October 2000 - Zope-Announce

October 25th Zope Weekly News
by emf 26 Oct '00

26 Oct '00

Thanks to community reviewers of the Zope Book, Zope has a Process, Replicating ZEO Servers, XHTML comingles with HiperDOM, and silly cloak and daggers stuff, all in this week's ZWN. The opinions expressed in Zope Weekly news are solely the authors', and not the opinions of Digital Creations, The Zope Community at-large, or the Spanish Inquisition. If you or your company are doing something cool with zope, "submit it to the Zope Weekly News", mailto:zope-web@zope.org for possible inclusion. And Now For Something Completely Different: <hr NOSHADE SIZE="0" WIDTH=95%> Documentation by Michel Pelletier No time really to write a comprehensive report, we're in the final crunch! I would however like to take a moment to recognize our official community technical reviewers: o Tom Deprez o Dwayne Morrison o Kathy Hester o Michael Bernstein o Bill Anderson o Tom Deprez Thanks to everyone who volunteered to become an O'Reilly reviewer. We wish we could have picked you all; everyone was very qualified. Screenshots are one their way! --- Zope Status by Brian Lloyd Summary Projects and Process Recent News Last week saw some new active projects added to dev.zope.org. Jeffrey Shell's "Write Locking" project will add some missing infrastructure to support DAV-aware Web tools that require DAV locking support on the server. Jim Fulton added the "ZEO Storage Replication" project, which will allow "distributed commit" and prevent ZEO storage servers from being a single point of failure. If you enjoy playing in the deep end of the pool, check this project out! :^) The project formerly known as "XHTMLTemplates" has now been changed to "HiperDom Templates" in the active projects area - Hiperlogica will be taking the lead on this and we at DC will be working closely with them to put this project on the fast track. Zopistas interested in this project to add XMLC-like templating to Zope should visit the new HiperDom development home and get their licks in now while the requirements are being formalized. Though I talked about this last week, Michel has released alpha one of the "upcoming Zope book", http://www.zope.org/Members/michel/ZB/ Now is the time to get him your feedback. Documentation has been an albatross for Zope for a long time and this book is a huge opportunity to rectify that - please do your part in making it the best it can be by taking an early look and contributing your thoughts or concerns! Near Future I have a todo list for a 2.2.3 release (expect that in the next few weeks). Work will also be proceeding on several of the items on the Zope 2.3 plan (which is available on dev.zope.org) We have also recently done an internal review of how things have been going on dev.zope.org and identified some general problems that we want to fix. A big one is the difficulty of finding out what is going on and what the status of various things are "at a glance". Lisa Reushling who recently joined the DC team will be working on streamlining the site and the process on dev.zope.org. --- Zope Web -- by Ethan Fremen Mission Quite Improbable I am deeply engaged in a stealth mission. I could tell you more, but then I'd have to kill you. -EOT-

1 0

PythonMethods plus Unicode
by Toby Dickenson 19 Oct '00

19 Oct '00

You may be familiar with my patches to make it easy to use Unicode content in Zope. Here is a similar patch for PythonMethods: <http://www.zope.org/Members/htrd/wstring/PythonMethods> Please enjoy, Toby Dickenson tdickenson(a)geminidataloggers.com

1 0

Zope Weekly News for October 18th
by ethan mindlace fremen 18 Oct '00

18 Oct '00

New PTK Release, Zope Book gets feedback, How to control access on a protocol basis, WriteLocking proposal, XHTMLTemplate and HiperDOM, Membership, and docs get organized on Zope.org. The opinions expressed in Zope Weekly news are solely the authors', and not the opinions of Digital Creations, The Zope Community at-large, or the Spanish Inquisition. If you or your company are doing something cool with zope, "submit it to the Zope Weekly News", mailto:zope-web@zope.org for possible inclusion. And Now For Something Completely Different: --- Documentation by Michel Pelletier The response to book's alpha release was spectacular, with people sending us many great comments. We're listening! The book is improving every day, and very, very soon we plan on handing over *the complete technical draft* to O'Reilly! As allways, "keep reading", http://www.zope.org/Members/michel/ZB/ and "keep sending us comments", mailto:docs@digicool.com and we'll keep listening. Many people have send us mail asking for PDF versions of the book, this is planned, but at the moment the code isn't in place yet to output PDF from structured text, so it will be a while. We hope you can be patient with us because we're really busy making this a good book and we don't have all the time to make the HTML look much better than it does or to produce PDF documentation. Also, lots of people have sent us mail about the screenshots on the book, yes, we know they look pretty bad in Netscape (fine in Mozilla, though) but all of the existing screenshots are going to be thrown away soon anyway and a whole new set of them will be done for the book, so once again, we ask for your patience and suggest maybe trying out Mozilla (which we will hopefully be using for the new screenshots!) if it really bugs you. --- Zope Status by Brian Lloyd Summary A busy week in the Fishbowl Recent News Last week was a busy one. Evan scoped out a hole in subscript-notation support in ObjectManagers that required a Hotfix release :( Jeffrey Shell refined his WriteLocking proposal (to support DAV-aware Web tools that require DAV locking support). Shane Hathaway is putting on the sleuth hat to track down some reports of oddities with ZClasses when upgrading sites to 2.2+. Debate continues to simmer on the zope-dev list on the right way to control access to objects from various protocols - it is a hard problem and there are several viewpoints on this. This is something that we should ponder for the notional Zope 3. Also on dev.zope.org Monty Taylor is working on a proposal for implementing stored procedure support for the Oracle DA. Hopefully this will eventually lead to a more general interface that other DAs could implement. On a somewhat belated note, Michel has released alpha one of the upcoming Zope book: http://www.zope.org/Members/michel/ZB/ Now is the time to get him your feedback. Documentation has been an albatross for Zope for a long time and this book is a huge opportunity to rectify that - please do your part in making it the best it can be by taking an early look and contributing your thoughts or concerns! Near Future We are still planning to supercede the XHTMLTemplate project on dev.zope.org with the HiperDOM project - Martijn will be working to get the project updated and herd interested parties to the new development home. There are a number of outstanding issues that we want to address soon with a 2.2.3 release - we are still in the process of investigating and reproducing some of the issues, but I would expect that this will happen in the next few weeks. --- State of the PTK, 2000/10/17 * Michael Bernstein (mbernstein(a)profitscape.com) has made significant progress in his quest to re-integrate the Membership product with the PTK, especially in the area of listing members: - http://lists.zope.org/pipermail/zope-ptk/2000-September/001753.html - http://lists.zope.org/pipermail/zope-ptk/2000-September/001758.html * Bill Anderson <bill(a)noreboots.com> "announced", http://lists.zope.org/pipermail/zope-ptk/2000-October/001761.html that he was very selfishly taking time off from responding to list traffic, including messages about his Membership product, in order to get married! :) Congratulations and best wishes from the PTK community abound! * Tres Seaver "released version 0.9.0", http://lists.zope.org/pipermail/zope-ptk/2000-October/001797.html of the PTK. "...and there was much rejoicing". * Tres then had to "pull one of the tarballs of the release", http://lists.zope.org/pipermail/zope-ptk/2000-October/001798.html because the "distribution tab" products for Wizard and DemoPortal depend on a stock ZClass (Products.OFSP._ZClass_for_DTMLMethod) which is not created at import time, but at product initialization time. Tres has "submitted a patch", http://classic.zope.org:8080/Collector/Collector/1687/view for this problem to the Zope Collector, but in the meanwhile, the distribution tab versions are not useful. * Bjorn Stabell <bjorn(a)exoweb.net> posted an "insightful summary": http://lists.zope.org/pipermail/zope-ptk/2000-October/001801.html of the issues involved in distributing part of the PTK as "through-the-web" software (i.e., DemoPortal). * Phillip Eby (pje(a)telecommunity.com) "announced new ZPatterns documentation", http://lists.zope.org/pipermail/zope-ptk/2000-October/001806.html including explanations of triggers and rules and a completed SkinScript reference. PTK Tracker Vitals, 2000/10/17 (since 2000/09/25) Here is is the current state of the tracker:: Type / Status New Closed Current Bug Reports 4 20 11 Feature/Doc Requests 0 5 9 --- Zope Web -- by Ethan Fremen Find The Docs The ZDP folks are really taking off. They've categorized all the how-tos and tips, and we're getting set to roll out with a new Documentation guide. Itamar Shull-Turing has already written a "Guide to Documentation for Developers", http://www.zope.org/Members/itamar/LearningZope which will be used in the creation of the documentation guide. -EOT-

