Thanks to community reviewers of the Zope Book, Zope has a
Process, Replicating ZEO Servers, XHTML comingles with HiperDOM,
and silly cloak and daggers stuff, all in this week's ZWN.
The opinions expressed in Zope Weekly news are solely the authors',
and not the opinions of Digital Creations, The Zope Community
at-large, or the Spanish Inquisition.
If you or your company are doing something cool with zope,
"submit it to the Zope Weekly News",
mailto:zope-web@zope.org
for possible inclusion.
And Now For Something Completely Different:
---
Documentation
by Michel Pelletier
No time really to write a comprehensive report, we're in the final
crunch!
I would however like to take a moment to recognize our official
community technical reviewers:
o Tom Deprez
o Dwayne Morrison
o Kathy Hester
o Michael Bernstein
o Bill Anderson
o Tom Deprez
Thanks to everyone who volunteered to become an O'Reilly reviewer. We
wish we could have picked you all; everyone was very qualified.
Screenshots are on their way!
---
Zope Status
by Brian Lloyd
Summary
Projects and Process
Recent News
Last week saw some new active projects added to dev.zope.org.
Jeffrey Shell's "Write Locking" project will add some missing
infrastructure to support DAV-aware Web tools that require DAV
locking support on the server.
Jim Fulton added the "ZEO Storage Replication" project, which
will allow "distributed commit" and prevent ZEO storage servers
from being a single point of failure. If you enjoy playing in the
deep end of the pool, check this project out! :^)
The project formerly known as "XHTMLTemplates" has now been changed
to "HiperDom Templates" in the active projects area - Hiperlogica
will be taking the lead on this and we at DC will be working closely
with them to put this project on the fast track. Zopistas interested
in this project to add XMLC-like templating to Zope should visit the
new HiperDom development home and get their licks in now while the
requirements are being formalized.
Though I talked about this last week, Michel has released alpha one
of the "upcoming Zope book",
http://www.zope.org/Members/michel/ZB/
Now is the time to get him your feedback. Documentation has been an
albatross for Zope for a long time and this book is a huge opportunity
to rectify that - please do your part in making it the best it can be
by taking an early look and contributing your thoughts or concerns!
Near Future
I have a todo list for a 2.2.3 release (expect that in the next
few weeks). Work will also be proceeding on several of the items
on the Zope 2.3 plan (which is available on dev.zope.org).
We have also recently done an internal review of how things have
been going on dev.zope.org and identified some general problems
that we want to fix. A big one is the difficulty of finding out
what is going on and what the status of various things is "at a
glance". Lisa Reushling, who recently joined the DC team, will be
working on streamlining the site and the process on dev.zope.org.
---
Zope Web
-- by Ethan Fremen
Mission Quite Improbable
I am deeply engaged in a stealth mission. I could tell
you more, but then I'd have to kill you.
-EOT-
You may be familiar with my patches to make it easy to use Unicode
content in Zope. Here is a similar patch for PythonMethods:
<http://www.zope.org/Members/htrd/wstring/PythonMethods>
Please enjoy,
Toby Dickenson
tdickenson(a)geminidataloggers.com
New PTK Release, Zope Book gets feedback, How to control access on a
protocol basis, WriteLocking proposal, XHTMLTemplate and HiperDOM,
Membership, and docs get organized on Zope.org.
The opinions expressed in Zope Weekly news are solely the authors',
and not the opinions of Digital Creations, The Zope Community
at-large, or the Spanish Inquisition.
If you or your company are doing something cool with zope,
"submit it to the Zope Weekly News",
mailto:zope-web@zope.org
for possible inclusion.
And Now For Something Completely Different:
---
Documentation
by Michel Pelletier
The response to the book's alpha release was spectacular, with
people sending us many great comments. We're listening!
The book is improving every day, and very, very soon we
plan on handing over *the complete technical
draft* to O'Reilly!
As always, "keep reading",
http://www.zope.org/Members/michel/ZB/
and "keep sending us comments",
mailto:docs@digicool.com
and we'll keep listening.
Many people have sent us mail asking for PDF versions of
the book, this is planned, but at the moment the code
isn't in place yet to output PDF from structured text, so
it will be a while. We hope you can be patient with us
because we're really busy making this a good book and we
don't have all the time to make the HTML look much better
than it does or to produce PDF documentation.
Also, lots of people have sent us mail about the
screenshots on the book, yes, we know they look pretty
bad in Netscape (fine in Mozilla, though)
but all of the existing screenshots are going to be thrown
away soon anyway and a whole new set of them will be done
for the book, so once again, we ask for your patience and
suggest maybe trying out Mozilla (which we will hopefully
be using for the new screenshots!) if it really bugs you.
---
Zope Status
by Brian Lloyd
Summary
A busy week in the Fishbowl
Recent News
Last week was a busy one. Evan scoped out a hole in subscript-notation
support in ObjectManagers that required a Hotfix release :( Jeffrey
Shell refined his WriteLocking proposal (to support DAV-aware Web
tools that require DAV locking support). Shane Hathaway is putting on
the sleuth hat to track down some reports of oddities with ZClasses
when upgrading sites to 2.2+.
Debate continues to simmer on the zope-dev list on the right way to
control access to objects from various protocols - it is a hard
problem and there are several viewpoints on this. This is something
that we should ponder for the notional Zope 3.
Also on dev.zope.org Monty Taylor is working on a proposal for
implementing stored procedure support for the Oracle DA. Hopefully
this will eventually lead to a more general interface that other
DAs could implement.
On a somewhat belated note, Michel has released alpha one of the
upcoming Zope book:
http://www.zope.org/Members/michel/ZB/
Now is the time to get him your feedback. Documentation has been an
albatross for Zope for a long time and this book is a huge opportunity
to rectify that - please do your part in making it the best it can be
by taking an early look and contributing your thoughts or concerns!
Near Future
We are still planning to supersede the XHTMLTemplate project on
dev.zope.org with the HiperDOM project - Martijn will be working
to get the project updated and herd interested parties to the new
development home.
There are a number of outstanding issues that we want to address
soon with a 2.2.3 release - we are still in the process of
investigating and reproducing some of the issues, but I would expect
that this will happen in the next few weeks.
---
State of the PTK, 2000/10/17
* Michael Bernstein (mbernstein(a)profitscape.com) has made significant
progress in his quest to re-integrate the Membership product with
the PTK, especially in the area of listing members:
- http://lists.zope.org/pipermail/zope-ptk/2000-September/001753.html
- http://lists.zope.org/pipermail/zope-ptk/2000-September/001758.html
* Bill Anderson <bill(a)noreboots.com> "announced",
http://lists.zope.org/pipermail/zope-ptk/2000-October/001761.html
that he was very selfishly taking time off from responding to list
traffic, including messages about his Membership product, in order
to get married! :) Congratulations and best wishes from the PTK
community abound!
* Tres Seaver "released version 0.9.0",
http://lists.zope.org/pipermail/zope-ptk/2000-October/001797.html
of the PTK. "...and there was much rejoicing".
* Tres then had to "pull one of the tarballs of the release",
http://lists.zope.org/pipermail/zope-ptk/2000-October/001798.html
because the "distribution tab" products for Wizard and DemoPortal
depend on a stock ZClass (Products.OFSP._ZClass_for_DTMLMethod) which
is not created at import time, but at product initialization time.
Tres has "submitted a patch",
http://classic.zope.org:8080/Collector/Collector/1687/view
for this problem to the Zope Collector, but in the meanwhile, the
distribution tab versions are not useful.
* Bjorn Stabell <bjorn(a)exoweb.net> posted an "insightful summary":
http://lists.zope.org/pipermail/zope-ptk/2000-October/001801.html
of the issues involved in distributing part of the PTK as
"through-the-web" software (i.e., DemoPortal).
* Phillip Eby (pje(a)telecommunity.com) "announced new ZPatterns
documentation",
http://lists.zope.org/pipermail/zope-ptk/2000-October/001806.html
including explanations of triggers and rules and a completed
SkinScript reference.
PTK Tracker Vitals, 2000/10/17 (since 2000/09/25)
Here is the current state of the tracker::
Type / Status          New  Closed  Current
Bug Reports              4      20       11
Feature/Doc Requests     0       5        9
---
Zope Web
-- by Ethan Fremen
Find The Docs
The ZDP folks are really taking off. They've categorized
all the how-tos and tips, and we're getting set to roll
out with a new Documentation guide. Itamar Shull-Turing
has already written a "Guide to Documentation for Developers",
http://www.zope.org/Members/itamar/LearningZope
which will be used in the creation of the documentation
guide.
-EOT-
This hotfix addresses an important security issue that affects Zope
versions up to and including Zope 2.2.2.
The issue involves the fact that the 'subscript notation' that can be
used to access items of ObjectManagers (Folders) did not correctly
restrict return values to only actual sub items. This made it possible
to access names that should be private from DTML (objects with names
beginning with the underscore '_' character). This could allow DTML
authors to see private implementation data structures and in certain
cases possibly call methods that they shouldn't have access to from
DTML.
While we know of no instances of this issue being used to exploit a
site, we recommend that any Zope 2.2.x site that allows DTML to be
edited by untrusted users apply this Hotfix.
http://www.zope.org/Products/Zope/Hotfix_2000-10-11/Hotfix_2000-10-11.tgz
The hotfix will work for all versions of Zope 2.2.0 and higher. A future
version of Zope will contain the fix for this issue, and you will be
able to uninstall the hot fix after upgrading.
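The subscript-notation issue described in the hotfix announcement above, as an added example that is not part of the original post and is not Zope source code: a simplified model in which `LeakyFolder`, `StrictFolder`, `reachable` and `exposed_private_names` are hypothetical names and the stored values are constructed samples.

```python
# Simplified model of the subscript-notation issue; not Zope source code.
class LeakyFolder:
    """Folder whose subscript access falls through to any attribute."""

    def __init__(self):
        self._objects = []  # ids of the real sub-items
        self._secret_config = {"db_password": "constructed-sample"}

    def add(self, name, obj):
        if name.startswith("_"):
            raise ValueError("sub-item ids may not start with '_'")
        self._objects.append(name)
        setattr(self, name, obj)

    def __getitem__(self, key):
        # Defect: any attribute name resolves, private names and methods included.
        try:
            return getattr(self, key)
        except AttributeError:
            raise KeyError(key) from None


class StrictFolder(LeakyFolder):
    """Same storage, but subscripting only returns registered sub-items."""

    def __getitem__(self, key):
        if key not in self._objects:
            raise KeyError(key)
        return getattr(self, key)


def reachable(folder, key):
    """True if folder[key] resolves, False if it raises KeyError."""
    try:
        folder[key]
        return True
    except KeyError:
        return False


def exposed_private_names(folder):
    """Underscore-prefixed instance attributes reachable through folder[...]."""
    return sorted(n for n in vars(folder)
                  if n.startswith("_") and reachable(folder, n))
```
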
Hello,
I updated the compilations of Zope Howtos and Tips in PDF format.
The new PDF files contain 227 Howtos and 75 Tips.
You can download them from here:
<http://www.zope.org/Members/AlexR/ZopeDocs/>
Secondary download site (where uncompressed PDFs are also available):
<http://alexandre.ratti.free.fr/ZopeDocs/>
Cheers.
Alexandre
http://www.zope.org/Products/Zope/Hotfix_2000-10-02/Hotfix_2000-10-02.tar.gz
This hotfix addresses an important security issue that affects
Zope versions 2.2.0, 2.2.1, and 2.2.2.
It is sometimes possible to access, through a URL only, objects
protected by a role which the user has in some context, but not
in the context of the accessed object.
Currently, the validate() method of all known user folder
implementations validates against the users' roles in the context
of PARENTS[0]. PARENTS[0] refers to the acquisition context of the
object being published. All security checks, however, should check
an object's containment, not its acquisition context.
validate(), therefore, needs to verify the user's roles in the
context of the object being published. This hotfix forces that to
occur by temporarily leaving the object at PARENTS[0] then
removing it after validation has been performed.
Unfortunately, this is not an ideal correction. In the near future
all user folder validate() implementations need to perform security
checks using the new Zope security policy subsystem. Until that is
completed, this hotfix should close the security problem.
While we know of no instances of this issue being used to exploit a
site, we recommend that any Zope 2.2.x site that is accessible by
untrusted clients have this hotfix product installed to mitigate the
issue.
The hotfix will work for all versions of Zope 2.2.0 and higher. A
future version of Zope will contain the fix for this
issue, and you will be able to uninstall the hot fix after upgrading.
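The difference between validating roles in the acquisition context and in the containment context, as described in the hotfix announcement above, shown as an added example that is not part of the original post and is not Zope source code. `Node`, `traverse`, `roles_in`, the two `validate_*` functions and the site layout in `build_site` are hypothetical, and the user and folder names are constructed.

```python
# Toy model of acquisition vs. containment role checks; not Zope source code.
class Node:
    def __init__(self, name, container=None, local_roles=None):
        self.name = name
        self.container = container            # physical (containment) parent
        self.local_roles = local_roles or {}  # user -> set of role names
        self.children = {}
        if container is not None:
            container.children[name] = self


def traverse(root, path):
    """Resolve a URL path with acquisition-style lookup.

    Returns (published object, acquisition parent), the latter standing in
    for PARENTS[0] in the announcement."""
    obj, parent = root, None
    for step in path.strip("/").split("/"):
        holder = obj
        while holder is not None and step not in holder.children:
            holder = holder.container         # acquire from enclosing folders
        if holder is None:
            raise KeyError(step)
        parent, obj = obj, holder.children[step]
    return obj, parent


def roles_in(user, node):
    """Roles the user holds at node, including those set on its containers."""
    roles = set()
    while node is not None:
        roles |= node.local_roles.get(user, set())
        node = node.container
    return roles


def validate_acquisition(user, obj, acq_parent, required):
    # Behaviour described as the problem: roles taken from the URL context.
    return required in roles_in(user, acq_parent)


def validate_containment(user, obj, acq_parent, required):
    # Behaviour the announcement asks for: roles taken from where obj lives.
    return required in roles_in(user, obj)


def build_site():
    """Constructed layout: alice is Manager only inside /sandbox."""
    root = Node("root")
    Node("sandbox", root, {"alice": {"Manager"}})
    Node("admin_panel", root)
    return root
```
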
Hi Zopers !
It would be great if many people would vote for Zope at the
Linux New Media Award on the Linux Community site:
http://www.linux-community.de/News/story?storyid=349
(It's a German Linux site, and you'll have to first create an account
to be able to vote.)
Thanks for your support.
Best regards,
Maik Röder
--
Uzopia - Digging la vida Zopa - http://uzopia.editthispage.com