Hello, There is a sheet with versions for KGS 3.4.1 http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQ&output=html Anyone for/against those versions? The open questions that remain: * What about pytz 2010g? * Which lxml version to take? 1.3.6? * What about zope.app.container 3.6.2? * Would be nice to have zope.testbrowser 3.5.1 Comments are welcome. -- Best regards, Adam GROSZER mailto:agroszer@gmail.com -- Quote of the day: The crash of the whole solar and stellar systems could only kill you once. - Thomas Carlyle
Adam GROSZER a écrit :
Hello,
There is a sheet with versions for KGS 3.4.1 http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQ&output=html
Anyone for/against those versions?
The open questions that remain: * What about pytz 2010g? * Which lxml version to take? 1.3.6? * What about zope.app.container 3.6.2? * Would be nice to have zope.testbrowser 3.5.1
Comments are welcome.
z3c.layer has a major security issue, because of trusted traversing adapters that removes the security proxy everywhere. This package has been retired and splitted into its 3 subpackages : z3c.layer.minimal z3c.layer.pagelet z3c.layer.trusted There is no problem upgrading to branch 1.0 of these packages, as they don't have any significant changes, excepted the splitting. However: z3c.layer.pagelet should be in version 1.0.2. Nothing below. z3c.layer.minimal has no corrected 1.0 branch. A new maintenance release 1.0.2 of this package should be released. z3c.layer.trusted is OK, since this is trusted in purpose. (I think) Christophe
Hi
Betreff: Re: [Zope-dev] KGS 3.4.1 versions
Adam GROSZER a écrit :
Hello,
There is a sheet with versions for KGS 3.4.1
http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQ&output=
html
Anyone for/against those versions?
The open questions that remain: * What about pytz 2010g? * Which lxml version to take? 1.3.6? * What about zope.app.container 3.6.2? * Would be nice to have zope.testbrowser 3.5.1
Comments are welcome.
z3c.layer has a major security issue, because of trusted traversing adapters that removes the security proxy everywhere.
yes and no, only miss use could end in security issues It's not really a security issue, it's the only concept which allows to use nested sites with more then one IAuthentication utility and allows to authenticate on objects behind the first site. But since this was such a rare use case, we decided to split the package in different packages which also supports a non trusted setup. This makes the packages more general usable without to run into security issues based on trusted confirgurations where non trusted is needed.
This package has been retired and splitted into its 3 subpackages :
z3c.layer.minimal z3c.layer.pagelet
Both package above should not use trusted traverser
z3c.layer.trusted
This package should still use trusted traverser
There is no problem upgrading to branch 1.0 of these packages, as they don't have any significant changes, excepted the splitting. However:
z3c.layer.pagelet should be in version 1.0.2. Nothing below. z3c.layer.minimal has no corrected 1.0 branch. A new maintenance release 1.0.2 of this package should be released. z3c.layer.trusted is OK, since this is trusted in purpose. (I think)
Yes Regards Roger Ineichen
Christophe _______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Roger a écrit :
Hi
Betreff: Re: [Zope-dev] KGS 3.4.1 versions
Adam GROSZER a écrit :
Hello,
There is a sheet with versions for KGS 3.4.1
http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQ&output=
html
Anyone for/against those versions?
The open questions that remain: * What about pytz 2010g? * Which lxml version to take? 1.3.6? * What about zope.app.container 3.6.2? * Would be nice to have zope.testbrowser 3.5.1
Comments are welcome.
z3c.layer has a major security issue, because of trusted traversing adapters that removes the security proxy everywhere.
yes and no, only miss use could end in security issues It's not really a security issue, it's the only concept which allows to use nested sites with more then one IAuthentication utility and allows to authenticate on objects behind the first site.
But since this was such a rare use case, we decided to split the package in different packages which also supports a non trusted setup. This makes the packages more general usable without to run into security issues based on trusted confirgurations where non trusted is needed.
This package has been retired and splitted into its 3 subpackages :
z3c.layer.minimal z3c.layer.pagelet
Both package above should not use trusted traverser
z3c.layer.trusted
This package should still use trusted traverser
There is no problem upgrading to branch 1.0 of these packages, as they don't have any significant changes, excepted the splitting. However:
z3c.layer.pagelet should be in version 1.0.2. Nothing below. z3c.layer.minimal has no corrected 1.0 branch. A new maintenance release 1.0.2 of this package should be released. z3c.layer.trusted is OK, since this is trusted in purpose. (I think)
Yes
Ok thanks, I'll release z3c.layer.minimal during the WE.
Regards Roger Ineichen
Christophe _______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Christophe Combelles a écrit :
Roger a écrit :
Hi
Betreff: Re: [Zope-dev] KGS 3.4.1 versions
Adam GROSZER a écrit :
Hello,
There is a sheet with versions for KGS 3.4.1
http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQ&output=
html
Anyone for/against those versions?
The open questions that remain: * What about pytz 2010g? * Which lxml version to take? 1.3.6? * What about zope.app.container 3.6.2? * Would be nice to have zope.testbrowser 3.5.1
Comments are welcome.
z3c.layer has a major security issue, because of trusted traversing adapters that removes the security proxy everywhere. yes and no, only miss use could end in security issues It's not really a security issue, it's the only concept which allows to use nested sites with more then one IAuthentication utility and allows to authenticate on objects behind the first site.
But since this was such a rare use case, we decided to split the package in different packages which also supports a non trusted setup. This makes the packages more general usable without to run into security issues based on trusted confirgurations where non trusted is needed.
This package has been retired and splitted into its 3 subpackages :
z3c.layer.minimal z3c.layer.pagelet Both package above should not use trusted traverser
z3c.layer.trusted This package should still use trusted traverser
There is no problem upgrading to branch 1.0 of these packages, as they don't have any significant changes, excepted the splitting. However:
z3c.layer.pagelet should be in version 1.0.2. Nothing below. z3c.layer.minimal has no corrected 1.0 branch. A new maintenance release 1.0.2 of this package should be released. z3c.layer.trusted is OK, since this is trusted in purpose. (I think) Yes
Ok thanks, I'll release z3c.layer.minimal during the WE.
I've released z3c.layer.minimal 1.0.2 with the fix, and z3c.layer 0.2.4 with the same fix. For the KGS 3.4.1, we just have to upgrade z3c.layer to 0.2.4. No need to add z3c.layer.[pagelet|minimal|trusted] Christophe
Regards Roger Ineichen
Christophe _______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
On Thu, Apr 15, 2010 at 12:29, Adam GROSZER <agroszer@gmail.com> wrote:
The open questions that remain: * What about pytz 2010g?
I'm not sure it makes sense fixing it to a particular version at all, as you might want timezone updates separately. Just sayin'. :) -- Lennart Regebro: Python, Zope, Plone, Grok http://regebro.wordpress.com/ +33 661 58 14 64
Hello, I think it's about having a known set of versions for the tests. Not that test run picks up some newer versions and the tests suddenly fail. On Fri, Apr 16, 2010 at 2:21 PM, Lennart Regebro <regebro@gmail.com> wrote:
On Thu, Apr 15, 2010 at 12:29, Adam GROSZER <agroszer@gmail.com> wrote:
The open questions that remain: * What about pytz 2010g?
I'm not sure it makes sense fixing it to a particular version at all, as you might want timezone updates separately. Just sayin'. :)
-- Lennart Regebro: Python, Zope, Plone, Grok http://regebro.wordpress.com/ +33 661 58 14 64
-- Best regards, Adam
Adam GROSZER a écrit :
Hello,
There is a sheet with versions for KGS 3.4.1 http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQ&output=html
Anyone for/against those versions?
The open questions that remain: * What about pytz 2010g? * Which lxml version to take? 1.3.6? * What about zope.app.container 3.6.2? * Would be nice to have zope.testbrowser 3.5.1
Comments are welcome.
For the KGS 3.4.1, I think we should upgrade zc.buildout to at least 1.3.1. while releasing z3c.layer, I've run into a bug of zc.buildout 1.1 that prevented from adding "extras" dependencies for tests. Christophe
Hello Christophe, Sunday, April 18, 2010, 2:54:08 AM, you wrote: CC> Adam GROSZER a écrit :
Hello,
There is a sheet with versions for KGS 3.4.1 http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQ&output=html
Anyone for/against those versions?
The open questions that remain: * What about pytz 2010g? * Which lxml version to take? 1.3.6? * What about zope.app.container 3.6.2? * Would be nice to have zope.testbrowser 3.5.1
Comments are welcome.
CC> For the KGS 3.4.1, I think we should upgrade zc.buildout to at least 1.3.1. CC> while releasing z3c.layer, I've run into a bug of zc.buildout 1.1 that prevented CC> from adding "extras" dependencies for tests. Versions updated. -- Best regards, Adam GROSZER mailto:agroszer@gmail.com -- Quote of the day: God hides things by putting them all around us. - Anonymous
On Thu, Apr 15, 2010 at 12:29 PM, Adam GROSZER <agroszer@gmail.com> wrote:
Hello,
There is a sheet with versions for KGS 3.4.1 http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQ&output=html
Anyone for/against those versions?
Tres Seaver just released zope.securitypolicy 3.4.4 (3.4.3 was buggy). There was a subtle bug, which was triggered if you used zope.securitypolicy's security policy without having zope.dublincore package already loaded. See https://bugs.launchpad.net/bugs/564525 for more informations. Could I suggest you to include this version (3.4.4) in Zope KGS 3.4.1 ? Thanks, Jonathan
Hello Jonathan, done Monday, April 19, 2010, 6:56:34 PM, you wrote: JB> On Thu, Apr 15, 2010 at 12:29 PM, Adam GROSZER <agroszer@gmail.com> wrote:
Hello,
There is a sheet with versions for KGS 3.4.1 http://spreadsheets.google.com/pub?key=tUE5Q72d4Kg1FXaacCA3EKQ&output=html
Anyone for/against those versions?
JB> Tres Seaver just released zope.securitypolicy 3.4.4 (3.4.3 was buggy). JB> There was a subtle bug, which was triggered if you used JB> zope.securitypolicy's security policy without having zope.dublincore JB> package already loaded. JB> See https://bugs.launchpad.net/bugs/564525 for more informations. JB> Could I suggest you to include this version (3.4.4) in Zope KGS 3.4.1 ? JB> Thanks, JB> Jonathan -- Best regards, Adam GROSZER mailto:agroszer@gmail.com -- Quote of the day: 'Tis mad idolatry to make the service greater than the god. - William Shakespeare
participants (5)
-
Adam GROSZER -
Christophe Combelles -
Jonathan Ballet -
Lennart Regebro -
Roger