Re: [Zope-dev] Plans for Zope 2.12
Lennart Regebro wrote: On Thu, Jan 22, 2009 at 10:38, Chris Withers ch...@simplistix.co.uk wrote: Note that Jim never explained to me how he does these audits, but I gathered some methods he used in conversations. I think I did a pretty thorough job during the review. Yeah, this disturbs me a lot still though :-S I know the feeling. :) I completely trust that Stephan did a good job if he thinks he did, but I would be happy if we could gather a bunch of smart people to spread the knowledge. Maybe a security review sprint at PyCon, or somesuch? I'd like to hang in a corner and suck up the smartness. :) The problem is that all the PyPy people smart enough to help just go that's a bad idea, go away, and it seems only Jim is really confident enough to say how things should be with RestrictedPython in its current form... cheers, Chris -- Simplistix - Content Management, Zope Python Consulting - http://www.simplistix.co.uk ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Tres Seaver wrote: Ugh. -1 to any attempt to use space suits in Z2. I would rather move to a model which made it easy to mark some / all TTW objects as trusted, disabling security checks altogether: the untrusted users can edit TTW code use case is pretty much irrelevant for any site I have worked on, with the exception of old Zope.org, in ten years of working with Zope. Well yeah, but there's two cases which I bump into a lot: - semi-trusted and clued users editting ttw - paranoia over damage to anything other than the ZODB in the case of a TTW site having its auth compromised. (eg: someone writing their password on a post-it note) For both of these, RestrictedPython working as advertising would be a good thing... cheers, Chris -- Simplistix - Content Management, Zope Python Consulting - http://www.simplistix.co.uk ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
On Thu, Jan 22, 2009 at 10:38, Chris Withers ch...@simplistix.co.uk wrote: Note that Jim never explained to me how he does these audits, but I gathered some methods he used in conversations. I think I did a pretty thorough job during the review. Yeah, this disturbs me a lot still though :-S I know the feeling. :) I completely trust that Stephan did a good job if he thinks he did, but I would be happy if we could gather a bunch of smart people to spread the knowledge. Maybe a security review sprint at PyCon, or somesuch? I'd like to hang in a corner and suck up the smartness. :) Or, I'd love to help in a sprint to move to security proxies. It's a major job of course, and the minimal job is to make proxies that replicate the current very complex and idiosyncratic Zope2 security. At least such a sprint should be able to locate any big problems and impossibilities so we can think of a path to fix that. -- Lennart Regebro: Zope and Plone consulting. http://www.colliberty.com/ +33 661 58 14 64 ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Lennart Regebro wrote: On Thu, Jan 22, 2009 at 10:38, Chris Withers ch...@simplistix.co.uk wrote: Note that Jim never explained to me how he does these audits, but I gathered some methods he used in conversations. I think I did a pretty thorough job during the review. Yeah, this disturbs me a lot still though :-S I know the feeling. :) I completely trust that Stephan did a good job if he thinks he did, but I would be happy if we could gather a bunch of smart people to spread the knowledge. Maybe a security review sprint at PyCon, or somesuch? I'd like to hang in a corner and suck up the smartness. :) Or, I'd love to help in a sprint to move to security proxies. It's a major job of course, and the minimal job is to make proxies that replicate the current very complex and idiosyncratic Zope2 security. At least such a sprint should be able to locate any big problems and impossibilities so we can think of a path to fix that. Ugh. -1 to any attempt to use space suits in Z2. I would rather move to a model which made it easy to mark some / all TTW objects as trusted, disabling security checks altogether: the untrusted users can edit TTW code use case is pretty much irrelevant for any site I have worked on, with the exception of old Zope.org, in ten years of working with Zope. Tres. - -- === Tres Seaver +1 540-429-0999 tsea...