[Zope-dev] 3rd party product migrations

2005-08-26 Thread Alan Milligan

Hi,

We're now migrating our product stack to Zope2.8/Plone2.1 and have been
considering how best to proceed with this.

We have one overriding objective in that we're very interested in
reducing the window between core releases and third party developers
making new releases both now and into the future.

To this end, we've set up a development channel, synonymous with Rawhide
for those familiar with Redhat/Fedora release management practices.
Using yum or up2date, you can access this channel at
https://linux.last-bastion.net/RPC2/up2date/development to transparently
upgrade to the latest core.  We will be producing regular releases of
things Zope and Plone into the future here.

At this stage, you do need to create an account on the portal as you
need to be Authenticated to download.

The Zope2.8/Plone2.1 packages happily sit alongside older installations.

If you're an author of anything on
https://linux.last-bastion.net/RPC2/up2date/plope, we're particularly
keen upon getting you involved.

If you've a Plope product you'd like to get put on this channel, then
please do feel free to contact us.  We're hoping to grow the list of
successfully migrated packages as quickly as possible.

We of course realise that the Zope and Plone landscape is diverse, both
in terms of finding source code, and operating system environments, but
if you're even remotely interested in packaging, or have something to
say, please feel free to subscribe to
[EMAIL PROTECTED]

Cheers, Alan

___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )


[Zope-dev] Re: Puzzling change to guarded_getitem in Zope 2.8

2005-08-26 Thread Tres Seaver

Richard Jones wrote:
> On Fri, 26 Aug 2005 10:00 am, Richard Jones wrote:
>
>> I'm migrating our 2.7-developed Product to 2.8. The following change has me
>> puzzled. In 2.7, AccessControl.ZopeGuards guarded_getitem has the
>> following code:
>
> OK, Tres made the change, with the relevant bit of the log message being:
>
> Iteration over sequences could in some cases fail to check access
> to an object obtained from the sequence. Subsequent checks (such
> as for attributes access) of such an object would still be
> performed, but it should not have been possible to obtain the
> object in the first place.
>
> List and dictionary instance methods such as the get method of
> dictionary objects were not security aware and could return an
> object without checking access to that object. Subsequent checks
> (such as for attributes access) of such an object would still be
> performed, but it should not have been possible to obtain the
> object in the first place.
>
> So I presume that the change *intended* to move the onus of validation from
> the guarded_getitem method to the __getitem__ method of the container? No
> more trusted access to custom (ie. not builtin) sequence/mapping objects?

Disclaimer:  while I committed those changes, they were the result of a
month-long audit by most of ZC's staff in December 2003;  my memory of
the rationale for each change is thus extra suspect.

IIRC, the decision was that the ability to enforce access based on key
(rather than attribute name) was an accidental artifact;  further, that
passing the key as 'name' to validate caused a bunch of other weird side
effects, which all went away if we passed 'None', as originally intended
for checks on __getitem__.


Tres.
--
Tres Seaver  +1 202-558-7113  [EMAIL PROTECTED]
Palladion Software   Excellence by Design   http://palladion.com


[Zope-dev] Re: Move Zope trunk to ZODB 3.5

2005-08-26 Thread Tim Peters
Heads up!  If you have a Zope trunk checkout, you'll need to
recursively delete directory lib/python/Persistence before an update
will succeed.  If you try to update before deleting that directory,
you'll see something like:

Failed to add directory 'lib/python/Persistence': object of the same name
already exists.

You may also need to do svn cleanup and try again, if you don't
delete the directory before trying to update.

[Tim Peters]
> If there are no sane <wink> objections, I'd like to move Zope trunk to
> using ZODB 3.5 tomorrow (Friday). ...

This didn't happen.  There's a chicken-and-egg problem with
incorporating zpkg changes too, and that's probably going to wait for
a newer release of Five.

> A related change would happen soon after (probably also on Friday):
> the ExtensionClass-based Persistence package still lives in the ZODB
> part of the repository, despite that it can't even be compiled from a
> ZODB checkout (the prerequisite ExtensionClass implementation lives in
> the Zope part of the repository).  So the plan there is to remove the
> svn:externals stitching Persistence into Zope from ZODB, and move the
> Persistence package from ZODB trunk to Zope trunk.

That part did happen.  Removing the svn:externals line for Persistence
from Zope trunk's lib/python, followed by an ``svn move`` of the
Persistence package (from ZODB trunk to Zope trunk), caused the
headaches at the top of this message.  I'm afraid current SVN gets a
bit lost when switching from copies to externals, or vice versa.


Re: [Zope-dev] Puzzling change to guarded_getitem in Zope 2.8

2005-08-26 Thread Dieter Maurer
Richard Jones wrote at 2005-8-26 10:00 +1000:
> I'm migrating our 2.7-developed Product to 2.8. The following change has me
> puzzled. In 2.7, AccessControl.ZopeGuards guarded_getitem has the following
> code:
> ...
>     def guarded_getitem(object, index):
>         [ snip handling of slices ]
>         ...
>         v = object[index]
>         if Containers(type(object)) and Containers(type(v)):
>             # Simple type.  Short circuit.
>             return v
>         if getSecurityManager().validate(object, object, None, v):
>             return v
>         raise Unauthorized, 'unauthorized access to element %s' % `i`
>
> where index has become None. This would appear to imply that we can't
> perform access controls on a per-item basis in sequences or mappings, unless
> we do so in the actual __getitem__ method

I remember a posting from Jim (Fulton) where he pointed out
that this (access control for individual items based on their name)
is no longer supported.
I conclude that the change you see was on purpose (although I do not
see *why* Jim removed this possibility).


-- 
Dieter
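
Added example, not part of any poster's message and not Zope's AccessControl code: a simplified model of the behaviour discussed in the guarded_getitem thread above, showing why a name-based rule stops firing once None is passed as the name and how a container can keep per-key control in its own __getitem__. ToyPolicy, KeyCheckedMapping and is_readable are hypothetical names; the container-type short circuit from the quoted snippet is omitted.

```python
class Unauthorized(Exception):
    pass

class ToyPolicy:
    """Constructed policy: denies any lookup whose *name* is in `denied`."""
    def __init__(self, denied):
        self.denied = set(denied)
        self.seen_names = []      # every name the policy was asked about

    def validate(self, accessed, container, name, value):
        # Same argument order as the validate() call in the quoted snippet.
        self.seen_names.append(name)
        return name not in self.denied

def guarded_getitem_27(policy, obj, index):
    """2.7-style as described in the thread: the key is passed as `name`."""
    v = obj[index]
    if policy.validate(obj, obj, index, v):
        return v
    raise Unauthorized("unauthorized access to element %r" % (index,))

def guarded_getitem_28(policy, obj, index):
    """2.8-style: `name` is None, so the policy never sees the key."""
    v = obj[index]
    if policy.validate(obj, obj, None, v):
        return v
    raise Unauthorized("unauthorized access to element %r" % (index,))

class KeyCheckedMapping(dict):
    """Hypothetical container enforcing per-key rules in __getitem__."""
    def __init__(self, data, allowed_keys):
        super().__init__(data)
        self.allowed_keys = set(allowed_keys)

    def __getitem__(self, key):
        if key not in self.allowed_keys:
            raise Unauthorized("key %r is not readable" % (key,))
        return super().__getitem__(key)

def is_readable(getitem, policy, obj, key):
    """True if the guarded lookup returns, False if it raises Unauthorized."""
    try:
        getitem(policy, obj, key)
        return True
    except Unauthorized:
        return False
```

When migrating a product that relied on key-based rules, the thing to audit is every custom sequence or mapping whose protection lived only in the policy: under the 2.8-style call those rules silently stop applying unless the container checks the key itself.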