Oliver Bleutgen wrote:
Tue Wennerberg wrote:
Well, now we're getting somewhere. I believe that "guarding against stupidity" is a much more valid point. However, still not valid enough that regular expressions should be banned, since regular expressions would be such a great feature for Zope.
It's not as if you couldn't use regexps in Zope, it's just not as easy as you like it to be.
In my eyes, a script developer should be trusted to create well-written code. In other words, badly developed scripts cause a badly developed site, which shouldn't surprise anyone. I don't think Zope should (or can) protect against stupidity. In my experience, when non-expert developers create regular expressions, they are always trivial expressions, which don't cause such problems.
Of course a programming error shouldn't be able to shut down an entire system, but that should be solved in another way (e.g. resource control for individual processes/threads).
Well, now you are contradicting yourself, IMO. First you assert that Zope shouldn't protect against stupidity, then you want to have resource control. Resource control can give a lot of support headaches, and everywhere it is used it causes a lot of mailing list traffic (Linux OOM killer is a prominent example). For various reasons the problem to implement something like that in Zope would be even more of a headache, I assume, and it's much less needed. Somewhere the line has to be drawn, and I think what is done in Zope is quite reasonable, albeit arguable. Anyway, I have no strong feelings one way or the other, just wanted to pass on what I have learned from the same discussion.
I appreciate your input, too! I didn't mean to contradict myself :-)

What I meant to say was that when choosing between (a) regular expressions working by default, or (b) protecting against rare cases of stupidity, I think (a) should be chosen and I'm surprised it hasn't been. I also think it's bad for Zope that regular expressions have gotten a reputation of being insecure, when they really aren't. On the contrary, the conscientious developer will use them for validating input parameters, thereby increasing security.

--
Best regards,
Tue Wennerberg
M.Sc. Engineer and Freelance Developer
http://tuewennerberg.dk/ - tue@wennerberg.dk - (+45) 4043 6735
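
Added illustration, not part of the original message and not Zope code: the "resource control for individual processes" option raised in this thread, applied to a regex used for input validation. The helper name, exit codes, time budgets and sample inputs are assumptions made for the example.

```python
import subprocess
import sys

# Child program: the match runs in its own interpreter, so a runaway
# pattern burns the child's CPU time instead of stalling the server.
_CHILD = """\
import re, sys
try:
    ok = re.fullmatch(sys.argv[1], sys.argv[2]) is not None
except re.error:
    sys.exit(2)
sys.exit(0 if ok else 1)
"""


def match_with_budget(pattern, text, seconds=5.0):
    """Return True/False for a full match, or None if the budget ran out.

    Hypothetical helper: name, exit codes and default budget are assumptions.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD, pattern, text],
            timeout=seconds,  # run() kills the child when this expires
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
    except subprocess.TimeoutExpired:
        return None
    if proc.returncode == 2:
        raise ValueError("invalid regular expression: %r" % pattern)
    if proc.returncode not in (0, 1):
        raise RuntimeError("matcher child failed: %d" % proc.returncode)
    return proc.returncode == 0


if __name__ == "__main__":
    # Constructed sample inputs: a trivial validator, then a pattern with
    # nested quantifiers that backtracks exponentially on a near-miss.
    print(match_with_budget(r"[a-z0-9_]{1,16}", "tue_w"))            # match
    print(match_with_budget(r"[a-z0-9_]{1,16}", "bad name!"))        # no match
    print(match_with_budget(r"(a+)+", "a" * 40 + "!", seconds=1.0))  # budget hit
```

A caller should treat None as a rejected input and log it, since a budget overrun says more about the pattern than about the data.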