[Zope3-dev] Re: FW: Zope security policy

[Philipp von Weitershausen]

Garrett Smith wrote:
> This change:
> 
> 
>>- Move site-specific security policy decisions into
>>securitypolicy.zcml -- I'll update both the file in the root as well
>>as the file in z/a/securitypolicy.  
> 
> 
> will break existing zope instances because it depends on them updating
> their instance securitypolicy.zcml. This would not make for a very
> seamless upgrade.
> 
> Do we have any mechanism for updating instance-specific conf files?

I don't think we have one, but it I really like the Debian way of 
dealing with the upgrade of configuration files:

a. If the file that is to be upgraded hasn't been modified since it was 
installed, just do the upgrade silently.

b. If it has been modified, allow the administrator to decide whether he 
wants the file overridden or wants to apply the upgrade manually. In the 
first case the upgrade mechanism keeps a backup of the old modified file 
(FILE.debian-old or something), in the second case it leaves the file 
alone but puts the new version right next to it (FILE.whatever).

While such a mechanism isn't particularly difficult to implement, it 
would mean that the installation script would have to know when a config 
file has been modified since its installation (or the last upgrade). 
This could be done by comparing md5sums, possibly, instead of whole files.

> This would be as straight forward as replacing their securitypolicy.zcml
> in etc if all it contains is the default include.

This case would be equivalent to scenario a) described above.

Philipp