it has write access only to the var directory in which it keeps its database, PID, and log files. - Anonymous users in this Zope instance have only one permission, which allows them to view published content. They cannot create objects in the ZODB at all. - Content managers never log into this Zope instance at all; instead, they use a separate instance, behind the company's firewall, with an entirely different set of permissions; yet, the content is shared directly with the public site, via mounted storages. In this scenario, the Zope process itself has a very small vulnerability set: - The proxy shields Zope from most forms of DoS attacks (cleverly constructed query strings might still be able to get through). - Because the Zope instance uses Python's string handling facilities, it is not vulnerable to many of the buffer overflow attacks which plague C-based daemons. - If a user could gain control of the Zope process, the only scope for damage would be the ZODB itself. Now let me describe another configuraton, running in production now for years (one process in the cluster had an uptime of 400 days at a recent hardware-induced reboot): - Two Zope application servers run behind a load balancer and an Apache proxy (non-caching), serving requests against data in a shared storage server. - The server permits through-the-web registration, with minimal identity check (only a valid e-mail address. As of this writing, there are 18000+ user accounts. - Users of the site get a member folder where they can create templates, Python scripts, and content within the ZODB. Some minimal workflow exists, controlling basically whether the user's content is included in site searches. This configuration is perhaps the most vulnerable I can think of: nearly-anonymous users can create applications, using as much of Python as the through-the-web Python scripts allow. Yet, in the years this site has been running, it has suffered from only mild forms of abuse: - Malice-free templating triggered DoS-like bursts of activity (looping, or pathologically-nested acquisition). - Warez r00erz were using the site to serve ripped-off tarballs, before the site added upload filters which made the practice unprofitable. - Some users used the templating features to construct sub-sites which violated the terms of use for their accounts, which were eventually terminated. - Occasionally, the site sees bursts of DoS-like activity (which may be malicious, or may simply be incompetently-written spiders). The normal defense to such attacks is to block packets from their IPs (or ranges) at the border router. How could such a site not have been wrecked? I can offer a couple of hypotheses: - Trashing it hasn't been attractive enough to sufficiently determined blackhats. - Zope's restrictions on through-the-web code are mostly successful: in particular, such code can see only white-listed library modules, and has limited access to attributes and methods of objects in the object database. thanks so much in advance -- chris There *are* add-on products which can potentially increase the vulnerability of a Zope application, by expanding access to the kinds of modules which allow an attacker to springboard from Zope (Python's urllib, os, etc.). Zope has issued a number of security advisories, accompanied by installable hot-fix products: http://www.zope.org/Products/Zope/hotfixes Note that almost all of these advisories relate to issues with through- the-web
Re: [Zope-dev] How (in)secure is Zope?
Christian Tismer wrote: This is quite a silly argument, IMHO. No its not, you can't give exact answers to inexact questions with no prior understanding of how much foreknowledge the audience has. Especially when you're talking about security. It is simple: Do I increase the possibility of somebody to obtain root rights, or do I not? Given that there is no good reason to run Zope as root, assuming you don't configure Zope to fly in the face of reason, and assuming you discount the possiblity of exacerbating other external vulnerabilities your system may have (which is a stupid thing to discount IMO), then no, Zope doesn't increase the possiblity of obtaining root privileges. -- Jamie Heilman http://audible.transient.net/~jamie/ You came all this way, without saying squat, and now you're trying to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile? I liked you better when you weren't saying squat kid. -Buddy ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] RE: [Zope3-dev] How (in)secure is Zope?
[Christian Tismer] ... I don't mean to offend anybody by this, it is just a very simple question which I cannot answer alone. There may be a simple question hiding in this, but it's hard to find wink. You try: how secure is sendmail? how secure is ssh? how secure is Python? Answer those simple(?!) questions in the way you're looking for, and maybe someone can do the same wrt Zope. As is, you *appear* to be asking for a one-word summary of an encyclopedia. Big wink. ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] How (in)secure is Zope?
On 03/12/2003 07:54 PM, Christian Tismer wrote: Dear Zope community, please excuse my ignorance, but I am asked from time to time how secure or insecure Zope actually is, and I always have to say that I actually don't know. There are people claiming that Zope opens a system to quite some level, others claim the opposite. Can someone please enlighten me and give me some details? Especially, are there some Zope products considered especially insecure? Well, here's the way I read this. Let's say you're a system administrator and someone wants to add a service you've never heard of. Here's what you would ask to assess its security: - Is there any way this service can grant root privileges? If so, are there adequate protections? - Can this service do things to the server that are difficult to control, like fork bombs or lock starvation? - Can this service be hijacked to do unexpected things on the network (like assist in a DDoS attack or relay spam)? - Even if it can't hurt the server or other servers, does the service protect itself from vandalism, information theft, and DoS attempts? - Have there been a lot of security vulnerability patches for this service? I think this list is pretty comprehensive. I think if stock Zope provides satisfactory answers to all of these questions, we can legitimately call it secure. First, even if you run Zope as root, Zope drops root privileges as soon as it can. By the time it accepts requests, it can no longer do anything as root. The Zope internal security model is fully confined to the limitations of the owner of the Zope process. So stock Zope is secure in this regard. Second, certain features of modern kernels aren't quite mature, and if abused, these features can lead to a denial of service. Zope uses long-running Python threads, so it doesn't make much use of kernel services like forking and massive locking. (Other resources like RAM, CPU, and hard disk space are more mature and easier to control using ulimits, quotas, and partitions.) Stock Zope is secure in this regard. Third, Zope is designed to be a self-contained network service. Other than the internal SMTP relay service, stock Zope doesn't have a way to access services on other servers. In a way, this is a missing feature, but it also makes Zope unattractive as a potential DDoS relay node. As for relaying spam, the SMTP relay service is protected by Zope's security model. Only trusted users can send email. So if Zope's security model is secure, stock Zope is secure in this regard too. Fourth, Zope has its own security model independent of the system security that controls access to the Zope database, Python products, and the Python standard library. There have been mistakes in the internal security model before, but the mistakes only allowed already trusted users to do more than they should. I don't know of any security model breach ever that allowed untrusted or anonymous users to do something they shouldn't. And again, even if the internal security model is broken, Zope is still confined to the limitations of the owner of the process. So Zope is secure in this regard, as far as we know. Fifth, it is true that many hotfixes have been released for Zope, but Zope hotfixes are really quite different from patches to other products. Patches to other products tend to fix system-level things like buffer overflows, root exploits, temporary file race conditions, etc. Zope hotfixes operate at a much higher level than that, fixing only things that Zope cares about. If a system administrator installed an old version of Zope but ignored all the hotfixes ever released for Zope, the system would still be safe and Zope would still be protected against attacks by anonymous users. The only vulnerability would involve trusted users who want to vandalize Zope. So even though there have been many hotfixes, they are irrelevant--Zope is still secure. (Unless you can't trust your trusted users, which is a different problem.) So I think we can reliably say that stock Zope is secure. An insecure product, on the other hand, opens up many possibilities, but that ought to be the subject of a different discussion. Shane ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Re: [Zope] Proposed installation changes for review
On Tue, 2003-03-11 at 08:48, Chris McDonough wrote: On Tue, 2003-03-11 at 00:24, Edward Muller wrote: Once zope is installed in /opt/zope-2.7.0 can it be moved without damaging the install say to /home/virtual/some.host.name/opt/zope-2.7.0 ? Yes. Its location is only meaningful to the instance files that need to find it. In our hosting setup some things get run in a chroot, some things can't... Currently zope get's installed in a chroot environment for anyone who wants a zope install. It must be a complete install since when the user restarts it he will be in his chroot environment. So I'd ideally like to install zope in a way where all of the core of zope is in one place ... say ... /opt/zope/version # (/opt/zope/2.7.0, /opt/zope/2.7.1, etc...) This I can hardlink/symlink into each chroot and make permissions 755 root/root. I think this will work. The only thing that might be a little weird is tracebacks generated by pyc files, as they may report the filenames of the Python modules where they were originally installed, instead of where they live now. There is some contention about whether this happens under Python 2.2, but I know it's true for Python 2.1 and prior. Well I can install zope in /opt/zope/2.7.1 (in the real root) and then when I symlink/hardlink it into a virtual host I can link it into that hosts /opt/zope/2.7.1 ... So that's not a biggie From there I would like to be able to install an 'instance', which is ... in my case meaning the data.fs, /Products directory, log files, etc, etc. The stuff that make this users instance theirs. When the install is happening, the script executing it would most likely be outside of the chroot ... but I guess it could be configured to chroot as well.. You would need to chroot the run of makeinstance currently as it encodes paths to software within the instance files that start Zope. So if you ran it outside the chroot it would work, but when the user logged in to the chroot, the paths to the software would be wrong. That's not a problem ... at least IIRC. I can chroot when creating the account in a shell script and execute custom setup scripts. I think this might be made configurable with a switch to mkzopeinstance (--sw_location=/some/path), though. I will add this to the tentative TODO, thanks. all thought that would be nice. I already have start/stop scripts to go through the users that have a zope install and chroot into that users 'host' and then start zope as that 'hosts' administrative user. These scripts will unfortunately need to change for Zope 2.7 unless we create some sort of backwards compatibilty layer for startup. Yeah. Oh well. They aren't that complex. :-) I wouldn't worry about the backward compatibility layer myself. I don't know if there is a great value add to it, aside from keeping users from going 'WTF happened?' :-) -- Edward Muller Interlix - President Web Hosting - PC Service Support Custom Programming - Network Service Support Phone: 417-862-0573 Cell: 417-844-2435 Fax: 417-862-0572 http://www.interlix.com ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )