[Zope-dev] Re: Debian and Zope

Tres Seaver tseaver at zope.com
Mon Aug 23 09:32:04 EDT 2004


Thaddeus H. Black wrote:
> This question regards the code in Zope's
> zpasswd.py.  If you know zpasswd.py or are
> involved in Debian, please reply.
> 
> Debian GNU/Linux 3.1 releases soon.  The Debian
> Zope package (actually the Debian `zopectl'
> package) has what Debian calls a Release
> Critical Bug open against it
> [http://bugs.debian.org/251038].  Normally,
> Debian's Zope maintainer would handle such a
> bug, but the maintainer seems to be inactive
> this year, so it falls to me to fix it.  This is
> okay.  The maintainer's work in earlier years is
> appreciated.  The trouble is, I do not use Zope
> myself, so I am fixing the bug with limited
> understanding of the potential consequences of
> the fix.
> 
> The part of the Debian fix which affects your
> Zope source is in zpasswd.py.  At present, a
> user can invoke zpasswd in either of two ways:
> 
>   (1) without command-line options, in which
>   case zpasswd prompts the user on tty for
>   username and password; or
> 
>   (2) with username and password supplied on the
>   command line.
> 
> How the user cannot presently invoke zpasswd is
> 
>   (3) with username supplied on the command
>   line, so that zpasswd prompts the user on tty
>   for a password only.
> 
> The Zope installation procedure on Debian
> requires option (3).  With (3), I can cleanly
> eliminate the Release Critical Bug now and
> prevent Zope from being dropped from Debian 3.1.
> Thus I am adding (3) to Debian Zope.
> 
> Question, please.  Does my addition create some
> subtle problem I should know about?  If Zope
> were coded perfectly cleanly, then the addition
> of option (3) should create no problem; but you
> and I have both done enough coding to realize
> that old code can sometimes depend in strange
> ways on the odd behavior of even older code.
> With my small addition, zpasswd now correctly
> handles (3).  Is this okay, or can you think of
> something specific it might break, something I
> might not have noticed?  I have checked
> everything I know how to check, but I do not
> know Zope; you guys do.
> 
> Regrettably, Zope's public SVN seems to be down
> as I write these words, so in the unlikely event
> that someone had already added option (3) to
> zpasswd.py, I would not know about it.  I do
> understand and respect that, like any good
> free-software developers, you will probably all
> want me to update Debian Zope now to Zope's
> latest version!  To this, I must plead that such
> an update far exceeds the limits of my Zope
> ignorance (also, it would violate Debian Project
> policy, which permits me minimally to fix a
> Release Critical Bug for an inactive maintainer
> but forbids me from unilaterally hijacking his
> Debian package).  The matter at hand now is not
> how to include the latest Zope (it is not
> Debian's usual practice to include the very
> latest software in any event) but rather how to
> keep Zope in Debian at all.  This is a good
> cause and I am pleased to help.
> 
> I do not regularly subscribe to zope-dev, so
> please copy your reply to me and to
> 251038 at bugs.debian.org (the latter automatically
> attaches your reply to the relevant official
> Debian bug report, #251038).  If there were no
> reply, this would be okay; I would just assume
> that my fix were as good as it seems to be, and
> would proceed accordingly.  Please reply by 23
> August.
> 
> If any active Zope developer on this list also
> happens to be a registered Debian Developer, he
> is asked to step in and take charge of Debian
> bug #251038 from here: one can find my full
> zopectl/zope Debian patch attached to the Debian
> bug report.  Otherwise, thank you for your
> attention in this matter.  If you want my patch
> to zpasswd.py, here it is.  You probably want to
> apply it to your own SVN Zope source.
> 
> diff -u zope-2.6.4/zpasswd.py zope-2.6.4.new/zpasswd.py
> --- zope-2.6.4/zpasswd.py	2004-08-03 20:34:53.000000000 +0000
> +++ zope-2.6.4.new/zpasswd.py	2004-08-03 18:49:11.000000000 +0000
> @@ -87,6 +87,16 @@
>  
>          import do; do.ch(ac_path, user, group)
>  
> +def get_password():
> +    while 1:
> +        password = getpass.getpass("Password: ")
> +        verify = getpass.getpass("Verify password: ")
> +        if verify == password:
> +            return password
> +        else:
> +            password = verify = ''
> +            print "Password mismatch, please try again..."
> +
>  
>  def main(argv):
>      short_options = ':u:p:e:d:'
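
Review bot: get_password() returns as soon as the two entries compare equal, so pressing Enter at both prompts yields an empty password. The command-line branch in the next hunk then passes that value straight to generate_passwd() and writes it to the access file. Consider looping again when the entry is empty (for example, testing `if password and verify == password:`), and add a docstring now that the function is shared by both code paths.
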
> @@ -150,7 +160,10 @@
>  
>              # Verify that we got what we need
>              if not username or not password:
> -                raise "CommandLineError"
> +                if username:
> +                    password = get_password()
> +                else:
> +                    raise "CommandLineError"
>  
>              access_file.write(username + ':' +
>                                generate_passwd(password, encoding) +
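
Review bot: inside `if not username or not password:`, a username given without a password now calls get_password() where it used to raise, so a scripted call to this option-driven branch that omits the password will stop at a prompt instead of failing at once. If that is intended, say so in the usage text. The nesting also reads more clearly flattened: test `if not username:` first and raise "CommandLineError", then test `if not password:` and call get_password().
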
> @@ -163,14 +176,7 @@
>                  if username != '':
>                      break
>  
> -            while 1:
> -                password = getpass.getpass("Password: ")
> -                verify = getpass.getpass("Verify password: ")
> -                if verify == password:
> -                    break
> -                else:
> -                    password = verify = ''
> -                    print "Password mismatch, please try again..."
> +            password = get_password()
>  
>              while 1:
>                  print """

FWIW, I think the idea of the patch is fine, although I might clean up 
the code a bit (the 'if not username or not password' bit).  I am 
presuming that the package builder for Debian allows you to include this 
as a patch when packaging, and thus that you can move forward with 
packaging Zope 2.7.2?

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com