1 0

new LocalFS release: 0.9.6
by Jonothan Farr 17 Oct '00

17 Oct '00

Changes v0.9.6 - Fixed saving large File and Image objects. - Added ZCatalog support. http://www.zope.org/Members/jfarr/Products/LocalFS/ --jfarr

1 0

Zope Hotfix: ObjectManager subscripting
by ethan mindlace fremen 11 Oct '00

11 Oct '00

This hotfix addresses an important security issue that affects Zope versions up to and including Zope 2.2.2. The issue involves the fact that the 'subscript notation' that can be used to access items of ObjectManagers (Folders) did not correctly restrict return values to only actual sub items. This made it possible to access names that should be private from DTML (objects with names beginning with the underscore '_' character). This could allow DTML authors to see private implementation data structures and in certain cases possibly call methods that they shouldn't have access to from DTML. While we know of no instances of this issue being used to exploit a site, we recommend that any Zope 2.2.x site that allows DTML to be edited by untrusted users apply this Hotfix. http://www.zope.org/Products/Zope/Hotfix_2000-10-11/Hotfix_2000-10-11.tgz The hotfix will work for all versions of Zope 2.2.0 and higher. A future version of Zope will contain the fix for this issue, and you will be able to uninstall the hot fix after upgrading.

1 0

Updated Compilation of Zope Howtos and Tips
by Alexandre Ratti 08 Oct '00

08 Oct '00

Hello, I updated the compilations of Zope Howtos and Tips in PDF format. The new PDF files contain 227 Howtos and 75 Tips. You can download them from here: <http://www.zope.org/Members/AlexR/ZopeDocs/> Secondary download site (where uncompressed PDFs are also available): <http://alexandre.ratti.free.fr/ZopeDocs/> Cheers. Alexandre

1 0

Hotfix_2000-10-02
by Shane Hathaway 02 Oct '00

02 Oct '00

http://www.zope.org/Products/Zope/Hotfix_2000-10-02/Hotfix_2000-10-02.tar.gz This hotfix addresses an important security issue that affects Zope versions 2.2.0, 2.2.1, and 2.2.2. It is sometimes possible to access, through a URL only, objects protected by a role which the user has in some context, but not in the context of the accessed object. Currently, the validate() method of all known user folder implementations validates against the users' roles in the context of PARENTS[0]. PARENTS[0] refers to the acquisition context of the object being published. All security checks, however, should check an object's containment, not its acquisition context. validate(), therefore, needs to verify the user's roles in the context of the object being published. This hotfix forces that to occur by temporarily leaving the object at PARENTS[0] then removing it after validation has been performed. Unfortunately, this is not an ideal correction. In the near future all user folder validate() implementations need to perform security checks using the new Zope security policy subsystem. Until that is completed, this hotfix should close the security problem. While we know of no instances of this issue being used to exploit a site, we recommend that any Zope 2.2.x site that is accessible by untrusted clients have this hotfix product installed to mitigate the issue. The hotfix will work for all versions of Zope 2.2.0 and higher. A future version of Zope will contain the fix for this issue, and you will be able to uninstall the hot fix after upgrading.

1 0

Linux New Media Award (Readers Choice 2000)
by Maik Roeder 01 Oct '00

01 Oct '00

Hi Zopers ! It would be great if many people would vote for Zope at the Linux New Media Award on the Linux Community site: http://www.linux-community.de/News/story?storyid=349 (It's a german Linux site, and you'll have to first create an account to be able to vote.) Thanks for your support. Best regards, Maik Röder -- Uzopia - Digging la vida Zopa - http://uzopia.editthispage.com

1 0