On Jul 16, 2006, at 7:29 PM, Richard Jones wrote:
On Sunday 09 July 2006 22:56, Jim Fulton wrote:
Whoever integrated reST didn't even read the documentation, much less
the code.
FWIW.
The ZReST product was originally released by me around 2002 -
before those
directives existed. According
On Sunday 09 July 2006 22:56, Jim Fulton wrote:
> Whoever integrated reST didn't even read the documentation, much less
> the code.
FWIW.
The ZReST product was originally released by me around 2002 - before those
directives existed. According to the docutils HISTORY file, the directives
themsel
Jim Fulton wrote at 2006-7-9 09:10 -0400:
> ...
>On Jul 8, 2006, at 3:51 PM, [EMAIL PROTECTED] wrote:
>>...
>> I agree with you that a feature ("file/url" inclusion code)
>> physically removed from the shipped code can be considered no longer
>> causing security risks -- even without extensive test
--On 9. Juli 2006 08:51:12 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
We need a better chain of responsibility than that, especially when
there is a known security threat.
See above...it's not a question of general responsibility...it's a
question of taking over the responsibility for a
On Jul 8, 2006, at 5:38 PM, Tino Wildenhain wrote:
Jim Fulton wrote:
...
You mean auditing. Testing would not help imho. Testing
only checks if expected behavior still works. And nobody
expects the Spanish Inquisition *wink* ;)
You can test that trying to do file-inclusion fails.
For exa
On Jul 8, 2006, at 3:51 PM, [EMAIL PROTECTED] wrote:
...
This time, I am on your side, Andreas :-)
I agree with you that a feature ("file/url" inclusion code)
physically removed from the shipped code can be considered no longer
causing security risks -- even without extensive tests.
Your rece
On Jul 8, 2006, at 3:27 PM, Andreas Jung wrote:
--On 8. Juli 2006 15:05:21 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
I think this applies here as well.
1. ZClasses are not a security threat. reST is. That's a huge
difference.
Being a security threat or not ...how will you prove tha
On Jul 8, 2006, at 3:06 PM, Andreas Jung wrote:
No, it is not. I haven't worked on the hotfix...so why would it be
up to me
write tests?
It's not. The person who *did* write the hot-fix didn't want the
feature in the first place. Tres stepped up and helped us in an
emergency. I imagine
--On 9. Juli 2006 12:29:24 +0200 Willi Langenberger <[EMAIL PROTECTED]>
wrote:
@Tres: what is the reason to keep the 'raw' code in docutils? I am in
favor to remove it and replace it with a NotImplementedError exception
(same as for the 'include' code). The related tests (for
reStruc
According to Andreas Jung:
> >> Tres' patch is looking fine to me. I don't see a need right now
> >> for dropping reST with having file inclusion *removed*.
> >
> > Has anyone written tests for Tres' patch? Apparently no one wrote
> > adequate tests for the last hot fix, which helped put us in
--On 8. Juli 2006 07:45:01 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
On Jul 8, 2006, at 1:11 AM, Andreas Jung wrote:
--On 7. Juli 2006 11:03:06 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
I think we should do a 2.9.4 release to incorporate the recent hot
fix.
This is easy for me to s
Jim Fulton wrote:
>
...
>> You mean auditing. Testing would not help imho. Testing
>> only checks if expected behavior still works. And nobody
>> expects the Spanish Inquisition *wink* ;)
>
> You can test that trying to do file-inclusion fails.
>
For example if I'd were the one who would have wri
Andreas Jung wrote at 2006-7-8 14:12 +0200:
> ... removing TTW reST ...
[Andreas]
>In addition I don't see a big problem for Zope-only(!) apps.
Of course, you must also consider applications built on top
of Zope -- such as "ZWiki" and "Plone". They, too, need to be
protected.
[Jim] ... retain
--On 8. Juli 2006 15:05:21 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
I think this applies here as well.
1. ZClasses are not a security threat. reST is. That's a huge difference.
Being a security threat or not ...how will you prove that a module X is a
threat or not? Without source code
--On 8. Juli 2006 14:42:31 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
This can happen all the time. A problem in the release process does
not justify the removal of a feature until we tried our best to
solve the problem. Use the sledge hammer as a last resort.
The problem in the release pro
On Jul 8, 2006, at 2:47 PM, Andreas Jung wrote:
--On 8. Juli 2006 14:37:06 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
On Jul 8, 2006, at 11:32 AM, Tino Wildenhain wrote:
...
You seem to be the only one championing TTW reST?
I am only champion against crude removal of features and a
On Jul 8, 2006, at 10:53 AM, Sidnei da Silva wrote:
Just to make the matters clear, when you say 'the last hotfix' Jim, do
you mean the Hotfix-20060705?
No, I was referring to the one before that. The November '0f
hot fix purported to solve the same problem.
Jim
--
Jim Fulton
--On 8. Juli 2006 14:37:06 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
On Jul 8, 2006, at 11:32 AM, Tino Wildenhain wrote:
...
You seem to be the only one championing TTW reST?
I am only champion against crude removal of features and against
and a
shortsighted perception.
I'm for kee
On Jul 8, 2006, at 10:41 AM, Andreas Jung wrote:
--On 8. Juli 2006 10:16:30 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
Yes, someone has to write the tests at some time, soon.
Right. Before 2.10.
...so we have some time...
Sadly, but that's a different problem.
As I pointed out th
On Jul 8, 2006, at 11:32 AM, Tino Wildenhain wrote:
...
You seem to be the only one championing TTW reST?
I am only champion against crude removal of features and against
and a
shortsighted perception.
I'm for keeping it (or something like it) too.
Are you volunteering to do a decen
On Jul 8, 2006, at 12:05 PM, Alec Mitchell wrote:
On 7/8/06, Sidnei da Silva <[EMAIL PROTECTED]> wrote:
Just to make the matters clear, when you say 'the last hotfix'
Jim, do
you mean the Hotfix-20060705?
I ask because I'm about to roll a hotfix installer for Plone and if
there's an issue w
On 7/8/06, Sidnei da Silva <[EMAIL PROTECTED]> wrote:
Just to make the matters clear, when you say 'the last hotfix' Jim, do
you mean the Hotfix-20060705?
I ask because I'm about to roll a hotfix installer for Plone and if
there's an issue with that one I can hold back the installer.
It looks
...
>>
>>> You seem to be the only one championing TTW reST?
>>
>> I am only champion against crude removal of features and against and a
>> shortsighted perception.
I'm for keeping it (or something like it) too.
> That doesn't deserve an answer.
>
>>> Are you unwilling to
>>> write the tests n
Just to make the matters clear, when you say 'the last hotfix' Jim, do
you mean the Hotfix-20060705?
I ask because I'm about to roll a hotfix installer for Plone and if
there's an issue with that one I can hold back the installer.
--
Sidnei da Silva
Enfold Systems http://enfoldsys
--On 8. Juli 2006 10:16:30 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
Yes, someone has to write the tests at some time, soon.
Right. Before 2.10.
...so we have some time...
As I pointed out the risk is minimal for Zope-apps because you need
to have access to the ZMI..
No, it's not.
On Jul 8, 2006, at 10:09 AM, Andreas Jung wrote:
--On 8. Juli 2006 09:53:47 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
...
Tres came up with this sledge hammer because he has no confidence
in people's willingness to test and implement this feature
properly.
I am fine with the sledge-ha
--On 8. Juli 2006 09:53:47 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
Maybe you aren't listening.
I am listening very well.
Tres came up with this sledge hammer because he has no confidence
in people's willingness to test and implement this feature properly.
I am fine with the sledge-
On Jul 8, 2006, at 9:17 AM, Andreas Jung wrote:
On Jul 8, 2006, at 8:12 AM, Andreas Jung wrote:
--On 8. Juli 2006 07:45:01 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
Only if there is no other option. Tres' patch seems to resolve this
issue and with further testing there is no need to r
On Jul 8, 2006, at 8:12 AM, Andreas Jung wrote:
--On 8. Juli 2006 07:45:01 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
Only if there is no other option. Tres' patch seems to resolve this
issue and with further testing there is no need to remove the
functionality.
"Seems" isn't good enoug
On Jul 8, 2006, at 8:12 AM, Andreas Jung wrote:
--On 8. Juli 2006 07:45:01 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
On Jul 8, 2006, at 1:11 AM, Andreas Jung wrote:
--On 7. Juli 2006 11:03:06 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
I think we should do a 2.9.4 release to incor
--On 8. Juli 2006 07:45:01 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
On Jul 8, 2006, at 1:11 AM, Andreas Jung wrote:
--On 7. Juli 2006 11:03:06 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
I think we should do a 2.9.4 release to incorporate the recent hot
fix.
This is easy for me to s
On Jul 8, 2006, at 1:11 AM, Andreas Jung wrote:
--On 7. Juli 2006 11:03:06 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
I think we should do a 2.9.4 release to incorporate the recent hot
fix.
This is easy for me to say, since I won't be doing it. :)
Because this recent fix actually fixe
--On 7. Juli 2006 11:03:06 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
I think we should do a 2.9.4 release to incorporate the recent hot fix.
This is easy for me to say, since I won't be doing it. :)
Because this recent fix actually fixed the same problem that the
previous hot fix was suppo
On Jul 7, 2006, at 12:17 PM, Stefan H. Holek wrote:
Tres' patch (removing 'include' and 'raw' altogether) looks fairly
low on violence to me. No reason to drop reST from Zope, IMO.
Well, I wouldn't want to apply the patch for Z3, as we use
reST on the file system and include and raw have leg
Tres' patch (removing 'include' and 'raw' altogether) looks fairly
low on violence to me. No reason to drop reST from Zope, IMO.
Stefan
On 7. Jul 2006, at 17:03, Jim Fulton wrote:
BTW, I suspect that a less violent patch could be created, if
anyone wants to champion TTW reStructuredText suppo
Jim Fulton wrote:
BTW, I suspect that a less violent patch could be created, if
anyone wants to champion TTW reStructuredText support in
Zope 2. Personally, I'm for dropping it.
+1 on dropping it completely, but then I hate all types of structured
text so I doubt I'm in the majority...
Chri
36 matches