Martijn Faassen wrote:
> Malthe Borch wrote:
>> Martijn Pieters wrote:
>>> I object as well, and have asked for Malthe to provide his reasoning
>>> here at the Plone Performance Sprint in Bristol, but so far his only
>>> motivation is that he wants to see if he can get this to work without
>>> a C-extension. I am sceptical he'll be able to, and am not convinced
>>> it'll be worth introducing risks.
>> The obvious motivation for this is to:
>> * Reduce code complexity
>> * Allow operation in a pure-Python environment
>> As for cons, any change is a risk and I believe the consensus seen in
>> this thread is that it outweighs the above mentioned motivation.
> Allowing operation in a pure-Python environment is a worthwhile goal,
> which I support.
> Unless it can be clearly demonstrated that the new method is equivalent
> in both performance and security, talk of dropping the C extension seems
> somewhat premature. A pure Python fallback for this module would however
> be interesting to everybody, I think.
> My suspicion from observing the discussions in this thread so far
> indicates that a drop in code complexity doesn't seem to be a necessary
> consequence of rewriting to Python either.
I question the *actual* security benefits of making the message IDs
truly read-only: I think the real intent is to avoid a common class of
programming error, rather than to keep Black Hats out.
For that side of the problem, we could use read-only properties for the
data, and use something like the '__' prefix for the real backing-store
attributes, then only folks who were being silly would ever change them.
This is Python, after all: "we're all grownups" should apply. I'm
willing to be shown wrong, of course, but I want to see a
non-hypothetical attack vector which doesn't involve running trusted
code from the filesystem. ;) (smiley because what other kind of code do
we have in Z3 applications, anyway?)
Tres Seaver +1 540-429-0999 tsea...@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
Zope-Dev maillist - Zope-Dev@zope.org
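
The read-only-property approach suggested in the message above, as an added sketch that is not code from the thread or from the Zope code base. The class name `ReadOnlyMessage`, its `domain` and `default` fields, and the `try_assign` and `audit` helpers are assumptions for illustration; the sketch shows that plain assignment is rejected while a deliberate write through the name-mangled attribute still succeeds, so the pattern guards against programming errors rather than acting as a security boundary.

```python
class ReadOnlyMessage(str):
    """Hypothetical pure-Python message ID: a str carrying read-only metadata."""

    def __new__(cls, msgid, domain=None, default=None):
        self = super().__new__(cls, msgid)
        # The '__' prefix triggers name mangling: these are actually stored
        # as _ReadOnlyMessage__domain and _ReadOnlyMessage__default.
        self.__domain = domain
        self.__default = default
        return self

    @property
    def domain(self):
        # No setter is defined, so "msg.domain = x" raises AttributeError.
        return self.__domain

    @property
    def default(self):
        return self.__default


def try_assign(obj, name, value):
    """Return True if attribute assignment succeeded, False if it was rejected."""
    try:
        setattr(obj, name, value)
    except AttributeError:
        return False
    return True


def audit(msg):
    """Check which kinds of write the read-only pattern actually stops."""
    results = {}
    # The accidental write: assigning to the public name.
    results["public_assign_blocked"] = not try_assign(msg, "domain", "other")
    # The deliberate write: going through the mangled backing attribute.
    mangled = "_%s__domain" % type(msg).__name__
    results["mangled_assign_blocked"] = not try_assign(msg, mangled, "other")
    results["domain_after"] = msg.domain
    return results


if __name__ == "__main__":
    # Constructed sample values, not taken from any real catalog.
    sample = ReadOnlyMessage("label-title", domain="example", default="Title")
    print(audit(sample))
```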