-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Martijn Faassen wrote:
Malthe Borch wrote:
Martijn Pieters wrote:
I object as well, and have asked for Malthe to provide his reasoning here at the Plone Performance Sprint in Bristol, but so far his only motivation is that he wants to see if he can get this to work without a C-extension. I am sceptical he'll be able to, and am not convinced it'll be worth introducing risks. The obvious motivation for this is to:
* Reduce code complexity * Allow operation in a pure-Python environment
As for cons, any change is a risk and I believe the concensus seen in this thread is that it outweighs the above mentioned motivation.
Allowing operation in a pure-Python environment is a worthwhile goal, which I support.
Unless it can be clearly demonstrated that the new method is equivalent in both performance and security, talk of dropping the C extension seems somewhat premature. A pure Python fallback for this module would however be interesting to everybody, I think.
My suspicion from observing the discussions in this thread so far indicate that a drop in code complexity doesn't seem to be a necessary consequence of rewriting to Python either.
I question the *actual* security benefits of making the message IDs truly read-only: I think the real intent is to avoid a common class of programming error, rather than to keep Black Hats out. For that side of the problem, we could use read-only properties for the data, and used something like the '__' prefix for the real backing-store attributes, then only folks who were being silly would ever change them. This is Python, after all: "we're all grownups" should apply. I'm willing to be shown wrong, of course, but I want to see a non-hypothetical attack vector which doesn't involve running trusted code from the filesystem. ;) (smiley because what other kind of code do we have in Z3 applications, anyway?) Tres. - -- =================================================================== Tres Seaver +1 540-429-0999 tseaver@palladion.com Palladion Software "Excellence by Design" http://palladion.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJQtrc+gerLs4ltQ4RAh6zAKC11lXsLS4aiLEmi97Bst5TXjemOQCeMx3R J4N59zGMJ4+hGY+bq4i8nEY= =Rplt -----END PGP SIGNATURE-----