Re: [Zope-dev] Re: Discussion Story Building Mediums

2000-10-02 Thread Chris Withers

Michael Bernstein wrote:
 It seems to me that there is a potential 'bridge' between
 the mailing lists and the wikis - The mailing list archives!

snip details

I like this idea a lot :-)

 Hmm, if ZDiscussions and the mailing lists were gatewayed
 into each other, that would get you a much better archive
 interface almost immediately, and you could concentrate on
 'promoting' ZDiscussion postings to a wiki page instead.

The email gateway is one of the major things I want to introduce in
Swishdot, when I get a window to work on it again...

cheers,

Chris

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )




Re: [Zope-dev] Re: CoreSessionTracking proposal

2000-10-02 Thread Chris McDonough

I suppose I could implement something like this (encode the IP address
into the token) and provide a knob to turn it on and off on the id
manager.  I'm not going to do this for the first iteration, I need to
get it working first.  :-)

Steve Spicklemire wrote:
 
 I forget now where I saw this but one of the session managers I looked
 at once checked the IP address of the visitor to make sure it was the
 same for the entire session, or longer. This at least makes it much harder
 to hijack a session, even though it means that long-lived cookies might
 be fooled as a user gets a new dynamic IP address...
 
 -steve
 
  "Chris" == Chris McDonough [EMAIL PROTECTED] writes:
 
 Chris Session tokens, AFAICT, cannot be secured.  They can only
 Chris be obfuscated, which mitigates the risk that they will be
 Chris guessed.  However, there's no way to completely secure
 Chris them, no matter how many MD5 hashing algorithms you run on
 Chris them.  If a session token is stolen, that's the key that
 Chris the "attacker" needs to visit the website "as you".  I've
 Chris addressed this in the implementation by giving the session
 Chris token a random element, and this mitigates a guessing
 Chris attack, but not a theft attack.

-- 
Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org





Re: [Zope-dev] Re: Discussion Story Building Mediums

2000-10-02 Thread Michael Bernstein

Chris Withers wrote:
 
 Michael Bernstein wrote:
  It seems to me that there is a potential 'bridge' between
  the mailing lists and the wikis - The mailing list archives!
 
 snip details
 
 I like this idea a lot :-)

After some more thought, I realized that this really needs
to be a three-way gateway between a mailing list, a 'blog,
and a newsgroup. The 'blog is obviously the most different
from the other two, as 'blogs usually exercise editorial
control over the root items, but none (or little) over the
ensuing discussion. This is markedly different from both
mailing lists and newsgroups, where moderation is on all of
the postings.

Assuming that gets accomplished, this should take care of
everyone's 'discussion' needs, after which the trick is
promoting certain things to permanent collaborative
artefacts, like wikis.

Michael Bernstein.





[Zope-dev] Re: CoreSessionTracking proposal

2000-10-02 Thread gotcha

--- In [EMAIL PROTECTED], Chris McDonough [EMAIL PROTECTED] wrote:
 I suppose I could implement something like this (encode the IP address
 into the token) and provide a knob to turn it on and off on the id
 manager.  I'm not going to do this for the first iteration, I need to
 get it working first.  :-)
 
 Steve Spicklemire wrote:
  
  I forget now where I saw this but one of the session managers I looked
  at once checked the IP address of the visitor to make sure it was the
  same for the entire session, or longer. This at least makes it much harder
  to hijack a session, even though it means that long-lived cookies might
  be fooled as a user gets a new dynamic IP address...

I think WebHub is using the IP address. WebHub is a product 
built and working with Delphi. I tried to find where they 
mention it on their website (http://www.webhub.com) but could 
not find it.

In fact, if I remember well the server remembers the IP address 
(instead of crunching it into the id) and checks the 
correspondence between the session id and the IP address when 
answering a request.

I was told that some ISPs change your IP address during a 
connection but never took the time to check if it is true.
  
  -steve
  
   "Chris" == Chris McDonough [EMAIL PROTECTED] writes:
  
  Chris Session tokens, AFAICT, cannot be secured.  They can only
  Chris be obfuscated, which mitigates the risk that they will be
  Chris guessed.  However, there's no way to completely secure
  Chris them, no matter how many MD5 hashing algorithms you run on
  Chris them.  If a session token is stolen, that's the key that
  Chris the "attacker" needs to visit the website "as you".  I've
  Chris addressed this in the implementation by giving the session
  Chris token a random element, and this mitigates a guessing
  Chris attack, but not a theft attack.
 
 -- 
 Chris McDonough
 Digital Creations, Publishers of Zope
 http://www.zope.org


Cheers,  


Godefroid Chapelle

-
BubbleNet sprl
rue Victor Horta 30
1348 Louvain-la-Neuve 
Belgium

-
This mail sent through SwinG Webmail: http://mail.swing.be 





Re: [Zope-dev] Re: CoreSessionTracking proposal

2000-10-02 Thread Phillip J. Eby

At 05:17 PM 10/2/00 +0200, [EMAIL PROTECTED] wrote:

I was told that some ISPs change your IP address during a 
connection but never took the time to check if it is true.

Whether the actual user's IP changes isn't relevant.  The question is, can
the IP of a proxy server between the user and you change.  And that's quite
possible.  Consider the situation where the round-robin DNS of a bank of
proxy servers expires during the user's browsing session, or a bank of
proxy servers behind a load balancer on the user's side.  Since all the
HTTP server ends up seeing is the proxy server's IP, you could potentially
have the same user dancing around all over the place, IP address-wise.






[Zope-dev] HiperDom 0.1 is out

2000-10-02 Thread Lalo Martins

We released HiperDom 0.1 Saturday (this message is dated Monday
because it's when the objects got cataloged).

This version is Python-based, fully functional to the last
letter of the spec (except for hdom:method where we cleaned up
the interface a bit), fully HelpSys'ed, heck, it even has an
icon.

Oh, it has an undocumented feature too. Actually lots of 'em;
I have to write about manage_getTemplate somewhere for the next
version... but what I'm talking about right now is the hdom:id
directive used for creating "assets" like we discussed
previously in the "HiperDOM and xmlc" thread.

When you expand a section marked with hdom:text, before
discarding the contents, the engine hunts for elements marked
with hdom:id in it. Those found are added to the namespace.

...
<p hdom:text="greeting">This paragraph will be replaced by a
greeting to <span hdom:id="person">Lalo</span> and <span
hdom:id="company">Hiperlógica</span>.</p>
...

The method "greeting" will be executed with a namespace as **kw
(I don't know how flexible is this, but it's how DTML does it).
In this namespace there will be at least
{'person': '<span>Lalo</span>', 'company': '<span>Hiperlógica</span>'}.

This feature isn't documented on purpose, since this subject is
far from settled and it is very possible that this isn't the
best solution. But it's _a_ solution and it's there to be
tested - "running code" :-)


We'll be away from this code for about two weeks, as we have an
urgent job to deliver to a big customer whose identity is so
ironic that I'll have to tell you folks as soon as I'm sure I'm
allowed to.

Anyway, I'd like everyone interested to try it out in this
meantime, send us your feedback, and discuss it here and/or on
the HiperDomWiki. I'll have an eye (and a few fingers) on this
discussion.

Thank you for your time, have a nice day. :-)

[]s,
   |alo
   +
--
  Hack and Roll  ( http://www.hackandroll.org )
News for, uh, whatever it is that we are.


http://zope.gf.com.br/lalo   mailto:[EMAIL PROTECTED]
 pgp key: http://zope.gf.com.br/lalo/pessoal/pgp

Brazil of Darkness (RPG)--- http://zope.gf.com.br/BroDar





Re: [Zope-dev] mailing list 'noise'

2000-10-02 Thread Karl Anderson

Ken Manheimer [EMAIL PROTECTED] writes:

 In fact, i'm *really* interested in "turning answers into stories".  That
 is, not just getting answers to questions, but preserving them in a way
 that makes them easy to find when they're next needed - organizing them so
 they collectively serve to describe the topic they're about, to make the
 topic, as a whole, discoverable.  While i think there are many modes of
 discussion that can serve this purpose, depending on the application and
 collaborative context, i think mailing list discussion threads need more.  
 They're a step towards that building-together, but fail to organize beyond
 that - so the answers they provide are fragmentary glimpses into the topic
 at hand.

 One key way wiki documents help bind the fragments is by providing more
 "fixed points" around which discussions can range.  The fixed points
 are not immutable - they can evolve - but they're easy to point at, and
 provide a definite manifestation of the topic at some stage of its life.

That's a good point.  Mailing list threads are great if you're around
when they come up.  After that, searching is doable, but not easy enough -
witness that the same threads tend to come up for any list.

One good quality of lists is that if you can tell your reader to
organize threads, then the discussion is broken up and shoved in your
face for you piece by piece.  In a wiki, on the other hand, you have
to return to the same page, find where you were last, and actively
look for changes.

 The dev.zope.org proposals site is one example where definite subjects are
 at hand.  As someone behind the WikiNG proposal, who *wants* to be able to
 reap the suggestions and details from a discussion, but knows i won't have
 the time for a while to actually concentrate attention on it, i dread
 having to collect all the messages, for later review for harvesting.  
 Furthermore, messages on the mailing list tend to diverge more and
 farther from the topic, than they do when placed within the wiki.
 
 What i'd like the best, for now, is to have discussion happen on the
 mailing list *when someone wants to feel something out*, *and then
 they're responsible for summarizing in the wiki discussion page, if they
 have anything to harvest*.

Note that we keep on acknowledging that the different fora are better
in different ways, and that what we keep on wanting is the right way
to communicate and propagate between the fora.

Here, you want it to be easy to pop a thread into a wiki.  Something
like a thread-to-wiki feature would be nice - tell the wiki "flatten
this thread & make a page for it", then edit it by hand.  But it's
still a one-way link, really, the best you can do is post a final
message to the thread - 'see the wiki for further discussion'.  Which
isn't that bad, really.

What I really want is for the different fora to just be interfaces on
the information.  I'm not sure how, it isn't that realistic, I can't
think of an implementation without it getting overfeatured.  Something
like wiki edits being reflected in the mailing list archive.  Nah.

-- 
Karl Anderson  [EMAIL PROTECTED]





Re: [Zope-dev] Re: CoreSessionTracking proposal

2000-10-02 Thread KevinL


Please, please, please, do _not_ use IP numbers to verify it's the same 
connection.  You guys don't have the problem in .us, but out here at the 
fringes (.au, and presumably .uk and similar), proxy server use is rampant - 
and leaning on IP breaks, because proxies share the connection around.

Example:  Connect.com.au (backbone provider) have three proxy servers in 
Melbourne, two in Sydney.  Their customers have their own proxies.  
An end user hits the customer's proxy, which requests via ICP from _all_ of 
CCA's proxies in their region - the fastest proxy at the time responds first.
Fastest can, and does, change very quickly when those boxes are close to the 
same load - a single session often chops between multiple IPs.
Then the customer's proxy is also leaning on Telstra's proxies, in a 
completely different netblock, and sometimes they decide upstream response is 
too slow and they'll go direct.

People leaning on the source IP for verification just means you get more 
complaints from .au people unable to use your site.  I wouldn't even offer it 
unless you made some passing attempt to get the browser's own IP (use 
the proxy header, can't remember which one, that reports browser IP), even 
then I'd be cautious as that's a voluntary header.

KevinL
(that one's a bugbear of mine ;)

 [EMAIL PROTECTED] wrote
 --- In [EMAIL PROTECTED], Chris McDonough [EMAIL PROTECTED] wrote:
  I suppose I could implement something like this (encode the IP address
  into the token) and provide a knob to turn it on and off on the id
  manager.  I'm not going to do this for the first iteration, I need to
  get it working first.  :-)
[snip]
 In fact, if I remember well the server remembers the IP address 
 (instead of crunching it into the id) and checks the 
 correspondence between the session id and the IP address when 
 answering a request.

 I was told that some ISPs change your IP address during a 
 connection but never took the time to check if it is true.
[snip]
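
Added example, not part of the thread and not CoreSessionTracking code: a toy id manager (the class, function and status names are hypothetical) that stores the IP server-side as described for WebHub, with the on/off knob, to show both what the binding stops and the proxy-bank failure described above. The addresses are constructed from documentation ranges.

```python
import secrets


class SessionIdManager:
    """Toy id manager (hypothetical names, not Zope's API)."""

    def __init__(self, bind_to_ip=False):
        self.bind_to_ip = bind_to_ip   # the on/off "knob" from the thread
        self._sessions = {}            # token -> IP seen when session began

    def new_session(self, client_ip):
        # Random element from the OS CSPRNG: mitigates guessing, not theft.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = client_ip
        return token

    def validate(self, token, client_ip):
        """Return 'ok', 'unknown-token' or 'ip-mismatch'."""
        bound_ip = self._sessions.get(token)
        if bound_ip is None:
            return "unknown-token"
        if self.bind_to_ip and client_ip != bound_ip:
            return "ip-mismatch"
        return "ok"


def replay(manager, first_ip, later_ips):
    """Start a session from first_ip, then present its token from later_ips."""
    token = manager.new_session(first_ip)
    return [manager.validate(token, ip) for ip in later_ips]


# Constructed sample addresses (RFC 5737 documentation ranges).
HOME_USER = "192.0.2.10"
OTHER_HOST = "203.0.113.77"
PROXY_BANK = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]


def scenarios():
    return {
        # Knob off: a stolen token is accepted from any address.
        "theft_unbound": replay(SessionIdManager(False), HOME_USER, [OTHER_HOST]),
        # Knob on: the same token presented from another address is refused...
        "theft_bound": replay(SessionIdManager(True), HOME_USER,
                              [HOME_USER, OTHER_HOST]),
        # ...and so is one honest user whose requests rotate across proxies.
        "proxy_user_bound": replay(SessionIdManager(True), PROXY_BANK[0], PROXY_BANK),
    }


if __name__ == "__main__":
    for name, results in scenarios().items():
        print(f"{name:18} {results}")
```
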






[Zope-dev] Zope Suitability for Computer Lab Project

2000-10-02 Thread John Hopkins



Greetings from a "potential newbie".

I need to build an application for recording 
clients who use a computer lab. The idea is to collect demographic 
information on clients who use the lab, and session information such as 
date/time and whether the client attended a class. Objects include 
clients, sessions and classes (or I think they do; I'm more used to thinking in 
relational terms). I was going to build it in MS-Access, since it's 
available on all the PCs in the lab, can do everything I need (including 
reporting), and I know it well; on the other hand, there are undeniable 
advantages to having something server-based with minimal client 
dependencies.

I'm pretty sure it would take me more time to build 
it in Zope than in Access, mainly because I don't know Zope yet. What I 
don't know is whether this is an appropriate application for Zope; it's not 
really what I think of as "publishing"; more like data acquisition and 
subsequent reporting.

Observations based on experience will be gratefully 
received.

Thanks in advance,

John Hopkins [EMAIL PROTECTED]