[Zope-dev] Re: [Zope3-dev] Proposal: Move to subversion for source code control of the Zope and ZODB projects

2004-04-12 Thread Lennart Regebro
From: Jim Fulton [EMAIL PROTECTED] Initially, I propose to move just the repository heads. Maintenamce branches (e.g. Zope 2.6 and Zope 2.7) will remain in CVS. What is the rationale behind not moving it all? ___ Zope-Dev maillist - [EMAIL

[Zope-dev] Re: [ZODB-Dev] Re: [Zope3-dev] Proposal: Move to subversion for source code control of the Zope and ZODB projects

2004-04-12 Thread Andreas Jung
--On Montag, 12. April 2004 13:07 Uhr +0200 Lennart Regebro [EMAIL PROTECTED] wrote: From: Jim Fulton [EMAIL PROTECTED] Initially, I propose to move just the repository heads. Maintenamce branches (e.g. Zope 2.6 and Zope 2.7) will remain in CVS. What is the rationale behind not moving it all?

[Zope-dev] [patch] More secure cookie crumbler?

2004-04-12 Thread Chris Withers
Hi Shane and zope-dev, I think the attached patch (against CookieCrumbler 1.1) makes CookieCrumbler a little more secure. It makes CookieCrumbler not store the user's password and username on the browser side and rotates the token stored on the browser side ever 10 seconds or time between

[Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-12 Thread Shane Hathaway
On Mon, 12 Apr 2004, Chris Withers wrote: I think the attached patch (against CookieCrumbler 1.1) makes CookieCrumbler a little more secure. Your patch won't work with multiple ZEO app servers. It appears to store the tokens in a module global. Do not apply it. PS: To make cookie auth

Re: [Zope-dev] [patch] More secure cookie crumbler?

2004-04-12 Thread Jamie Heilman
Chris Withers wrote: PS: To make cookie auth properly secure, you really need to be working over SSL only, and in addition, you should tweak CookieCrumbler further so that it sets the secure session bit, meaning your sessions should only get returned over a secure connection... mindyou, to

[Zope-dev] Re: [ZODB-Dev] Re: [Zope3-dev] Proposal: Move to subversion for source code control of the Zope and ZODB projects

2004-04-12 Thread Sidnei da Silva
On Mon, Apr 12, 2004 at 08:11:44AM -0400, Tres Seaver wrote: | Lennart Regebro wrote: | From: Jim Fulton [EMAIL PROTECTED] | | Initially, I propose to move just the repository heads. Maintenamce | branches (e.g. Zope 2.6 and Zope 2.7) will remain in CVS. | | What is the rationale behind not

[Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-12 Thread Chris Withers
Shane Hathaway wrote: I think the attached patch (against CookieCrumbler 1.1) makes CookieCrumbler a little more secure. Your patch won't work with multiple ZEO app servers. It appears to store the tokens in a module global. Do not apply it. Well, that's a little harsh. The default methods will

Re: [Zope-dev] [patch] More secure cookie crumbler?

2004-04-12 Thread Chris Withers
Jamie Heilman wrote: The problem of using cookies for auth creds is a little more complex than that. The reality is, in a well written application, cookies should never be used to store auth creds, even if you only send them over SSL. The patch means that auth creds are never sent, only an

[Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-12 Thread Shane Hathaway
On Mon, 12 Apr 2004, Chris Withers wrote: For me, that's worth patching for, it's up to you if you want to include it in an offical CookieCrumbler release or not ;-) Making cookie authentication secure is surprisingly difficult, and you've barely taken one step. I don't want CookieCrumbler to

[Zope-dev] Re: circular referenced persistent objects

2004-04-12 Thread Casey Duncan
On Sat, 10 Apr 2004 14:11:56 -0500 [EMAIL PROTECTED] wrote: I have the following setup (unrelated lines are omitted): class Deliverer(Folder): def manage_afterAdd(self, item, container): if item is self: self.__ac_local_roles__ = dr_localroles(self) class

[Zope-dev] Re: [Zope3-dev] Proposal: Move to subversion for source code control of the Zope and ZODB projects

2004-04-12 Thread Jim Fulton
Lennart Regebro wrote: From: Jim Fulton [EMAIL PROTECTED] Initially, I propose to move just the repository heads. Maintenamce branches (e.g. Zope 2.6 and Zope 2.7) will remain in CVS. What is the rationale behind not moving it all? - Reduce risk - Provide a more gradual transition Jim -- Jim

Re: [Zope3-dev] Re: [Zope-dev] Proposal: Move to subversion for source code control of the Zope and ZODB projects

2004-04-12 Thread Jim Fulton
Jamie Heilman wrote: Jim Fulton wrote: I propose to move from CVS to subversion for the Zope and ZODB projects; http://dev.zope.org/Zope3/MovingSCMToSubversion No complaints from me. I do wonder though... one thing I've noticed about ZC's CVS usage in the past is that you folks never export

RE: [Zope-dev] Re: circular referenced persistent objects

2004-04-12 Thread zope
Casey, Thanks for the clarification. - Is there an equivalent of sys.getrefcount for ZODB persistent objects? This is still a question. Is there any way, to determine how many times a zodb persistent object is referenced? sys.getrefcount seems to tell me only those references which are

Re: [Zope-dev] Re: circular referenced persistent objects

2004-04-12 Thread Casey Duncan
On Mon, 12 Apr 2004 10:57:43 -0500 [EMAIL PROTECTED] wrote: Casey, Thanks for the clarification. - Is there an equivalent of sys.getrefcount for ZODB persistent objects? This is still a question. Is there any way, to determine how many times a zodb persistent object is

RE: [Zope-dev] Re: circular referenced persistent objects

2004-04-12 Thread Tim Peters
[Sandor] This is still a question. Is there any way, to determine how many times a zodb persistent object is referenced? ZODB itself doesn't keep track of that, although it's possible to write a storage that does. FileStorage does not. BerkeleyStorage did (past tense because Zope Corp has

[Zope-dev] ZConfig 2.1 released

2004-04-12 Thread Fred Drake
I've posted a distribution for ZConfig 2.1 on the ZConfig page: http://zope.org/Members/fdrake/zconfig/ This fixes a few bugs and improves the ability to set default values in schemas. It also adds some helpful schema building blocks, including a general mapping type and support for

[Zope-dev] start_new_thread / user issue

2004-04-12 Thread Toby Gustafson
Hi, Within a python file I do a call to thread.start_new_thread(...). Before this call, I am the admin user (verified by calling AccessControl.getSecurityManager().getuser().getUserName()). After the call, however, in the new thread, the user is now Anonymous User. Is there any way to

Zope + Ape + Subversion (was: RE: [Zope-dev] Using a truely revis ion based storage for Zope ?)

2004-04-12 Thread Jean-Francois . Doyon
G'Day, Well, step one is done ... I now have Zope + Ape using Subversion as it's filesystem !! This is step one because, as Shawn suggested (Thanks for the pointer, that's what I needed!), this simply means that Zope uses SVN purely as a filesystem. Because of subversion's nature, I want to

Re: [Zope-dev] [patch] More secure cookie crumbler?

2004-04-12 Thread Jamie Heilman
Chris Withers wrote: The patch means that auth creds are never sent, only an auth token that's valid for 20 mins or so, or you could set it to less. The token *is* the cred in that scenario, you can't not send some form credentials. Can you explain the XSS risk when a client user is not

[Zope-dev] Re: Proposal: Move to subversion for source code control of the Zope and ZODB projects

2004-04-12 Thread Kapil Thangavelu
fwiw, i've been able to get good results at migrating the plone repository and branches using the refinecvs migration script http://lev.serebryakov.spb.ru/refinecvs/ the cvs2svn script included with subversion had several issues with branches, although it was a few months ago (prior to svn 1.0)

Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-12 Thread Stuart Bishop
On 12/04/2004, at 10:39 PM, Shane Hathaway wrote: On Mon, 12 Apr 2004, Chris Withers wrote: I think the attached patch (against CookieCrumbler 1.1) makes CookieCrumbler a little more secure. Your patch won't work with multiple ZEO app servers. It appears to store the tokens in a module global.

Re: Zope + Ape + Subversion (was: RE: [Zope-dev] Using a truely revis ion based storage for Zope ?)

2004-04-12 Thread Shane Hathaway
On Mon, 12 Apr 2004 [EMAIL PROTECTED] wrote: Well, step one is done ... I now have Zope + Ape using Subversion as it's filesystem !! That's fantastic! I'll write a more detailed reply soon. :-) Shane ___ Zope-Dev maillist - [EMAIL PROTECTED]

Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-12 Thread Shane Hathaway
On 04/12/04 09:04, Chris Withers wrote: For me, that's worth patching for, it's up to you if you want to include it in an offical CookieCrumbler release or not ;-) BTW, I wouldn't mind if you or Stuart took over maintainership of CookieCrumbler after the next release. Then you'd be able to

[Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-12 Thread Tres Seaver
Stuart Bishop wrote: On 12/04/2004, at 10:39 PM, Shane Hathaway wrote: On Mon, 12 Apr 2004, Chris Withers wrote: I think the attached patch (against CookieCrumbler 1.1) makes CookieCrumbler a little more secure. Your patch won't work with multiple ZEO app servers. It appears to store the

[Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-12 Thread Tres Seaver
Jamie Heilman wrote: Chris Withers wrote: The patch means that auth creds are never sent, only an auth token that's valid for 20 mins or so, or you could set it to less. The token *is* the cred in that scenario, you can't not send some form credentials. Can you explain the XSS risk when a

[Zope-dev] Re: start_new_thread / user issue

2004-04-12 Thread Tres Seaver
Toby Gustafson wrote: Hi, Within a python file I do a call to thread.start_new_thread(...). Before this call, I am the admin user (verified by calling AccessControl.getSecurityManager().getuser().getUserName()). After the call, however, in the new thread, the user is now Anonymous User. Is