[ZODB-Dev] ZEO and Security

Bill Anderson bill@libc.org
06 May 2001 22:38:23 -0600


So here I am working up a neat little Gtk/GNOME app, and thinking that
ZODB/ZEO is the way to go (and get a break from all the PostgreSQL stuff
to boot), for all the main reasons one chooses ZEO/ZODB. :)

Then as I am getting into it something hits me. I recognize it; this
isn't the first time.

The server will be vulnerable. All the trust is put into the clients. 

I can't do that this time. 

I understand that a security mechanism is not on the plate until late
fall unless people start clamoring.

Clamor. Clamor. Clamor.

In the meantime, as I don't have the bandwidth to work on implementing
such a beast, does anyone have any ideas on how to get some sort of at
least basic security?

So far, the only thoughts (well, those that didn't die upon birth
anyway) I have involve doing something like putting much of the code into
the ZODB, as in "Script (Python)"- type objects, and have the clients
call them, almost like an rpc-ish server. But that just feels
restricting, too restricting.

I know some of you have been doing ZODB-using apps; has anyone found a
way to solve this particular ZEO-related issue? It doesn't have to be
Zope-compatible (since this particular app may never see that need), but
that would be a plus :)


It seems to me that this is severely holding back broad use of ZEO
outside of the Zope world. Not to mention it would certainly help those
of us developing non-html guis for various Zope things. :)


Bill