@palladion.com Palladion Software Excellence by Designhttp://palladion.com -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJhhrS+gerLs4ltQ4RAmeKAKDZTlDw2MYeMeb3m44MH0DSdnLP+ACfddS/ 9HkJcd4AVUQ0wE/WlFiwmd0= =PH69 -END PGP SIGNATURE- ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Dieter Maurer wrote: Chris Withers wrote at 2009-1-22 09:38 +: ... One thing that myself and Shane talked briefly about on this list was re-implementing the AST manipulation as dissallow-by-default filter rather than a straight manipulation. That way, unexpected stuff should be allowed by default. The terms do not seem to match: disallow-by-default would mean that unexpected stuff would be disallowed by default. Sorry, you're correct, I meant unexpected stuff should be disallowed by default... cheers, Chris -- Simplistix - Content Management, Zope Python Consulting - http://www.simplistix.co.uk ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Shane Hathaway wrote: Chris Withers wrote: I don't think this is such a huge change, it's a change in the style of what RP does already, not a complete re-implementation... OTOH, with Python 3 now released, it seems unlikely that we'll see any new syntax added to Python 2.x. So RP doesn't really need any sort of overhaul until we start switching to Python 3. I'm still curious as to how hard a job this will be, part of me hopes this will be a lot easier than expected ;-) Chris -- Simplistix - Content Management, Zope Python Consulting - http://www.simplistix.co.uk ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Andreas Jung wrote at 2009-1-21 14:55 +0100: ... TARGET=Python 2.6.X ACCEPTABLE=Python 2.5 Python 2.4.X would be basically not acceptable but could be used at your own risk using the --with-python option. ... - - removing ZClasses completely But hopefully provided by a separate package, instead. -- Dieter ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Chris Withers wrote at 2009-1-22 09:38 +: ... One thing that myself and Shane talked briefly about on this list was re-implementing the AST manipulation as dissallow-by-default filter rather than a straight manipulation. That way, unexpected stuff should be allowed by default. The terms do not seem to match: disallow-by-default would mean that unexpected stuff would be disallowed by default. -- Dieter ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Hanno Schlichting wrote at 2009-1-23 19:36 +0100: Wichert Akkerman wrote: Previously Tres Seaver wrote: Andreas Jung wrote: - removing ZClasses completely This is done now. Wow. This was quick! Much quicker than fixing bugs reported in the collector :-( -- Dieter ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 25.01.2009 12:44 Uhr, Dieter Maurer wrote: Hanno Schlichting wrote at 2009-1-23 19:36 +0100: Wichert Akkerman wrote: Previously Tres Seaver wrote: Andreas Jung wrote: - removing ZClasses completely This is done now. Wow. This was quick! Much quicker than fixing bugs reported in the collector :-( Please stop bitching and fix your favorite bugs in the collector. You have svn commit right *wink* Andreas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkl8UsQACgkQCJIWIbr9KYxwrgCgvG3EtVLNxwxQ38ViGMAPgmrT MVUAoOMQgULfvw2PbPaTwyQYCM+fkpb/ =uuOZ -END PGP SIGNATURE- begin:vcard fn:Andreas Jung n:Jung;Andreas org:ZOPYX Ltd. Co. KG adr;quoted-printable:;;Charlottenstr. 37/1;T=C3=BCbingen;;72070;Germany email;internet:i...@zopyx.com title:CEO tel;work:+49-7071-793376 tel;fax:+49-7071-7936840 tel;home:+49-7071-793257 x-mozilla-html:FALSE url:www.zopyx.com version:2.1 end:vcard ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Andreas Jung wrote at 2009-1-25 10:21 +0100: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 25.01.2009 9:27 Uhr, Dieter Maurer wrote: Andreas Jung wrote at 2009-1-21 14:55 +0100: ... TARGET=Python 2.6.X ACCEPTABLE=Python 2.5 Python 2.4.X would be basically not acceptable but could be used at your own risk using the --with-python option. ... - - removing ZClasses completely But hopefully provided by a separate package, instead. Unless someone volunteers for doing a separate package: no. I plan to provide such a package as dm.ZClasses or (maybe) Zope2.ZClasses -- of course with some complaints against the Zope release management in the documentation: * cutting away useful features without any serious need * lacking commitment wrt backward compatibility * enforcing philosophical opinions (applications should be created programmatically not via configuration only (such as with ZClasses)) -- Dieter ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Andreas Jung wrote at 2009-1-25 12:53 +0100: ... - removing ZClasses completely This is done now. Wow. This was quick! Much quicker than fixing bugs reported in the collector :-( Please stop bitching and fix your favorite bugs in the collector. You have svn commit right *wink* I will instead try to preserse useful functionality dropped without need from the Zope core *wink*. -- Dieter ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 25.01.2009 12:56 Uhr, Dieter Maurer wrote: Andreas Jung wrote at 2009-1-25 10:21 +0100: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 25.01.2009 9:27 Uhr, Dieter Maurer wrote: Andreas Jung wrote at 2009-1-21 14:55 +0100: ... TARGET=Python 2.6.X ACCEPTABLE=Python 2.5 Python 2.4.X would