Hello All, And as you may know, I maintain Spyne. I also wrote most of it. Also, correct me if I'm wrong here, Spyne is the oldest maintained Soap codebase written in Python. It's also WS-I compliant.
First, this long post won't conclude that Spyne is best and we should all use it. I'll say something different. Please read on. I'm sure we all agree that implementing a SOAP library is a huge undertaking. Implementing SOAP really means implementing Xml Schema, Wsdl 1.1 Wsdl 2.0 Soap 1.1 and Soap 1.2 standards, both in a client and server setting. Implementing daemons in Python is also a minefield. Depending on the project requirements, you need to use gevent, twisted or WSGI and learn about quirks of its many implementations etc. Without a proper abstraction in place, it is very difficult to switch between these. Spyne is not just a Soap library anymore, it also became that abstraction. Because that's what I had fun working on. There's more than 1000 commit difference between 2.10 and 2.11. There's a lot more goodies in there but lower level efforts make up the bigger part of the 2.11 effort. So if you go your your own way and re-implement Soap from the ground up, you'll run into the issues we already ran into, and you'll have to deal with them just like we had to. Perhaps you'll end up with a more complete Soap implementation than Spyne, but you'll also have a less robust RPC codebase than Spyne. A couple of concrete examples: 1) For an xsd:sequence (the default class declaration method in both soapbox and spyne) to pass validation, the tags in it must be *in the same order it's defined in the wsdl document*. I'm looking at this example and seeing the same naive mistake that we did in Spyne: https://github.com/FelixSchwarz/soapbox-bsd/blob/master/examples/xml_complex_types.py The field order in the sequence is defined by the dict passed to xsd.ComplexType metaclass. The order in python dicts are *random* and change according to a wild array of factors, especially now that we have PYTHONHASHSEED=random as an option. So when you add an innocent new field to an existing object declaration, be ready to have all cached wsdl documents invalidated. See https://github.com/arskom/spyne/pull/313 and https://github.com/arskom/spyne/pull/343 to see how we solved that problem. Fixing it in Python 2 wasn't easy! 2) what are your precautions for parsing XML documents from untrusted sources? https://github.com/FelixSchwarz/soapbox-bsd/blob/31aff9f5825f1d6520a84bd938663851a45b5a03/soapbox/xsd.py#L859 None, from what I can tell. This part of spyne documentation is full of security-related xml links: http://spyne.io/docs/2.10/reference/protocol/xml.html#spyne.protocol.xml._base.XmlDocument The most famous one: https://en.wikipedia.org/wiki/Billion_laughs 3) Are you using incremental xml generation? Can you produce a 8 gigabyte xml document without having it all in memory with SoapBox? Apparently not: https://github.com/FelixSchwarz/soapbox-bsd/blob/31aff9f5825f1d6520a84bd938663851a45b5a03/soapbox/xsd.py#L920 With Spyne 2.11, you can, thanks to lxml's incremental generation api. I could go on and on. (The above points also apply to PySimpleSoap but I'm don't want to compare it with Spyne as PySimpleSoap's code is really naive and seemingly deliberately so as it says simple right there in the project's name. I feel the two projects serve two very different audiences. ) So my point is: If you go and make rude statements like this: On 05/09/14 17:30, Felix Schwarz wrote: > (Disclaimer: I'm one of the maintainers of "soapbox-bsd".) > > I think you should check out soapbox-bsd which is the only real option for > server-side SOAP in Python: https://github.com/FelixSchwarz/soapbox-bsd you're not doing open source. (only *real* option? come on, Felix Schwarz, you shouldn't be so full of yourself) Open source is about collaboration. What I'm seeing so far is not a willingness to collaborate but wasteful chest-pounding fed by ignorance about the delicacies of our craft I'm sadly used to see in corporate environments. You may or may not like Spyne, or PySimpleSoap or, soapbox, (or Ladon, it did Soap with Python last time I looked as well). None of them are perfect. But you must recognise that 1) everybody will benefit from unifying these efforts. 2) our lives will be made easier once the iniatial integration works are done with, because now we're a team. So here's what I suggest: Let's put our egos aside, look at each other's code, identify the strengths of each project, make sacrifices and unify Soap efforts in Python. If doing my part will mean doing a git rm -r spyne/protocol/soap or git rm -r spyne/interface/wsdl and simply import an adapter for SoapBox when importing spyne.protocol.soap, i'll do it, provided it will result in a better Soap experience for Spyne users. So, awaiting your feedback. Best regards, Burak _______________________________________________ Soap mailing list [email protected] https://mail.python.org/mailman/listinfo/soap
