[Zope-dev] 2.9.4? reStructuredText support?
Jim Fulton
jim at zope.com
Sun Jul 9 08:56:30 EDT 2006
On Jul 8, 2006, at 3:27 PM, Andreas Jung wrote:
>
>
> --On 8. Juli 2006 15:05:21 -0400 Jim Fulton <jim at zope.com> wrote:
>
>>> I think this applies here as well.
>>
>> 1. ZClasses are not a security threat. reST is. That's a huge
>> difference.
>
> Being a security threat or not ...how will you prove that a module
> X is a threat or not? Without source code review every module has
> the potential
> to be a threat. I would never claim that the modules I've written
> or maintain in some way are totally safe...
One difference is that between our code and 3rd-party code. I wrote
the ZClasses code and paid a lot of attention to security.
Whoever integrated reST didn't even read the documentation, much less
the code.
>>
>> 2. This event illustrates that I was wrong.
>>
>
> Possibly, but a lot of modules were written by ppl that are no
> longer active in the community and a lot of these modules are
> real cruft that nobody wants to touch (and that few ppl
> understand). For the time being we have to live with this situation
> in the Zope 2 world. The only way out is to replace more and more
> code with Zope 3 modules which is actually happening.
>
> So what does it mean to be a maintainer of a package?
This is something that the Zope Foundation needs to work out. I'd
like to start a discussion of this when Martijn gets back from
vacation. Or perhaps we should put off the discussion till September
when most people are back from vacation.
> A maintainer has to keep the code in shape and should of course
> care about security issues. But a maintainer might have a different
> view on security than you...so how to get out of this dilemma? Code
> audits? They would help but you know how much time they take
> (impractical for most code if you ask me). The current
> "unofficial" code auditing by watching the checkin lists seems to
> work to a certain degree (perhaps not directly related to security
> issues but to wrong code in general). Getting maintainers for Zope
> core packages is even harder than some yrs ago when the Zope
> community wasn't split up as it is today (CPS, Zope3, Zope2, Plone,
> CMF). The common view on the Zope 2 core seems to be "it works,
> it's cruft, don't touch it"...and ppl prefer to put their hands on
> other stuff outside the Zope 2 core. I am realistic enough to see
> that this won't change in the near future.
My view is that both Zope 2 and Zope 3 are too big. IMO, they need
to be split into smaller projects packaged more or less separately.
reST and ZClasses should be add-ons, not a part of the code. It
should be possible for each project/package to tell if the project is
active. Then it's up to users to decide whether to take the risk of
using an unsupported package.
Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org