[Zope] Re: major problems placing authentication on an extranet site-security flaw?

michael nt milne michael.milne at gmail.com
Fri Feb 10 12:29:43 EST 2006


Yes I've apologised for the initial tone which was the wrong way to begin
and yes I agree I should have routed out more documentation. I've read Andy
Mackay, Plone Live, printed out screeds of how tos, chapters of the Zope
book, installed Zope on my Unix server etc so I do have a reasonable, if
still not mature, take on the environment.

I feel that 'leech' and 'cretinous' are perhaps slightly over the top to be
honest though :-)

Anyway, yes I feel we should over and out on this thread as it's not too
entertaining now, even if it was before :-)

Apologies to Zope if he's been offended.


On 2/10/06, Floyd May <fmay at okcareertech.org> wrote:
>
> On 2/10/06, michael nt milne <michael.milne at gmail.com> wrote:
> > I agree. I didn't start it and I find it un-professional. I came here with a
> > genuine issue, have received some help which I thank people for and have
> > made some legitimate points. I find the Zope and Plone lists are generally
> > very good and am not interested in slanging matches.
> >
> > Thanks
> >
> > Michael
> >
> >
> >
> > On 2/10/06, Paul Winkler <pw_lists at slinkp.com> wrote:
> > > Can we all stop with the public name-calling and personal insults?
> > > It's embarrassing.
> > >
> > > --
> > >
> > > Paul Winkler
> > > http://www.slinkp.com
> > > _______________________________________________
> > > Zope maillist  -  Zope at zope.org
> > > http://mail.zope.org/mailman/listinfo/zope
> > > **   No cross posts or HTML encoding!  **
> > > (Related lists -
> > > http://mail.zope.org/mailman/listinfo/zope-announce
> > > http://mail.zope.org/mailman/listinfo/zope-dev )
> > >
> >
> >
> >
> > --
> >  Michael
> >
> >
> >
>
> I've resisted the urge to weigh in on this conversation for far too long.
>
> Mr. Milne,
> Your original email to this list was presented in such a way that you
> guaranteed yourself a difficult time acquiring assistance for the
> following reasons:
> 1. It contained a tone indicating something along the lines of "this
> is broken and you need to fix it because I'm complaining".
> 2. You made no indication that you had attempted to understand the
> existing framework.  Most people cite or quote existing documentation,
> e.g. "The zope book says X, but I am experiencing Y" when attempting
> to sort out a problem.
> 3. You assume that because you are technically-capable in other
> realms, your experience with Zope and Plone must be the fault of Zope
> and Plone, and not the fault of your inexperience with the paradigm
> differences between the common Apache+RDBMS architectures and the
> object-oriented Zope/Plone architecture.
>
> Zope and Plone are both built by volunteers.  Thousands of people
> worldwide pour their free-time efforts into making these products the
> best that they can be.  Regardless of what you may think, the security
> framework in Zope and Plone was built in the way that it is FOR A
> REASON, and that reason is to make the Zope Application Server as
> powerful as possible in terms of security.  If you would have read the
> Zope book, the Definitive Guide to Plone, or the Zope Developer's
> Guide, you would have found the following phrase:
> "Security is hard."
>
> Despite the fact that your original email that started this confounded
> thread was an ignorant insult to the years of time and effort spent
> making Zope and Plone what they are, faithful patrons of the Zope
> mailing list attempted to help you.  In response, you continued to
> insult Zope with cretinous comments like:
>
> >I find the Zope security, permissions set-up hideously
> >complex and unusable to be honest and it doesn't even seem to work.
>
> ...and...
>
> >But ultimately my comments on usability should be taken
> >on board because Zope security is overly complex.
>
> ...and indicating your complete unwillingness to conform to simple
> requests from the people who are attempting to help you for free, in
> spite of your near-intolerable insults interspersed with vague
> information detailing what everyone has told you is what Zope *should*
> do with comments like the following:
> >Sorry but this is not my experience and I have experimented.
> >Am using gmail basic setting which I like.
>
> It is obvious to the people who have taken the time to understand how
> Zope's security works that the trouble you are experiencing has one
> source and one source alone - you don't know what you're doing.  Read
> the documentation, go through the tutorials, and prove that you are
> able to understand what's happening, then attempt again to set up the
> security model that you are attempting.  Furthermore (and I want you
> to read this carefully), you would do well to understand that Zope is
> built by volunteers.  Insulting the work of such volunteers, and
> failing to respect the expertise of those people who caused Zope to be
> what it is by considering unexpected behaviors bugs that should be
> fixed just because you say so is a certain way to get hostile
> reactions.
>
> You are a dinner guest in the world of Zope, and you have come into
> our living room and told us that we should repaint the walls and
> remodel our kitchen because "it doesn't work for you."  The Zope
> community has made a robust product (regardless of your opinions to
> the contrary), and your behavior would have been much better-received
> if you would have kept your opinions about Zope's security (opinions
> founded in inexperience, I might add) to yourself and considered your
> own capability for making mistakes before pointing fingers at a
> worldwide community of software developers.  The trouble that you are
> having with Zope's security is YOUR fault.  The complexity of Zope's
> security features is INTENTIONAL, and will not change, especially not
> to suit the needs of a disrespectful leech like yourself (and I use
> the word 'leech' to indicate that you expect it is perfectly fine to
> take from the Zope community without giving back).
>
> Consider these words long and hard before posting again.
>
> --
> Floyd May
> Senior Systems Analyst
> CTLN - CareerTech Learning Network
> fmay at okcareertech.org
>



--
Michael