-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Martijn Faassen wrote: > Malthe Borch wrote: >> Martijn Pieters wrote: >>> I object as well, and have asked for Malthe to provide his reasoning >>> here at the Plone Performance Sprint in Bristol, but so far his only >>> motivation is that he wants to see if he can get this to work without >>> a C-extension. I am sceptical he'll be able to, and am not convinced >>> it'll be worth introducing risks. >> The obvious motivation for this is to: >> >> * Reduce code complexity >> * Allow operation in a pure-Python environment >> >> As for cons, any change is a risk and I believe the concensus seen in >> this thread is that it outweighs the above mentioned motivation. > > Allowing operation in a pure-Python environment is a worthwhile goal, > which I support. > > Unless it can be clearly demonstrated that the new method is equivalent > in both performance and security, talk of dropping the C extension seems > somewhat premature. A pure Python fallback for this module would however > be interesting to everybody, I think. > > My suspicion from observing the discussions in this thread so far > indicate that a drop in code complexity doesn't seem to be a necessary > consequence of rewriting to Python either.
I question the *actual* security benefits of making the message IDs truly read-only: I think the real intent is to avoid a common class of programming error, rather than to keep Black Hats out. For that side of the problem, we could use read-only properties for the data, and used something like the '__' prefix for the real backing-store attributes, then only folks who were being silly would ever change them. This is Python, after all: "we're all grownups" should apply. I'm willing to be shown wrong, of course, but I want to see a non-hypothetical attack vector which doesn't involve running trusted code from the filesystem. ;) (smiley because what other kind of code do we have in Z3 applications, anyway?) Tres. - -- =================================================================== Tres Seaver +1 540-429-0999 [email protected] Palladion Software "Excellence by Design" http://palladion.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJQtrc+gerLs4ltQ4RAh6zAKC11lXsLS4aiLEmi97Bst5TXjemOQCeMx3R J4N59zGMJ4+hGY+bq4i8nEY= =Rplt -----END PGP SIGNATURE----- _______________________________________________ Zope-Dev maillist - [email protected] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