be basically not acceptable but could be used at your own risk using the --with-python option. ... - - removing ZClasses completely But hopefully provided by a separate package, instead. Unless someone volunteers for doing a separate package: no. I plan to provide such a package as dm.ZClasses or (maybe) Zope2.ZClasses Thanks for stepping up. -- of course with some complaints against the Zope release management in the documentation: * cutting away useful features without any serious need * lacking commitment wrt backward compatibility We had this discussion about the future of ZClasses already several time. Point taken but I have little interest discussing the same topic over and over again. ZClasses have been deprecated in Zope 2.10 and now they are gone. Users of ZClasses have enough options and a lot of time for modernizing their apps. We don't want and need to support any cruft until doomsday. Andreas - -- ZOPYX Ltd. Co. KG - Charlottenstr. 37/1 - 72070 Tübingen - Germany Web: www.zopyx.com - Email: i...@zopyx.com - Phone +49 - 7071 - 793376 Registergericht: Amtsgericht Stuttgart, Handelsregister A 381535 Geschäftsführer/Gesellschafter: ZOPYX Limited, Birmingham, UK - E-Publishing, Python, Zope Plone development, Consulting -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkl8VrQACgkQCJIWIbr9KYwkLwCfeF4Vc/9DxqC1YmL1yg30JrsJ UvsAoJg8SzglgYOz0RykexTOozQ0ysIk =vlFW -END PGP SIGNATURE- begin:vcard fn:Andreas Jung n:Jung;Andreas org:ZOPYX Ltd. Co. KG adr;quoted-printable:;;Charlottenstr. 37/1;T=C3=BCbingen;;72070;Germany email;internet:i...@zopyx.com title:CEO tel;work:+49-7071-793376 tel;fax:+49-7071-7936840 tel;home:+49-7071-793257 x-mozilla-html:FALSE url:www.zopyx.com version:2.1 end:vcard ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
On Sun, Jan 25, 2009 at 12:56, Dieter Maurer die...@handshake.de wrote: I plan to provide such a package as dm.ZClasses or (maybe) Zope2.ZClasses -- of course with some complaints against the Zope release management in the documentation: * cutting away useful features without any serious need * lacking commitment wrt backward compatibility * enforcing philosophical opinions (applications should be created programmatically not via configuration only (such as with ZClasses)) Oh, please come off it. You have checkin rights and could have stepped up to maintain the code. This is not about enforcing philosophical choices, this is about being pragmatic. If the feature was truely useful, more developers would be maintaining and fixing it. Obviously the complexity of keeping it working is outweighing it's usefulness. -- Martijn Pieters ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Andreas Jung wrote: On 21.01.2009 14:55 Uhr, Andreas Jung wrote: - complete eggification (apparently pretty much done) I tried to make an old-style full-tarball release yesterday and ran into a problem. The setup.py in the created tarball references the 'src' folder in some steps, which isn't available in the full-tarball release (it's all in old lib/python). As setup.py is also used for the cmmi dance, you couldn't build or install from the generated tarball. At least the idea so far has been to replace the Zope2 SVN trunk in its current form with the Zope2-egg structure at which point the above needs to work. We have to define what eggification means exactly. By now the Zope2.buildout seems to work fine with Python 2.4-2.6. I think we want to see Zope2 being easy_install-able. This means basically: - a source code release of Zope 2 can be done using (python2.X setup.py sdist (upload) - a user can easy_install Zope 2 from PyPI Hurdle: - setup.py defines all dependencies without version information (which is kept in the versions-zope2|3.cfg files. In order to make the version information available information I added the setup2.py file to the Zope2.buildout/trunk codebase (for experimenting). However this approach does not work with the dev packages like zope.app.locales. Also working with zc.sourcerelease won't solve this issue. Any idea how to deal with that? We just need new releases for all those packages. I'm willing to do those, but need PyPi access to all of them [1]. I asked Stephan Richter in a private mail for that already. If someone else can provide me with access, that would be awesome :) As a second step I think we should at least provide the versions.cfg file in a public well defined location. Zope3 has this as http://download.zope.org/zope3.4/versions.cfg and Plone has http://dist.plone.org/release/3.2/versions.cfg If we can make it part of the release process to make the versions.cfg file available at maybe: http://download.zope.org/zope2/2.12.0a1/versions.cfg that would be a good first step. I see value in a simple minimal index like Zope3 has in http://download.zope.org/zope3.4/minimal-3.4.0c7/ but that needs someone to figure out the exact process to maintain it. Hanno [1] zope.copypastemove, zope.dublincore, zope.formlib, zope.sendmail, zope.viewlet, zope.app.http, zope.app.locales ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Andreas Jung wrote: - complete eggification (apparently pretty much done) We have to define what eggification means exactly. By now the Zope2.buildout seems to work fine with Python 2.4-2.6. I think we want to see Zope2 being easy_install-able. This means basically: - a source code release of Zope 2 can be done using (python2.X setup.py sdist (upload) - a user can easy_install Zope 2 from PyPI Hurdle: - setup.py defines all dependencies without version information (which is kept in the versions-zope2|3.cfg files. In order to make the version information available information I added the setup2.py file to the Zope2.buildout/trunk codebase (for experimenting). However this approach does not work with the dev packages like zope.app.locales. Also working with zc.sourcerelease won't solve this issue. Any idea how to deal with that? It's possible to have egg dependencies on development versions of other eggs so long as there is an svn egg link on the pypi page. For example in zope.sqlalchemy's pypi page I include a link like to: svn://svn.zope.org/repos/main/zope.sqlalchemy/trunk#egg=zope.sqlalchemy-dev And in the past I have had the trunk setup.py instal_requires include: 'SQLAlchemy=0.5.0beta3dev-r4954', or 'SQLAlchemy=0.4.7dev', Laurence ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Previously Laurence Rowe wrote: It's possible to have egg dependencies on development versions of other eggs so long as there is an svn egg link on the pypi page. For example in zope.sqlalchemy's pypi page I include a link like to: svn://svn.zope.org/repos/main/zope.sqlalchemy/trunk#egg=zope.sqlalchemy-dev And in the past I have had the trunk setup.py instal_requires include: 'SQLAlchemy=0.5.0beta3dev-r4954', or 'SQLAlchemy=0.4.7dev', Which also shows that using a setup.cfg to put revision numbers in dev versions is extremely useful :) Wichert. -- Wichert Akkerman wich...@wiggy.netIt is simple to make things. http://www.wiggy.net/ It is hard to make things simple. ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Martijn Pieters wrote at 2009-1-25 13:29 +0100: On Sun, Jan 25, 2009 at 12:56, Dieter Maurer die...@handshake.de wrote: I plan to provide such a package as dm.ZClasses or (maybe) Zope2.ZClasses -- of course with some complaints against the Zope release management in the documentation: * cutting away useful features without any serious need * lacking commitment wrt backward compatibility * enforcing philosophical opinions (applications should be created programmatically not via configuration only (such as with ZClasses)) Oh, please come off it. You have checkin rights and could have stepped up to maintain the code. The last necessity to do something with ZClasses was for Zope 2.8. Then, Jim did the work. There was no need now to ditch ZClasses. For me, it looks like hostility towards building applications via menues rather than programming. This is not about enforcing philosophical choices, this is about being pragmatic. If the feature was truely useful, more developers would be maintaining and fixing it. Obviously the complexity of keeping it working is outweighing it's usefulness. I do not see something obvious here. I do not know how much work Jim has invested for Zope 2.8 but I am almost sure that other efforts since then have at most been in the order of hours (probably nothing at all). You will now get an externally maintained ZClasses implementation and I am quite confident that the necessary effort will be small (though larger of course then when it remained part of Zope). If you like I report back or even better I document it. -- Dieter ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 25.01.2009 20:09 Uhr, Dieter Maurer wrote: Martijn Pieters wrote at 2009-1-25 13:29 +0100: On Sun, Jan 25, 2009 at 12:56, Dieter Maurer die...@handshake.de wrote: I plan to provide such a package as dm.ZClasses or (maybe) Zope2.ZClasses -- of course with some complaints against the Zope release management in the documentation: * cutting away useful features without any serious need * lacking commitment wrt backward compatibility * enforcing philosophical opinions (applications should be created programmatically not via configuration only (such as with ZClasses)) Oh, please come off it. You have checkin rights and could have stepped up to maintain the code. The last necessity to do something with ZClasses was for Zope 2.8. Then, Jim did the work. There was no need now to ditch ZClasses. For me, it looks like hostility towards building applications via menues rather than programming. Please stop the discussion. The majority of Zope developers considers the ZClasses programming model as not up2date and not flexible enough when it comes to extensibility and scalability. That's why we don't want ZClasses being part of Zope 2 anymore. This has been our message for years. ZClasses are deprecated since Zope 2.10 and now it's time to say goodbye. This is not about enforcing philosophical choices, this is about being pragmatic. If the feature was truely useful, more developers would be maintaining and fixing it. Obviously the complexity of keeping it working is outweighing it's usefulness. I do not see something obvious here. I do not know how much work Jim has invested for Zope 2.8 but I am almost sure that other efforts since then have at most been in the order of hours (probably nothing at all). You will now get an externally maintained ZClasses implementation and I am quite confident that the necessary effort will be small (though larger of course then when it remained part of Zope). If you like I report back or even better I document it. All ZClasses user will appreciate your work as we do stepping in but you should accept that your opinion on ZClasses does not reflect the majority of the other Zope developers. Andreas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkl8u1IACgkQCJIWIbr9KYzecwCg4UKyjiM03R529qZ397OU4QZB Pt0An3udA2BBvRvvG3z/1HR4+OQfvcID =xOLE -END PGP SIGNATURE- begin:vcard fn:Andreas Jung n:Jung;Andreas org:ZOPYX Ltd. Co. KG adr;quoted-printable:;;Charlottenstr. 37/1;T=C3=BCbingen;;72070;Germany email;internet:i...@zopyx.com title:CEO tel;work:+49-7071-793376 tel;fax:+49-7071-7936840 tel;home:+49-7071-793257 x-mozilla-html:FALSE url:www.zopyx.com version:2.1 end:vcard ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Andreas Jung wrote at 2009-1-25 20:19 +0100: ... Please stop the discussion. The majority of Zope developers considers the ZClasses programming model as not up2date and not flexible enough when it comes to extensibility and scalability. That's why we don't want ZClasses being part of Zope 2 anymore. We see clearly: philosophical opinions -- not complexity of keeping it working -- Dieter ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 25.01.2009 20:34 Uhr, Dieter Maurer wrote: Andreas Jung wrote at 2009-1-25 20:19 +0100: ... Please stop the discussion. The majority of Zope developers considers the ZClasses programming model as not up2date and not flexible enough when it comes to extensibility and scalability. That's why we don't want ZClasses being part of Zope 2 anymore. We see clearly: philosophical opinions -- not complexity of keeping it working The ZClasses discussion is over - point. Andreas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkl9QX4ACgkQCJIWIbr9KYyWOgCfeBYI+75faITRfzSGH4DFGgle uUsAoKGx8Oq0UyXk23oDAANvmK3DdD2m =gsrE -END PGP SIGNATURE- begin:vcard fn:Andreas Jung n:Jung;Andreas org:ZOPYX Ltd. Co. KG adr;quoted-printable:;;Charlottenstr. 37/1;T=C3=BCbingen;;72070;Germany email;internet:i...@zopyx.com title:CEO tel;work:+49-7071-793376 tel;fax:+49-7071-7936840 tel;home:+49-7071-793257 x-mozilla-html:FALSE url:www.zopyx.com version:2.1 end:vcard ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 21.01.2009 14:55 Uhr, Andreas Jung wrote: - complete eggification (apparently pretty much done) We have to define what eggification means exactly. By now the Zope2.buildout seems to work fine with Python 2.4-2.6. I think we want to see Zope2 being easy_install-able. This means basically: - a source code release of Zope 2 can be done using (python2.X setup.py sdist (upload) - a user can easy_install Zope 2 from PyPI Hurdle: - setup.py defines all dependencies without version information (which is kept in the versions-zope2|3.cfg files. In order to make the version information available information I added the setup2.py file to the Zope2.buildout/trunk codebase (for experimenting). However this approach does not work with the dev packages like zope.app.locales. Also working with zc.sourcerelease won't solve this issue. Any idea how to deal with that? Andreas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkl8DwgACgkQCJIWIbr9KYwCsQCg6Q08PLPptM6jCRQQ9HIqBxGc aKcAniHpd5h4cVInJmmOS33XZh9yGZJ2 =mpyi -END PGP SIGNATURE- begin:vcard fn:Andreas Jung n:Jung;Andreas org:ZOPYX Ltd. Co. KG adr;quoted-printable:;;Charlottenstr. 37/1;T=C3=BCbingen;;72070;Germany email;internet:i...