Was: Re: 2.7.3 beta attribute permission problems
Tres, how severe is the problem that you have fixed? According to some rumors the fix seems to break applications. The question for Zope 2.7.3 final is: is the problem severe enough to have it fixed for 2.7.3 with the risk of causing trouble with broken applications or can we defer the fix to Zope 2.8?

Andreas
Andreas Jung wrote:
how severe is the problem that you have fixed? According to some rumors the fix seems to break applications. The question for Zope 2.7.3 final is: is the problem severe enough to have it fixed for 2.7.3 with the risk of causing trouble with broken applications or can we defer the fix to Zope 2.8?
-1.

I have yet to get a reproducible test case (one which breaks on 2.7-head but works on 2.7.2) from the examples folks have supplied. The bug which I was fixing is a security issue, reported against CMF, but also affecting Zope: http://zope.org/Collectors/CMF/259

Given that the change was required to implement a security fix, and without a reproducible test case for the reported breakage, I don't think we can credit the rumors. We *definitely* don't want to defer the security fix.

I will ask Jim to review this with me today.

Tres.

-- 
Tres Seaver tseaver@zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
--On Friday, 22 October 2004 8:38 -0400 Tres Seaver <tseaver@zope.com> wrote:
Andreas Jung wrote:
how severe is the problem that you have fixed? According to some rumors the fix seems to break applications. The question for Zope 2.7.3 final is: is the problem severe enough to have it fixed for 2.7.3 with the risk of causing trouble with broken applications or can we defer the fix to Zope 2.8?
-1.
I have yet to get a reproducible test case (one which breaks on 2.7-head but works on 2.7.2) from the examples folks have supplied. The bug which I was fixing is a security issue, reported against CMF, but also affecting Zope: http://zope.org/Collectors/CMF/259
Given that the change was required to implement a security fix, and without a reproducible test case for the reported breakage, I don't think we can credit the rumors. We *definitely* don't want to defer the security fix.
I will ask Jim to review this with me today.
I am not against the patch... I just need to know what the state of this issue is and what its implications are for the final 2.7.3 release :-)

Andreas
Andreas Jung wrote:
--On Friday, 22 October 2004 8:38 -0400 Tres Seaver <tseaver@zope.com> wrote:
Andreas Jung wrote:
how severe is the problem that you have fixed? According to some rumors the fix seems to break applications. The question for Zope 2.7.3 final is: is the problem severe enough to have it fixed for 2.7.3 with the risk of causing trouble with broken applications or can we defer the fix to Zope 2.8?
-1.
I have yet to get a reproducible test case (one which breaks on 2.7-head but works on 2.7.2) from the examples folks have supplied. The bug which I was fixing is a security issue, reported against CMF, but also affecting Zope: http://zope.org/Collectors/CMF/259
Given that the change was required to implement a security fix, and without a reproducible test case for the reported breakage, I don't think we can credit the rumors. We *definitely* don't want to defer the security fix.
I am not against the patch...I just need to know what the state of this issue is and what its implications are for the final 2.7.3 release :-)
OK, here is my take, rephrased: the patch is there to support an important security fix (see the link above). Without a reproducible test case (I've tried and failed to make Stefan's reproducible within the AccessControl tests), we should just go forward and release 2.7.3.

Applications which use 'setDefaultAccess("deny")' for their content objects may need to quit trying to acquire CMF tools implicitly (using 'getToolByName' instead, which is the preferred API anyway); that is the only case I know of which can be isolated.

Richard Jones reported an issue with the patch, but couldn't give us a simple case. Users who *have* such weird applications can reverse the patch, find workarounds, or whatever, until they can help us isolate the bug.

Tres.

-- 
Tres Seaver tseaver@zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
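The workaround Tres describes (look tools up with 'getToolByName' instead of acquiring them implicitly through a class declared with 'setDefaultAccess("deny")') as a runnable sketch. This is an added illustration, not code from Zope, CMF, or anyone in the thread: Node, Tool, ProtectedTool, DenyContent, build_site, the two-rule guarded_getattr and the root-walking getToolByName are deliberately simplified stand-ins (assumptions) that model only the default-access rule, not Zope's actual AccessControl policy. It shows why an undeclared tool reached through a default-deny content object is refused, why a tool with its own __roles__ is not affected, and why the explicit helper still works.

```python
"""Toy model of the default-access rule and the getToolByName workaround.

Added illustration, NOT code from Zope, CMF or anyone in the thread.
Assumption: the classes below and the two rules in guarded_getattr are a
simplified stand-in for AccessControl; real Zope has more cases (container
roles, acquisition-wrapper handling, dict-valued access flags) not modelled.
"""


class Unauthorized(Exception):
    pass


_noroles = object()  # marker: the value carries no explicit __roles__ declaration


class Node:
    """Object with a parent link; lookup falls back to the parents
    (a minimal stand-in for implicit acquisition)."""

    # security.setDefaultAccess('allow'), the default.
    __allow_access_to_unprotected_subobjects__ = 1

    def __init__(self, name, parent=None, **attrs):
        self.name = name
        self.parent = parent
        self.__dict__.update(attrs)

    def acquire(self, name):
        obj = self
        while obj is not None:
            if name in obj.__dict__:
                return obj.__dict__[name]
            obj = obj.parent
        raise AttributeError(name)


class Tool(Node):
    """A CMF-style tool with no __roles__ of its own: an 'unprotected subobject'."""

    def search(self, query):
        return [row for row in getattr(self, "rows", []) if query in row]


class ProtectedTool(Tool):
    """A tool that does declare who may access it."""
    __roles__ = ("Manager",)


class DenyContent(Node):
    """Content class declared with security.setDefaultAccess('deny');
    in Zope that declaration sets this flag to 0 on the class."""
    __allow_access_to_unprotected_subobjects__ = 0


def guarded_getattr(inst, name, user_roles=()):
    """Restricted-code attribute access, reduced to two rules:
    1. A value with an explicit __roles__ declaration is checked against it
       (None means public).
    2. A value with no declaration is allowed only if the *accessed* object
       permits access to unprotected subobjects."""
    value = inst.acquire(name)
    roles = getattr(value, "__roles__", _noroles)
    if roles is not _noroles:
        if roles is None or set(roles) & set(user_roles):
            return value
        raise Unauthorized("%r needs one of %r" % (name, roles))
    if not inst.__allow_access_to_unprotected_subobjects__:
        raise Unauthorized("%r acquired through %r, which denies unprotected subobjects"
                           % (name, inst.name))
    return value


def getToolByName(obj, name):
    """Trusted-code lookup: fetch the tool from the site root directly, so the
    content object's default-access flag never enters the decision.
    (The real CMF helper acquires via aq_get from trusted code; walking to
    the root is a simplification.)"""
    root = obj
    while root.parent is not None:
        root = root.parent
    if name not in root.__dict__:
        raise AttributeError(name)
    return root.__dict__[name]


def build_site():
    """Constructed sample tree: portal -> {portal_catalog, portal_membership, doc}."""
    portal = Node("portal")
    portal.portal_catalog = Tool("portal_catalog", parent=portal, rows=["a", "ab"])
    portal.portal_membership = ProtectedTool("portal_membership", parent=portal)
    doc = DenyContent("doc", parent=portal)
    return portal, doc


def implicit_lookup(obj, name, user_roles=()):
    """What restricted code such as `context.portal_catalog` gets."""
    try:
        guarded_getattr(obj, name, user_roles)
        return "allowed"
    except Unauthorized:
        return "denied"


def explicit_lookup(obj):
    """The recommended form: getToolByName(context, 'portal_catalog').search(...)."""
    return getToolByName(obj, "portal_catalog").search("a")


if __name__ == "__main__":
    portal, doc = build_site()
    print(implicit_lookup(doc, "portal_catalog"))                            # denied
    print(implicit_lookup(Node("folder", parent=portal), "portal_catalog"))  # allowed
    print(implicit_lookup(doc, "portal_membership", ("Manager",)))           # allowed
    print(explicit_lookup(doc))                                              # ['a', 'ab']
```

The point to take from the model is that "deny" only bites on subobjects without a declaration of their own, which is exactly what a plain tool acquired through content is; fetching the tool from trusted code sidesteps that check, while the tool's own methods remain governed by whatever they declare.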
On Sun, 24 Oct 2004 08:03 am, Tres Seaver wrote:
Richard Jones reported an issue with the patch, but couldn't give us a simple case. Users who *have* such weird applications can reverse the patch, find workarounds, or whatever, until they can help us isolate the bug.
I find this to be totally acceptable, BTW.

Richard
--On Sunday, 24 October 2004 12:09 +1000 Richard Jones <richard@commonground.com.au> wrote:
On Sun, 24 Oct 2004 08:03 am, Tres Seaver wrote:
Richard Jones reported an issue with the patch, but couldn't give us a simple case. Users who *have* such weird applications can reverse the patch, find workarounds, or whatever, until they can help us isolate the bug.
I find this to be totally acceptable, BTW.
Amen. 2.7.3 final will be released with Tres's changes.

Andreas
Tres Seaver wrote:
Andreas Jung wrote:
--On Friday, 22 October 2004 8:38 -0400 Tres Seaver <tseaver@zope.com> wrote:
Andreas Jung wrote:
how severe is the problem that you have fixed? According to some rumors the fix seems to break applications. The question for Zope 2.7.3 final is: is the problem severe enough to have it fixed for 2.7.3 with the risk of causing trouble with broken applications or can we defer the fix to Zope 2.8?
-1.
I have yet to get a reproducible test case (one which breaks on 2.7-head but works on 2.7.2) from the examples folks have supplied. The bug which I was fixing is a security issue, reported against CMF, but also affecting Zope: http://zope.org/Collectors/CMF/259
Given that the change was required to implement a security fix, and without a reproducible test case for the reported breakage, I don't think we can credit the rumors. We *definitely* don't want to defer the security fix.
I am not against the patch...I just need to know what the state of this issue is and what its implications are for the final 2.7.3 release :-)
OK, here is my take, rephrased: the patch is there to support an important security fix (see the link above). Without a reproducible test case (I've tried and failed to make Stefan's reproducible within the AccessControl tests), we should just go forward and release 2.7.3.
Applications which use 'setDefaultAccess("deny")' for their content objects may need to quit trying to acquire CMF tools implicitly (using 'getToolByName' instead, which is the preferred API anyway); that is the only case I know of which can be isolated.
Richard Jones reported an issue with the patch, but couldn't give us a simple case. Users who *have* such weird applications can reverse the patch, find workarounds, or whatever, until they can help us isolate the bug.
I think that the Product I sent to the list last week was a reproducible simple test case, wasn't it? If I can help in any other way I will try to do it.

Regards
Santi Camps
http://www.earcon.com
Hi Tres! On 22.10.2004, at 14:38, Tres Seaver wrote:
Given that the change was required to implement a security fix, and without a reproducible test case for the reported breakage, I don't think we can credit the rumors. We *definitely* don't want to defer the security fix.
I still don't know what the security fix actually fixes, but that may well be my ignorance ;-). Your checkin message just mentions the removal of DWIMy code...

There is a test in CMFDefault of CMF-1_4-branch that works in 2.7.2 but breaks in 2_7-branch, btw. I had no luck reproducing anything like it with plain Zope yet, unfortunately.

Let me reiterate that many a Plone site will likely break with 2.7.3, something I am not exactly looking forward to. A clear description of the issue would certainly help, so people can at least scan their sources for the "things that worked fine but no longer do". E.g. consistently using getToolByName instead of relying on acquisition appears to go a long way. There are pathological cases though, like when restrictedTraverse fails due to the new access control.

Thanks,
Stefan

-- 
The time has come to start talking about whether the emperor is as well dressed as we are supposed to think he is. /Pete McBreen/
On Sat, 23 Oct 2004 10:29 pm, Stefan H. Holek wrote:
On 22.10.2004, at 14:38, Tres Seaver wrote:
Given that the change was required to implement a security fix, and without a reproducible test case for the reported breakage, I don't think we can credit the rumors. We *definitely* don't want to defer the security fix.
I still don't know what the security fix actually fixes, but that may well be my ignorance ;-). Your checkin message just mentions the removal of DWIMy code...
Actually, this is a point I wanted to make a long time ago. I believe there would have been less confusion all around (and some still lingers) if there had been more information in the checkin message than "DWIMy code". DWIM only really has meaning to certain sets of "I".

Richard
participants (5)
- Andreas Jung
- Richard Jones
- Santi Camps
- Stefan H. Holek
- Tres Seaver