Re: [Zope-dev] KGS 3.4.1 versions
Hello Christophe, Sunday, April 18, 2010, 2:54:08 AM, you wrote: CC Adam GROSZER a écrit : Hello, There is a sheet with versions for KGS 3.4.1 http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQoutput=html Anyone for/against those versions? The open questions that remain: * What about pytz 2010g? * Which lxml version to take? 1.3.6? * What about zope.app.container 3.6.2? * Would be nice to have zope.testbrowser 3.5.1 Comments are welcome. CC For the KGS 3.4.1, I think we should upgrade zc.buildout to at least 1.3.1. CC while releasing z3c.layer, I've run into a bug of zc.buildout 1.1 that prevented CC from adding extras dependencies for tests. Versions updated. -- Best regards, Adam GROSZERmailto:agros...@gmail.com -- Quote of the day: God hides things by putting them all around us. - Anonymous ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] KGS 3.4.1 versions
On Thu, Apr 15, 2010 at 12:29 PM, Adam GROSZER agros...@gmail.com wrote: Hello, There is a sheet with versions for KGS 3.4.1 http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQoutput=html Anyone for/against those versions? Tres Seaver just released zope.securitypolicy 3.4.4 (3.4.3 was buggy). There was a subtle bug, which was triggered if you used zope.securitypolicy's security policy without having zope.dublincore package already loaded. See https://bugs.launchpad.net/bugs/564525 for more informations. Could I suggest you to include this version (3.4.4) in Zope KGS 3.4.1 ? Thanks, Jonathan ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] KGS 3.4.1 versions
Hello Jonathan, done Monday, April 19, 2010, 6:56:34 PM, you wrote: JB On Thu, Apr 15, 2010 at 12:29 PM, Adam GROSZER agros...@gmail.com wrote: Hello, There is a sheet with versions for KGS 3.4.1 http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQoutput=html Anyone for/against those versions? JB Tres Seaver just released zope.securitypolicy 3.4.4 (3.4.3 was buggy). JB There was a subtle bug, which was triggered if you used JB zope.securitypolicy's security policy without having zope.dublincore JB package already loaded. JB See https://bugs.launchpad.net/bugs/564525 for more informations. JB Could I suggest you to include this version (3.4.4) in Zope KGS 3.4.1 ? JB Thanks, JB Jonathan -- Best regards, Adam GROSZERmailto:agros...@gmail.com -- Quote of the day: 'Tis mad idolatry to make the service greater than the god. - William Shakespeare ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] KGS 3.4.1 versions
Christophe Combelles a écrit : Roger a écrit : Hi Betreff: Re: [Zope-dev] KGS 3.4.1 versions Adam GROSZER a écrit : Hello, There is a sheet with versions for KGS 3.4.1 http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQoutput= html Anyone for/against those versions? The open questions that remain: * What about pytz 2010g? * Which lxml version to take? 1.3.6? * What about zope.app.container 3.6.2? * Would be nice to have zope.testbrowser 3.5.1 Comments are welcome. z3c.layer has a major security issue, because of trusted traversing adapters that removes the security proxy everywhere. yes and no, only miss use could end in security issues It's not really a security issue, it's the only concept which allows to use nested sites with more then one IAuthentication utility and allows to authenticate on objects behind the first site. But since this was such a rare use case, we decided to split the package in different packages which also supports a non trusted setup. This makes the packages more general usable without to run into security issues based on trusted confirgurations where non trusted is needed. This package has been retired and splitted into its 3 subpackages : z3c.layer.minimal z3c.layer.pagelet Both package above should not use trusted traverser z3c.layer.trusted This package should still use trusted traverser There is no problem upgrading to branch 1.0 of these packages, as they don't have any significant changes, excepted the splitting. However: z3c.layer.pagelet should be in version 1.0.2. Nothing below. z3c.layer.minimal has no corrected 1.0 branch. A new maintenance release 1.0.2 of this package should be released. z3c.layer.trusted is OK, since this is trusted in purpose. (I think) Yes Ok thanks, I'll release z3c.layer.minimal during the WE. I've released z3c.layer.minimal 1.0.2 with the fix, and z3c.layer 0.2.4 with the same fix. For the KGS 3.4.1, we just have to upgrade z3c.layer to 0.2.4. No need to add z3c.layer.[pagelet|minimal|trusted] Christophe Regards Roger Ineichen Christophe ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope ) ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope ) ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] KGS 3.4.1 versions
Hi Betreff: Re: [Zope-dev] KGS 3.4.1 versions Adam GROSZER a écrit : Hello, There is a sheet with versions for KGS 3.4.1 http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQoutput= html Anyone for/against those versions? The open questions that remain: * What about pytz 2010g? * Which lxml version to take? 1.3.6? * What about zope.app.container 3.6.2? * Would be nice to have zope.testbrowser 3.5.1 Comments are welcome. z3c.layer has a major security issue, because of trusted traversing adapters that removes the security proxy everywhere. yes and no, only miss use could end in security issues It's not really a security issue, it's the only concept which allows to use nested sites with more then one IAuthentication utility and allows to authenticate on objects behind the first site. But since this was such a rare use case, we decided to split the package in different packages which also supports a non trusted setup. This makes the packages more general usable without to run into security issues based on trusted confirgurations where non trusted is needed. This package has been retired and splitted into its 3 subpackages : z3c.layer.minimal z3c.layer.pagelet Both package above should not use trusted traverser z3c.layer.trusted This package should still use trusted traverser There is no problem upgrading to branch 1.0 of these packages, as they don't have any significant changes, excepted the splitting. However: z3c.layer.pagelet should be in version 1.0.2. Nothing below. z3c.layer.minimal has no corrected 1.0 branch. A new maintenance release 1.0.2 of this package should be released. z3c.layer.trusted is OK, since this is trusted in purpose. (I think) Yes Regards Roger Ineichen Christophe ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope ) ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] KGS 3.4.1 versions
On Thu, Apr 15, 2010 at 12:29, Adam GROSZER agros...@gmail.com wrote: The open questions that remain: * What about pytz 2010g? I'm not sure it makes sense fixing it to a particular version at all, as you might want timezone updates separately. Just sayin'. :) -- Lennart Regebro: Python, Zope, Plone, Grok http://regebro.wordpress.com/ +33 661 58 14 64 ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] KGS 3.4.1 versions
Hello, I think it's about having a known set of versions for the tests. Not that test run picks up some newer versions and the tests suddenly fail. On Fri, Apr 16, 2010 at 2:21 PM, Lennart Regebro rege...@gmail.com wrote: On Thu, Apr 15, 2010 at 12:29, Adam GROSZER agros...@gmail.com wrote: The open questions that remain: * What about pytz 2010g? I'm not sure it makes sense fixing it to a particular version at all, as you might want timezone updates separately. Just sayin'. :) -- Lennart Regebro: Python, Zope, Plone, Grok http://regebro.wordpress.com/ +33 661 58 14 64 -- Best regards, Adam ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] KGS 3.4.1 versions
Roger a écrit : Hi Betreff: Re: [Zope-dev] KGS 3.4.1 versions Adam GROSZER a écrit : Hello, There is a sheet with versions for KGS 3.4.1 http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQoutput= html Anyone for/against those versions? The open questions that remain: * What about pytz 2010g? * Which lxml version to take? 1.3.6? * What about zope.app.container 3.6.2? * Would be nice to have zope.testbrowser 3.5.1 Comments are welcome. z3c.layer has a major security issue, because of trusted traversing adapters that removes the security proxy everywhere. yes and no, only miss use could end in security issues It's not really a security issue, it's the only concept which allows to use nested sites with more then one IAuthentication utility and allows to authenticate on objects behind the first site. But since this was such a rare use case, we decided to split the package in different packages which also supports a non trusted setup. This makes the packages more general usable without to run into security issues based on trusted confirgurations where non trusted is needed. This package has been retired and splitted into its 3 subpackages : z3c.layer.minimal z3c.layer.pagelet Both package above should not use trusted traverser z3c.layer.trusted This package should still use trusted traverser There is no problem upgrading to branch 1.0 of these packages, as they don't have any significant changes, excepted the splitting. However: z3c.layer.pagelet should be in version 1.0.2. Nothing below. z3c.layer.minimal has no corrected 1.0 branch. A new maintenance release 1.0.2 of this package should be released. z3c.layer.trusted is OK, since this is trusted in purpose. (I think) Yes Ok thanks, I'll release z3c.layer.minimal during the WE. Regards Roger Ineichen Christophe ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope ) ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] KGS 3.4.1 versions
Adam GROSZER a écrit : Hello, There is a sheet with versions for KGS 3.4.1 http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQoutput=html Anyone for/against those versions? The open questions that remain: * What about pytz 2010g? * Which lxml version to take? 1.3.6? * What about zope.app.container 3.6.2? * Would be nice to have zope.testbrowser 3.5.1 Comments are welcome. z3c.layer has a major security issue, because of trusted traversing adapters that removes the security proxy everywhere. This package has been retired and splitted into its 3 subpackages : z3c.layer.minimal z3c.layer.pagelet z3c.layer.trusted There is no problem upgrading to branch 1.0 of these packages, as they don't have any significant changes, excepted the splitting. However: z3c.layer.pagelet should be in version 1.0.2. Nothing below. z3c.layer.minimal has no corrected 1.0 branch. A new maintenance release 1.0.2 of this package should be released. z3c.layer.trusted is OK, since this is trusted in purpose. (I think) Christophe ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