@zopyx.com title:CEO tel;work:+49-7071-793376 tel;fax:+49-7071-7936840 tel;home:+49-7071-793257 x-mozilla-html:FALSE url:www.zopyx.com version:2.1 end:vcard ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Previously Tres Seaver wrote: Andreas Jung wrote: - removing ZClasses completely - -0. I don't want to invest effort in maintaining them, but if they are still working for people in 2.11, I don't think we need to rip them out. +1 There is a whole lot of legacy code surrounding Zope startup and the persistent control panel that is only there to support ZClasses. Removing them would allow for a lot of further cleanups in a particularly crufty part of the Zope2 codebase. - how do to a traditional SVN checkout of the Zope 2 and the related Zope 3 modules? The Zope2.buildout maintains its dependencies through a KGS - the old-style SVN checkout uses svn:external. I think there is a need for having both and don't know of a save way for keeping the svn:externals and the KGS in sync (without additional manual effort). I'm actually willing to abandon the big tree altogether, unless somebody comes up with a clever way to automate it from some Z2-specific KGS index. I think the canonical source install would be something like a tarball of a buildout tree, with the 'download-cache' directory already populated (maybe). Judging by the awesome lack of interest in a Zope 3 big tree release, and observing that Zope 2 is going down a similar eggification path I see no reason to keep a big tree for Zope 2 long term. Wichert. -- Wichert Akkerman wich...@wiggy.netIt is simple to make things. http://www.wiggy.net/ It is hard to make things simple. ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
On Jan 22, 2009, at 9:34 PM, Tres Seaver wrote: I'm actually willing to abandon the big tree altogether, unless somebody comes up with a clever way to automate it from some Z2- specific KGS index. I think the canonical source install would be something like a tarball of a buildout tree, with the 'download-cache' directory already populated (maybe). Yup (sort a). See zc.sourcerelease. Jim -- Jim Fulton Zope Corporation ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
On Friday 23 January 2009, Wichert Akkerman wrote: I'm actually willing to abandon the big tree altogether, unless somebody comes up with a clever way to automate it from some Z2-specific KGS index. I think the canonical source install would be something like a tarball of a buildout tree, with the 'download-cache' directory already populated (maybe). Judging by the awesome lack of interest in a Zope 3 big tree release, and observing that Zope 2 is going down a similar eggification path I see no reason to keep a big tree for Zope 2 long term. Note that I have a script in zope.release that can update a big tree. The Zope 3.4 release will feature an update of that tree. Now that I have this script, I can use it for future releases, but we'll probably fade it out soon. (I just feel really bad not providing a migration path; note that people working with Zope 3.3 have probably never seen an egg-based release.) Regards, Stephan -- Stephan Richter Web Software Design, Development and Training Google me. Zope Stephan Richter ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Wichert Akkerman wrote: Previously Tres Seaver wrote: Andreas Jung wrote: - removing ZClasses completely This is done now. There is a whole lot of legacy code surrounding Zope startup and the persistent control panel that is only there to support ZClasses. Removing them would allow for a lot of further cleanups in a particularly crufty part of the Zope2 codebase. I removed the code that was obviously only used to support ZClasses. I expect there to be more that could be deprecated or removed after further inspection. Anyone is welcome to contribute to that ;) Hanno ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Andreas Jung wrote: - - removing ZClasses completely ...into a seperate egg/product, right? - - how do to a traditional SVN checkout of the Zope 2 and the related Zope 3 modules? The Zope2.buildout maintains its dependencies through a KGS - the old-style SVN checkout uses svn:external. I think there is a need for having both and don't know of a save way for keeping the svn:externals and the KGS in sync (without additional manual effort). Why do we need the old-style svn:external? If they really need to be kept in sync, then I'd suggest a tag creation script that created the svn tag from the kgs in question... cheers, Chris -- Simplistix - Content Management, Zope Python Consulting - http://www.simplistix.co.uk ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Stephan Richter wrote: On Wednesday 21 January 2009, Andreas Jung wrote: - RestrictedPython security audit: such an audit has been made by Stefan and Sidnei. I am not qualified to speak about the correctness of the audit. I assume they know what they were doing. Unless objections one might consider this issue as resolved - if not, please speak up. Note that Jim never explained to me how he does these audits, but I gathered some methods he used in conversations. I think I did a pretty thorough job during the review. Yeah, this disturbs me a