This upgrade system doesn't seem to work very well, or at least not as
expected. First off, it needs to be:

easy_install -Ui http://turbogears.org/2.0/downloads/current/index/ TurboGears2

to actually pull 2.0.3, without index in the URL it doesn't seem to
really do anything. Secondly it only updates that one package, but
none of its dependencies...after performing both versions, my Repoze
installed is still at 1.0.10, when it should be now at 1.0.15.
Personally, I'm just gonna do a new virtual environment with a fresh
install...but would be nice to be able to upgrade All :/

(cross posted from trunk list)

On Aug 13, 3:22 am, Jorge Vargas <[email protected]> wrote:
> On Wed, Aug 12, 2009 at 10:38 PM, El Tea<[email protected]> wrote:
>
> The biggest problem with answering this is that you may be doing bad
> things that are completely away from TG. For example there is no way for
> TG to validate that you are not storing credit card data in your
> database.
>
> > I could really use a pointer to a set of documentation somewhere that
> > lists all the requirements for securing my site.  I would think it
> > would include changing this "secret", getting the site out of debug
> > mode, and maybe even validating every form (even if you don't assign a
> > validator to a field - which I am hoping escapes injection attacks).
>
> Injection attacks are something that is caught at the SA level. In
> theory its query builder and object layer will catch all attempts at
> it. I say in theory because a bug may be found or you could be using
> sqlalchemy.sql.TEXT
>
> > I expect TG is used by many professionals - but many people like
> > myself as well, who are not well experienced in web architectures and
> > SQL.  That's why I use TG - to abstract away and simplify, but I feel
> > like it may leave my site and/or database open to vulnerabilities
> > because I don't grasp all the nuances.
>
> Sadly this is not a TG issue. And even though I agree TG should tell
> you all you need to do to close the holes TG opens we can't tell you
> how to close the holes you open.
>
> > My previous approach was to buy Mark's book - and it was great, but
> > I've since moved on to TG2.  Is there any page of mandatory steps and
> > best practices to properly secure a TG2 site?
>
> I don't think there is. That should be a chapter on the deployment guides.
>
>
>
> > Mike
>
> > On Aug 12, 9:47 am, Antoine Pitrou <[email protected]> wrote:
> >> On Aug 12, 3:16 am, Mark Ramm <[email protected]> wrote:
>
> >> > You can also set it in development.ini using a key like:
>
> >> > sa_auth.cookie_secret = "mysupersecret"
>
> >> In [app:main] I assume?
>
>
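
The difference the quoted reply draws between SQLAlchemy's query builder and raw SQL text, as an added example that is not part of the original thread. It assumes a current SQLAlchemy where the raw-SQL construct is `text()`; the `users` table, its rows, the function names and the input value are all constructed for illustration.

```python
# Added example (not from the thread); table, rows and names are constructed.
from sqlalchemy import Column, Integer, MetaData, String, Table, create_engine, text

metadata = MetaData()
users = Table(
    "users", metadata,
    Column("id", Integer, primary_key=True),
    Column("name", String),
)


def make_connection():
    """Open an in-memory SQLite database holding two constructed rows."""
    conn = create_engine("sqlite://").connect()
    metadata.create_all(conn)
    conn.execute(users.insert(), [{"name": "alice"}, {"name": "bob"}])
    return conn


def find_interpolated(conn, name):
    # Unsafe: the value is pasted into the SQL string before SQLAlchemy
    # sees it, so quotes in the value become part of the statement.
    sql = text("SELECT name FROM users WHERE name = '%s'" % name)
    return [row[0] for row in conn.execute(sql)]


def find_bound(conn, name):
    # Safe raw SQL: :name is a bind parameter, so the value travels to the
    # database separately from the statement text.
    sql = text("SELECT name FROM users WHERE name = :name")
    return [row[0] for row in conn.execute(sql, {"name": name})]


def find_builder(conn, name):
    # Query builder: compared values are always emitted as bind parameters.
    query = users.select().where(users.c.name == name)
    return [row[1] for row in conn.execute(query)]  # row is (id, name)
```

Reviewing a TG2 code base for this comes down to finding every `text()` call or raw `execute()` string built with `%`, `+` or `.format()` and converting it to bind parameters.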