and results in too little of an integrity gain to make it the default.
That statement gave me something to think about. Indeed, as I had described it there is little to be gained. In practice, I share administrative users between instances. The security gain is that different instances can use the same product source code, without the risk of a compromise spreading between instances.
Indeed, I don't think that works in your proposal. Zope needs to write inituser while it is running, if that file is ever to be of use. I also think it's unlikely we would want to lock the 'access' file so tightly.
Yes, I'd forgotten about that. inituser is just deleted after it's merged into the ZODB, right? Then it should probably go somewhere in the VARDIR/zope/INSTANCE hierarchy.
It sounds like almost everything is going into VARDIR now, except the source which is elsewhere. If the data.fs is stored in a directory VARDIR/zope/INSTANCE/var then the whole setup looks very much like the traditional INSTANCE_HOME system ;-)
I am thinking of making a wiki re all this... good idea?
mmmmm.