lot still though :-S It's a shame Jim has so little time to spend on this... It's also a shame that no one seems to be able to get any sense out of the PyPy guys in this area... One thing that myself and Shane talked briefly about on this list was re-implementing the AST manipulation as dissallow-by-default filter rather than a straight manipulation. That way, unexpected stuff should be allowed by default. That feels like it might be a lot safer when it comes to python version changes, but I must admit, I haven't looked closely enough to give a definitive answer... cheers, Chris -- Simplistix - Content Management, Zope Python Consulting - http://www.simplistix.co.uk ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 22.01.2009 10:38 Uhr, Chris Withers wrote: Stephan Richter wrote: On Wednesday 21 January 2009, Andreas Jung wrote: - RestrictedPython security audit: such an audit has been made by Stefan and Sidnei. I am not qualified to speak about the correctness of the audit. I assume they know what they were doing. Unless objections one might consider this issue as resolved - if not, please speak up. Note that Jim never explained to me how he does these audits, but I gathered some methods he used in conversations. I think I did a pretty thorough job during the review. Yeah, this disturbs me a lot still though :-S It's a shame Jim has so little time to spend on this... Take your hat and collect some money for hiring Jim :-) It's also a shame that no one seems to be able to get any sense out of the PyPy guys in this area... One thing that myself and Shane talked briefly about on this list was re-implementing the AST manipulation as dissallow-by-default filter rather than a straight manipulation. That way, unexpected stuff should be allowed by default. That feels like it might be a lot safer when it comes to python version changes, but I must admit, I haven't looked closely enough to give a definitive answer... You know the difference between fiction and the reality. We have RP now and have to deal with it within a reasonable amount of time. Andreas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkl4Wp4ACgkQCJIWIbr9KYxNnwCeOcvTqwCPsoXvPFh6lJ03+un2 NaEAn2kU7climKJQXvnnmOhJPJ3ZVkhJ =fUMO -END PGP SIGNATURE- begin:vcard fn:Andreas Jung n:Jung;Andreas org:ZOPYX Ltd. Co. KG adr;quoted-printable:;;Charlottenstr. 37/1;T=C3=BCbingen;;72070;Germany email;internet:i...@zopyx.com title:CEO tel;work:+49-7071-793376 tel;fax:+49-7071-7936840 tel;home:+49-7071-793257 x-mozilla-html:FALSE url:www.zopyx.com version:2.1 end:vcard ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Andreas Jung wrote: It's a shame Jim has so little time to spend on this... Take your hat and collect some money for hiring Jim :-) Zope Corp chose to assume the Zope brand for themselves, given the prevelence of Zope 2 and RestrictedPython, it'd be nice if they could devote some of Jim's time to this... One thing that myself and Shane talked briefly about on this list was re-implementing the AST manipulation as dissallow-by-default filter rather than a straight manipulation. That way, unexpected stuff should be allowed by default. That feels like it might be a lot safer when it comes to python version changes, but I must admit, I haven't looked closely enough to give a definitive answer... You know the difference between fiction and the reality. We have RP now and have to deal with it within a reasonable amount of time. I don't think this is such a huge change, it's a change in the style of what RP does already, not a complete re-implementation... Chris -- Simplistix - Content Management, Zope Python Consulting - http://www.simplistix.co.uk ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
While we are at it... The biggest offender is the zodbcode package, which does not appear to pass its tests at all under Python 2.6. Not having investigated this further I can imagine three courses of action: 1) Fix zodbcode (me shrugs) 2) Exclude zodbcode tests from the test suite 3) Remove zodbcode from Zope 2 (who's using it anyway?) Stefan On 21.01.2009, at 14:55, Andreas Jung wrote: - focus on Python 2.6 support for the final release (although there are still some tests failing - more than with Python 2.5). Possibly focus on Python 2.5 support for the alpha phase. Not sure if we want to support Python 2.5 and 2.6 officially at the same time. With the current classification of Python versions within the configure script I would suggest: TARGET=Python 2.6.X ACCEPTABLE=Python 2.5 Python 2.4.X would be basically not acceptable but could be used at your own risk using the --with-python option. ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Andreas Jung wrote: Hi there, based on an earlier Zope 2.12 thread http://mail.zope.org/pipermail/zope-dev/2008-October/033572.html I propose that we get out an alpha version of Zope 2.12 by end of February. http://mail.zope.org/pipermail/zope-dev/2008-October/033572.html Major changes: - dropping Python 2.4 support officially (Python 2.4 is no longer officially supported by the Python developers so we can not safely support it) - focus on Python 2.6 support for the final release (although there are still some tests failing - more than with Python 2.5). Possibly focus on Python 2.5 support for the alpha phase. Not sure if we want to support Python 2.5 and 2.6 officially at the same time. With the current classification of Python versions within the configure script I would suggest: TARGET=Python 2.6.X ACCEPTABLE=Python 2.5 Python 2.4.X would be basically not acceptable but could be used at your own risk using the --with-python option. - complete eggification (apparently pretty much done) - reducing Zope 3 dependencies (apparently pretty much done) Kudos to Hanno and others for the work, here. - removing ZClasses completely - -0. I don't want to invest effort in maintaining them, but if they are still working for people in 2.11, I don't think we need to rip them out. - ship with ZODB 3.9 (currently in alpha stage) I would add: - - Rip out remaining support for raising / hooking string exceptions, mostly becuase it makes things messier, and will need to go for 2.6 compatibility anyway. - - Fix any other deprecation warnings emitted by either the testrunner or by startup (there is one in zope.configuration right now which shows in in an ftest layer). Rough edges/open points I encountered so far: - RestrictedPython security audit: such an audit has been made by Stefan and Sidnei. I am not qualified to speak about the correctness of the audit. I assume they know what they were doing. Unless objections one might consider this issue as resolved - if not, please speak up. I believe we can reasonably trust the effort Stephan and Sidnei made, here. - creation of some skripts e.g. mkzeoinstance when easy_install-ing the Zope 2 source distro does not seem to work or it is still missing - how do to a traditional SVN checkout of the Zope 2 and the related Zope 3 modules? The Zope2.buildout maintains its dependencies through a KGS - the old-style SVN checkout uses svn:external. I think there is a need for having both and don't know of a save way for keeping the svn:externals and the KGS in sync (without additional manual effort). I'm actually willing to abandon the big tree altogether, unless somebody comes up with a clever way to automate it from some Z2-specific KGS index. I think the canonical source install would be something like a tarball of a buildout tree, with the 'download-cache' directory already populated (maybe). Tres. - -- === Tres Seaver +1 540-429-0999 tsea...@palladion.com Palladion Software Excellence by Designhttp://palladion.com -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJeSzB+gerLs4ltQ4RArG6AJ94PDULNCka4+hN3kV6iUZdH2DUuQCfdyz+ dJVpFknWxqmIrZ/gZYeuVZM= =M4xx -END PGP SIGNATURE- ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
Chris Withers wrote: I don't think this is such a huge change, it's a change in the style of what RP does already, not a complete re-implementation... OTOH, with Python 3 now released, it seems unlikely that we'll see any new syntax added to Python 2.x. So RP doesn't really need any sort of overhaul until we start switching to Python 3. Shane ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Plans for Zope 2.12
On Wednesday 21 January 2009, Andreas Jung wrote: - RestrictedPython security audit: such an audit has been made by Stefan and Sidnei. I am not qualified to speak about the correctness of the audit. I assume they know what they were doing. Unless objections one might consider this issue as resolved - if not, please speak up. Note that Jim never explained to me how he does these audits, but I gathered some methods he used in conversations. I think I did a pretty thorough job during the review. - how do to a traditional SVN checkout of the Zope 2 and the related Zope 3 modules? The Zope2.buildout maintains its dependencies through a KGS - the old-style SVN checkout uses svn:external. I think there is a need for having both and don't know of a save way for keeping the svn:externals and the KGS in sync (without additional manual effort). You can write the svn:externals via a script. I did that for the big Zope 3 tree in zope.release. http://svn.zope.org/zope.release/branches/3.4/src/zope/release/tree.py?rev=81907view=auto The documentation is here: http://svn.zope.org/zope.release/branches/3.4/src/zope/release/README.txt?rev=81907view=auto Regards, Stephan -- Stephan Richter Web Software Design, Development and Training Google me. Zope Stephan Richter ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )