[Zope-dev] C-extension in zope.i18nmessageid

Tres Seaver tseaver at palladion.com
Fri Dec 12 16:42:52 EST 2008



Martijn Faassen wrote:
> Malthe Borch wrote:
>> Martijn Pieters wrote:
>>> I object as well, and have asked for Malthe to provide his reasoning
>>> here at the Plone Performance Sprint in Bristol, but so far his only
>>> motivation is that he wants to see if he can get this to work without
>>> a C-extension. I am sceptical he'll be able to, and am not convinced
>>> it'll be worth introducing risks.
>> The obvious motivation for this is to:
>>
>> * Reduce code complexity
>> * Allow operation in a pure-Python environment
>>
>> As for cons, any change is a risk and I believe the consensus seen in 
>> this thread is that it outweighs the above mentioned motivation.
> 
> Allowing operation in a pure-Python environment is a worthwhile goal, 
> which I support.
> 
> Unless it can be clearly demonstrated that the new method is equivalent 
> in both performance and security, talk of dropping the C extension seems 
> somewhat premature. A pure Python fallback for this module would however 
> be interesting to everybody, I think.
> 
> My suspicion from observing the discussions in this thread so far 
> indicates that a drop in code complexity doesn't seem to be a necessary 
> consequence of rewriting to Python either.

I question the *actual* security benefits of making the message IDs
truly read-only:  I think the real intent is to avoid a common class of
programming error, rather than to keep Black Hats out.

For that side of the problem, we could use read-only properties for the
data, and use something like the '__' prefix for the real backing-store
attributes, then only folks who were being silly would ever change them.

This is Python, after all:  "we're all grownups" should apply.  I'm
willing to be shown wrong, of course, but I want to see a
non-hypothetical attack vector which doesn't involve running trusted
code from the filesystem. ;)  (smiley because what other kind of code do
we have in Z3 applications, anyway?)


Tres.
--
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
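
The approach suggested in the message above (read-only properties over '__'-prefixed backing attributes), sketched as an added example that is not part of the original message or of zope.i18nmessageid; the `Message` class and the helper names are hypothetical. It shows ordinary assignment being rejected while a deliberate write through the mangled name still succeeds, which is the difference between guarding against programming errors and guarding against hostile code.

```python
from types import MappingProxyType


class Message(str):
    """Hypothetical pure-Python message ID: a str carrying translation metadata."""

    def __new__(cls, msgid, domain=None, default=None, mapping=None):
        self = super().__new__(cls, msgid)
        # Inside the class body, __domain is mangled to _Message__domain.
        self.__domain = domain
        self.__default = default
        # Copy the mapping, then expose only a read-only view of the copy.
        self.__mapping = MappingProxyType(dict(mapping or {}))
        return self

    # Properties without setters: plain assignment raises AttributeError.
    @property
    def domain(self):
        return self.__domain

    @property
    def default(self):
        return self.__default

    @property
    def mapping(self):
        return self.__mapping


def try_assign(msg, name, value):
    """Return True if ordinary attribute assignment was accepted."""
    try:
        setattr(msg, name, value)
    except AttributeError:
        return False
    return True


def try_mapping_edit(msg, key, value):
    """Return True if in-place modification of the mapping was accepted."""
    try:
        msg.mapping[key] = value
    except TypeError:
        return False
    return True


def deliberate_override(msg, value):
    """Write through the mangled name; nothing in pure Python prevents this."""
    msg._Message__domain = value
    return msg.domain
```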


