Tres Seaver wrote:
The change from 2.4 to 2.5 is *massively* disruptive for a framework
like Zope:  much more so than any change since 2.2, I think (maybe even
2.0/2.1).  The hardest bit is the change to the way the compiler works:
 RestrictedPython is completely incompatible with the new AST-based

Yup.  Also, everything I've tried (I haven't tried much) has had test
breakage.  Most of this is probably shallow, but it will take some time to
sort it all out.

As we move toward splitting things up into eggs, people can help out by
getting things working on an egg-by-egg basis.

So unless a volunteer steps up to do lots of hard work between now and
march next year, let's stick with Python 2.4. Otherwise let's plan it in
for Zope 3.5 and Zope 2.12
I really really really hope it doesn't take that long to be able to
at least run on Python 2.5: even if it has to be with some caveats or
mild warnings.

If security and restricted python / security proxies are the main
issue, what about if one is running Zope sites with absolutely ZERO
through the web code - no page templates, nothing - can't there be a
lighter weight security implementation that wouldn't take half a year
of "lots of hard work"?

Even if you have no templates defined TTW, Zope3's security machiner
still needs some support from RestrictedPython for handling
filesystem-based templates.

File-system-based templates are trusted in Zope 3. (I wonder if 
templates are still untrusted in Zope 2.) Still official
releases have to be backward compatible and thus have to support TTW

I very much hope that will switch to egg-based development and distribution
over the coming months.  If we do that, it might be possible and would
be interesting for people to create alternate distributions focused on
on different needs.  It would be interesting to have distributions that
didn't support untrusted Python code.


Zope3-dev mailing list

Reply via email to