This is more of an idea than a proposal at this point, so I thought I would post it here for discussion. There is a fishbowl project for creating an automated Product installation system. Something like Debian and FreeBSD have. Now, one of the issues that has been raised is whether you could make it so that Products could be installed TTW.
As it stands right now, that is not possible since the Zope system user generally would not (and should not) have write access to the Products directory. It also seems there is some doubt as to the merit of TTW product installation. Well, speaking from a human interface perspective, I think a TTW interface for product management would be a good thing[tm] and could be a "bullet point" feature for zope. It would also be useful in making Zope slightly easier for hosting services to deal with. You wouldn't have deal with the shell and therefore it would be greatly more accessible. It would also make "trying out zope" easier and more fun for newbies and damn it, making Zope more fun is what I'm all about 8^) This morning I thought of one potential solution to this whole Product folder write access thing. There needs to be two types of product folders. The standard type, which would continue to work as we have come to know it and a "User Product" directory which would be writable from inside Zope. Now there would be at least two important restrictions on products in the "User Product" directory: 1. Installation of a User Product could not add or change files in the Zope core. 2. User Products can not "Monkey Patch" Zope. Restriction 1 is implicit and doesn't take any additional steps other than setting the Zope lib directory read-only from inside Zope. Restriction 2 is there to protect against trojan products that could easily expose restricted methods and attributes to the web or create deliberate security holes. Now obviously this doesn't prevent this from happening other ways, so this may not be sufficient. How to impose this restriction is not entirely clear to me, but it seems that there should be some way to do it in Python 2.2. Another possible but more severe restriction would be that "User Products" could not access certain attributes like "aq_base" or the like and would be subject to stringent security checking on attribute access. Whether that would be necessary I guess is one of the points of this discussion. Again, we may have to wait for Py 2.2 to make this happen. Now, once there is a "User Products" folder an infrastructure would need to be setup so that products could be downloaded in installed TTW. But that is another story... Whaddaya think? /---------------------------------------------------\ Casey Duncan, Sr. Web Developer National Legal Aid and Defender Association [EMAIL PROTECTED] \---------------------------------------------------/ _______________________________________________ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )