Wichert Akkerman wrote:
Previously Raphael Ritz wrote:
For two reasons I'm not so sure:

1. PIL isn't necessarily the most trivial package to install
  and as of now we didn't require our users to fiddle with
 their Python installation (except for providing an appropriate
 version).

I suspect (but I can't prove that) that most users will want to use PIL
and they can be divided in two categories:

- people who just want Plone to work. These people should use the full
installers, which already install PIL as far as I know.
AFAICT that's correct
This group
  will also be hurt by image rescaling not working normally
but this won't be an issue anyway for those if the above is correct.
- Plone developers who want to work with the Plone stack directly and
  install from sources (either .tar.gz, .zip or subversion). I would
  expect this group to have enough clue to be able to install PIL as
  well.
2. I do run sites where we didn't install PIL simply because
 we aren't specifically dealing with images on them.

That puts you firmly into the second category.

Looking at the code it should be quite simple to remove the hard PIL
dependency though.
I didn't want to imply that this would be hard to do.
All I'm asking in the end is whether this was a conscious decision
or just an oversight as this differs from our current policy.
A (very quick) look at the code does suggest that
doing so might introduce a security risk: it will also remove a real
sanity-check that a member portrait is an actual image. Something which
is nicely exploited by the spam we've been seeing lately on Plone sites.

That's a good point indeed but maybe just one more thing to
educate people when it comes to best practices regarding
dev boxes versus production sites.

I could live with PIL being required but I would also
like to hear opinions from those who didn't comment
on this yet.

Just my 2 cents

Raphael
Wichert.



_______________________________________________
Framework-Team mailing list
Framework-Team@lists.plone.org
http://lists.plone.org/mailman/listinfo/framework-team
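
The sanity check discussed in the thread, as an added example that is not Plone's own code: PIL stays an optional import, but when it is missing the portrait check fails closed instead of accepting unparsed uploads. The function name, size cap, format allowlist and sample payloads are assumptions constructed for illustration, and the code assumes a current Python with Pillow providing the `PIL` namespace.

```python
import io
import struct
import zlib

try:
    from PIL import Image  # optional dependency, as debated in the thread
    HAVE_PIL = True
except ImportError:
    HAVE_PIL = False

MAX_BYTES = 512 * 1024                    # assumed upload cap
ALLOWED_FORMATS = {"PNG", "JPEG", "GIF"}  # assumed allowlist


def is_real_image(data):
    """True only if PIL parses `data` as an allowed image format."""
    if not HAVE_PIL:
        return False  # fail closed: never store a portrait nobody parsed
    if not data or len(data) > MAX_BYTES:
        return False
    try:
        img = Image.open(io.BytesIO(data))  # identifies format from content
        fmt = img.format
        img.verify()                        # integrity check, no pixel decode
    except Exception:
        return False                        # unidentified, truncated or corrupt
    return fmt in ALLOWED_FORMATS


def make_png():
    """Constructed 1x1 grayscale PNG used as sample input."""
    def chunk(tag, body):
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


# Constructed samples: spam markup, spam behind a PNG signature, damaged PNG.
SPAM = b"<html><a href='http://spam.example/'>pills</a></html>"
DISGUISED = b"\x89PNG\r\n\x1a\n" + SPAM
PNG = make_png()
DAMAGED = PNG[:-13] + bytes([PNG[-13] ^ 0xFF]) + PNG[-12:]

if __name__ == "__main__":
    for name in ("SPAM", "DISGUISED", "DAMAGED", "PNG"):
        print(name, is_real_image(globals()[name]))
```

Without PIL every sample is rejected, including the valid PNG, which is the trade-off of failing closed on a site that does not install it.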
