Re: [Zope-dev] Preview of a Stackless Zope Application
Leonardo Rochael Almeida wrote:
> On Thu, 2003-12-11 at 01:50, Christian Tismer wrote:
> [Stackless Zope App]
>> The key to this surprising solution is tasklets, channels, and thread pickling. Let me know your thoughts...
>> http://www.centera.de/tismer/stackless/zope_demo
>
> This is very impressive. Can we get the rest of the source code? like, what is the definition of channel_send()?

Well, this is all still a little ugly, and I didn't want to spoil the nice effect by such details.

Actually, there are restrictions on what I can use from Stackless, since I'm writing in Restricted python. Without further additions to Stackless (which I didn't understand, yet), Zope doesn't allow me to call methods on tasklets and channels, so I had to put things into external methods, which do these calls for me.

channel_send(ch, data) is just a wrapper and actually does ch.send(data)

same here: stackless_tasklet(prog) is a wrapper that calls stackless.tasklet(prog) since I cannot import my module.

Furthermore, these channels are not the builtin Stackless channels, but a fake Python class, which implements channels in Python. The reason was that Stackless channels don't have pickling support, yet. Also a reason why I call this a preview. Anyway, it works and is not cheating.

You might be interested in the driver code, which is a Python script as well (the other side that reads from the channel):

runDemo script:

    # Example code:
    # Import a standard function, and get the HTML request and response objects.
    from Products.PythonScripts.standard import html_quote
    request = container.REQUEST
    RESPONSE = request.RESPONSE

    # see whether we have a channel stored in the session
    chname = 'demo_channel'
    session = request.SESSION
    if not session.has_key(chname):
        ch = container.stackless_channel()
        t = container.stackless_tasklet(container.program)
        t(ch)  # bind parameter
        del t
        session[chname] = ch
    ch = session[chname]
    data = container.channel_receive(ch)
    last = 0
    if data is None:
        del session[chname]
        last = 1
    return container.index_html(value=data, show_source=last)

I will put some more work into this if I get more feedback, and add more infos to the website.

An interesting version would be to not use the session at all, but send the pickle together with the web page. That means to pickle by hand and to use encryption of course.

ciao - chris

--
Christian Tismer :^) mailto:[EMAIL PROTECTED]
Mission Impossible 5oftware : Have a break! Take a ride on Python's
Johannes-Niemeyer-Weg 9a :*Starship* http://starship.python.net/
14109 Berlin : PGP key - http://wwwkeys.pgp.net/
work +49 30 89 09 53 34 home +49 30 802 86 56 mobile +49 173 24 18 776
PGP 0x57F3BF04 9064 F4E1 D754 C2FF 1619 305B C09C 5A3B 57F3 BF04
whom do you want to sponsor today? http://www.stackless.com/

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
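The closing idea of the message above, sending the pickled state with the web page instead of keeping it in the session, shown as an added example that is not part of the original post or of the demo's code. The state is authenticated with an HMAC (integrity, not the encryption the post mentions) so the server only unpickles bytes it issued itself; `SERVER_KEY`, `seal`, `unseal`, `handle_request` and the dict standing in for the pickled tasklet are assumptions.

```python
import base64
import hashlib
import hmac
import pickle
import secrets

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed sample output of the long-running "program".
DEMO_LINES = ["line 1", "line 2", "line 3"]


class BadToken(Exception):
    """The client-supplied state failed verification and was not unpickled."""


def seal(state, key=SERVER_KEY):
    """Pickle `state` and prepend an HMAC-SHA256 tag; returns form-safe text."""
    payload = pickle.dumps(state, protocol=2)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload).decode("ascii")


def unseal(token, key=SERVER_KEY):
    """Verify the tag first; only then hand the payload to pickle.loads()."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError as exc:  # bad padding or non-ASCII input
        raise BadToken("malformed token") from exc
    if len(raw) <= MAC_LEN:
        raise BadToken("token too short")
    tag, payload = raw[:MAC_LEN], raw[MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise BadToken("MAC mismatch")
    return pickle.loads(payload)  # reached only for bytes this server signed


def handle_request(token=None):
    """One page view: restore or create the state, emit one line, reseal.

    Returns (data, next_token); data is None when the program has finished,
    matching the `data is None` check in the runDemo script.
    """
    # A plain dict stands in for the pickled tasklet so this runs on CPython.
    state = unseal(token) if token else {"pos": 0}
    if state["pos"] >= len(DEMO_LINES):
        return None, None
    data = DEMO_LINES[state["pos"]]
    state["pos"] += 1
    return data, seal(state)
```

The tag gives integrity only: the client can still read the state and replay an older token, so confidentiality and freshness need separate measures such as an authenticated cipher and a server-side counter or expiry.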
[Zope-dev] Preview of a Stackless Zope Application
Howdy,

I made a little demo of Stackless Zope. It is just a quick hack to see how things can work. The example is a long-running Python method which prints lines to the browser.

The key to this surprising solution is tasklets, channels, and thread pickling.

Let me know your thoughts...

http://www.centera.de/tismer/stackless/zope_demo

-- Christian Tismer
[Zope-dev] OrderSupport and ExternalEditor
Hi Zopistas,

I had some trouble to get the extra sorting controls to work for the Ordered Folders. The Ordered Folders just appear(ed) the same as regular folders.

After quite some code browsing, I found out: (and there is a note on DZug as well)

The problem is, that I'm using ExternalEditor, and this product does a monkey patch on the ObjectManager: It replaces the manage_main dtml with its own version, which has no support for ordered folders, yet. The reason why this patch happens is just to add that little edit pen next to each row in the view.

Quick solution, until the author updates his product:

copy OFS/dtml/main.dtml to Products/ExternalEditor/manage_main

edit that file and add this after line 170:

    <dtml-comment> This is the only different line: </dtml-comment>
    <dtml-var expr="externalEditLink_(this())">

Here the same with more context, added lines marked by *

      <dtml-except>
      </dtml-try>
    * <dtml-comment> This is the only different line: </dtml-comment>
    * <dtml-var expr="externalEditLink_(this())">
      </div>
      </td>
      <dtml-with sequence-key>

Remark: I don't know a general good way how products should cope with such problems. It would be nicer if they didn't carry a copy of maybe outdated code, but if they could obtain a copy during installation time (would require some setup script), and identify the place where to insert their ads. But this looks hard if the patched code doesn't provide something like a tag that tells where the place to patch is.

ciao - chris

-- Christian Tismer
[Zope-dev] Re: Zope 2.7 running with Stackless 3.0
Shane Hathaway wrote:
> Christian Tismer wrote:
>> Stackless 3.0 does all of it, whatever is possible. That means, you can switch whatever, even extension C code with Python callbacks. But cooperative code can switch faster.
>
> I'm very happy to hear you've forged onward. I was concerned you had given up.

I never give up. Giving up is for me the equivalent to death. I'm undead. ;-)

...

>> No continuations, tasklets. :-)
>
> Did you switch the terminology? Where can I read about Stackless 3.0?

You will be able to, soon. At the moment, just read help(stackless).

Stackless 3.0 no longer has the primitive, most powerful concept of continuations, it just has tasklets. Tasklets are like one-shot continuations, so they are no longer immutable. In other words, they are like tiny threads.

The reasons for that are multiple. But the main reason is the hardware switching capability. It is a feature of SLP 3.0. SLP 2.0 did only this. SLP 3.0 does this, and a subset of the 1.0 continuations, but reduced to a common subset.

With the presence of hardware C stack snapshot, it is not trivially possible to provide immutable, re-runnable instances of such C stacks. I only can (almost) guarantee, that they can continue once, after they have been frozen. This is so, since I was (so far) unable to provide a platform/compiler independent way to completely analyse them for the presence of Python objects.

In summary, that means, allowing for C stack captures in a compatible way kills the concept of pure continuations. On the other hand, killing the concept of pure continuations allows me to make C stack snapshots and pure Python frame chains to be rather compatible. So what I do is to wrap an object around both, called a tasklet. And such a tasklet can be run just once, since it has mutable state. But this is exactly what people want.

> For the uninitiated: Stackless lets a Python program break out of the rigid constraints of a simple stack. It lets Python code manipulate its own execution. It provides new solutions to problems like threading, debugging, network communication, etc. It's a very interesting shift.

This is still true!

> BTW, here's one avenue you might pursue, Christian: Python IDEs. When I wrote the debugger for Boa Constructor, I hit a big wall.

*You* wrote the Boa debugger? Well, this is great. We need to talk.

> Since Python is a dynamic language, one would expect to be able to pause the execution of a function, change the function, and resume execution with new code--never skipping a beat. But CPython makes this nearly impossible. I imagine Stackless would provide an answer for this. If it does, get in contact with ActiveState, Secret Labs, or the Wing IDE folks and tell them you can make their debugger twice as good as any other. Just an idea.

A very good idea. Although all of these people know me well, and I think I don't need to talk so much. Instead, they are kind of waiting. Actually, they don't need to wait so long, since SLP 3.0 final is coming in the next three weeks, with a decent C API.

cheers thanks -- chris

-- Christian Tismer
[Zope-dev] Zope 2.7 running with Stackless 3.0
Dear friends,

just by chance, I got into the position to try out Zope 2.7.0 beta 1/2, and since it needs Python 2.2.3 at least, and Stackless 3.0 was just ported to that, I tried to build Zope with Stackless 3.0.

It works very very well!

After a few patches to get the includes right, here the installation instructions.

Get the current Stackless 3.0 beta.

    CVSROOT=:pserver:[EMAIL PROTECTED]:/home/cvs
    export CVSROOT
    cvs co stackless
    cd stackless/src
    ./configure
    make
    # su if you weren't root
    make install

Then, install the Zope source, and make the same dance as usual.

Just a note: Zope doesn't (yet) use any of the Stackless features. It just builds and works with it. But of course, *you* can use the stackless features, of course.

I also expect, that Zope will create a branch in some future and implement a new Medusa which doesn't need real threads.

cheers and let me know of your experience -- chris

-- Christian Tismer
Re: [Zope-dev] Zope 2.7 running with Stackless 3.0
Shane Hathaway wrote:
> On 08/27/2003 07:55 PM, Christian Tismer wrote:
>> just by chance, I got into the position to try out Zope 2.7.0 beta 1/2, and since it needs Python 2.2.3 at least, and Stackless 3.0 was just ported to that, I tried to build Zope with Stackless 3.0. It works very very well! After a few patches to get the includes right, here the installation instructions.
>
> I am in awe.

Cool. :-)

> However, I am also a little confused. As I understand it, Stackless needs all C code to be non-reentrant, i.e. C code must never call back into Python.

This has never been so. It was so that Stackless 1.0 could only do its switching if there was no recursive call, sure. But it was always allowed.

Stackless 2.0 does it the brute-force way, by moving C stacks around.

Stackless 3.0 does all of it, whatever is possible. That means, you can switch whatever, even extension C code with Python callbacks. But cooperative code can switch faster.

> But Zope has a lot of reentrant code, especially in Acquisition and ZODB. Doesn't that prevent Zope from taking advantage of Stackless continuations?

No continuations, tasklets. :-)

ciao - chris

-- Christian Tismer
Re: [Zope-dev] How (in)secure is Zope?
Jamie Heilman wrote:

[snipped many good things]

> Generally, the more software you install, the more open to attack you are. If you don't need it, don't run it, and don't install it. Some Zope products may open up more avenues of exploit than others, that's why the admin should audit them before installing.

Yes, I know. Carelessly written products can do quite much. I used Zope for half a year, intensively, and also wrote a database driver, so I know what it is about. Just wanted to get an update, since so much has happened since I stopped looking for more than a year.

...

> No, it's not a very simple question. If Zope was a small program with a single clear purpose, it might be. But Zope is a large framework with a multitude of directions.

I know. simple question was not meant seriously. :-) Simple to formulate, like what is love.

> (A small program with a single clear purpose can not do what Zope does; let it be known I'm not suggesting Zope should be somehow packed into a small program with a single clear purpose. Broken up into several... perhaps, but that's a different thread.)

This would interest me quite much, if it is possible to split this up into different small packages, which combine nicely. I fear I know the answer for the next few years already...

> Outside of the ideal world, unless extreme care is taken, software tends to have flaws with security ramifications. Last time I counted (March 1st.) there were 16 unaddressed issues in the Zope bug collector that had been marked as having security ramifications. Two of them are mine, and thus I feel confident in saying Zope is not as secure as it should or could be, but that if nothing else, the maintainers have been made aware of these shortcomings and that one can assume (if they should or not is a different matter) the issues will be taken care of. I will go on record as saying that, recently, response times to security related issues in the Zope2 tree have been disappointing. Construe from that what you will.

Do I read a bit of disappointment between the lines? If you compare Zope's bug paranoia with Python's, would you say Zope is a bit less concerned, or there are not enough people being concerned to get things resolved?

Why I'm asking is simply because I'm concerned that there are no bugtraq entries for Zope, and I don't buy that this comes from Zope being bug-free. Maybe not enough people care about this, but if the hackers also don't care, why should I :-)

I-know-I-shouldn't-have-said-that-at-all - ciao - chris

-- Christian Tismer
[Zope-dev] Re: [Zope3-dev] How (in)secure is Zope?
Tim Peters wrote:
> [Christian Tismer]
>> ...
>> I don't mean to offend anybody by this, it is just a very simple question which I cannot answer alone.
>
> There may be a simple question hiding in this, but it's hard to find <wink>. You try: how secure is sendmail? how secure is ssh? how secure is Python? Answer those simple(?!) questions in the way you're looking for, and maybe someone can do the same wrt Zope. As is, you *appear* to be asking for a one-word summary of an encyclopedia.

Big <wink>. Hey, you're right. Maybe, by simple question I meant short question, not necessarily easy to answer at all. :-)

For the sysadmin's POV, I think it should be formulated like: If I install Zope, and I don't have the time to become a Zope guru, what are the newly accumulated risks for my system, if I use the default installation?

The biggest fear would probably be a number of known exploits, and Joe Hacker just has to download some of those tools, and the system is open. It appears that at least *that* is not the case.

I think the answers given on the list were quite useful, thanks to you all!

cheers - chris

p.s.: sendmail? ssh? Python? Security exploits are discussed in the bugtraq list. I can find them all in the list archive. What about Zope? It is not in bugtraq.

-- Christian Tismer
[Zope-dev] How (in)secure is Zope?
Dear Zope community,

please excuse my ignorance, but I am asked from time to time how secure or insecure Zope actually is, and I always have to say that I actually don't know.

There are people claiming that Zope opens a system to quite some level, others claim the opposite.

Can someone please enlighten me and give me some details? Especially, are there some Zope products considered especially insecure? And, pondering more on security, are these issues, if they exist, bounded to Zope itself, or becomes a system generally more open to attacks, after Zope was installed?

I don't mean to offend anybody by this, it is just a very simple question which I cannot answer alone.

thanks so much in advance -- chris

-- Christian Tismer
Re: [Zope-dev] How (in)secure is Zope?
Adrian van den Dries wrote:
> On March 13, Christian Tismer wrote:
>> please excuse my ignorance, but I am asked from time to time how secure or insecure Zope actually is, and I always have to say that I actually don't know.
>
> How secure is your wallet?

I won't tell you (since this is insecure:).

> You will never answer this until you define what you mean by security, and what you are securing *against*.

This is quite a silly argument, IMHO. My simple question was alike what kind of insecurity do I buy when I install Zope on my server. This question is asked from the POV of a system administrator. It is simple: Do I increase the possibility of somebody to obtain root rights, or do I not?

> Zope is perfectly secure for some uses, and perfectly insecure for others.

Either it is secure for my server, in the sense I depicted above, or it is not. I don't see any relevance to any use, if I am using it on an exposed server in the internet. I think there should be one single answer, nothing else is relevant. ?

> For example, for safe delegation of responsibility within a web application, in a trusted environment, Zope is secure.

Run in an intranet service? Run on the same machine? What is your definition of secure, if there is any?

> However, as a mission-critical service exposed to the internet, it is wide-open.

Why is it wide open, and when is it wide open?

Thanks a lot, but this doesn't help me at all.

sorry - chris

-- Christian Tismer