[ZWeb] Zope-web syndication

ethan mindlace fremen mindlace@digicool.com
Thu, 15 Jun 2000 20:44:45 -0600

Karl Anderson wrote:
> When I think of syndication, I think of exposing content to someone
> that you don't necessarily trust.  You seem to only be suggesting
> in-house type syndication now, right?

Not particularly, although I am thinking that the syndication extends in house,
that is, zope.org, zope.net, and zope.com are all views on the storage server's

> The MountedDatabases page doesn't mention any security controls -
> something in a mounted storage is just as trusted as in your primary
> storage. Same with zeo,

The Zeo Fact Sheet says:
To support distribution to externally controlled Zope sites, the ZSS can
restrict connections (1) by address, (2) require a security key, and/or (3)
permit read-only access. These features make ZEO a good fit for the classic
"Internet mirror".

> plus you trust all clients completely to be
> what they claim to be (for example, you trust them when they say "this
> user has been id'd with basic http authentication").  Is this correct?

What I would assume is that certain, trusted sites (like the ZDP) would have
read-write access.  I believe that if the ZDP wanted to do clever enough things
to their copy of zope they could contravene security measures in the ZODB, but I
don't know enough about the security mechanisms to say.

> So this isn't a model like, say, exporting a static CVS site read-only
> with the hosts providing their own standard_dtml_header type
> objects.  Or could it be made into one?  Or is that not your direction
> at all?

I think that is what I am trying to do.  I assumed that if the objects in the
storage server were made available read-only, even if a client server connected
to it was mounted in an arbitrary foreign Zope, it would not pose a security
risk to the objects in the storage server.