[Zope] Re: major problems placing authentication on an extranet site-security flaw?

Floyd May fmay at okcareertech.org
Fri Feb 10 12:08:28 EST 2006

On 2/10/06, michael nt milne <michael.milne at gmail.com> wrote:
> I agree. I didn't start it and I find it unprofessional. I came here with a
> genuine issue, have received some help which I thank people for and have
> made some legitimate points. I find the Zope and Plone lists are generally
> very good and am not interested in slanging matches.
> Thanks
> Michael
> On 2/10/06, Paul Winkler <pw_lists at slinkp.com> wrote:
> > Can we all stop with the public name-calling and personal insults?
> > It's embarrassing.
> >
> > --
> >
> > Paul Winkler
> > http://www.slinkp.com
> > _______________________________________________
> > Zope maillist  -  Zope at zope.org
> > http://mail.zope.org/mailman/listinfo/zope
> > **   No cross posts or HTML encoding!  **
> > (Related lists -
> > http://mail.zope.org/mailman/listinfo/zope-announce
> > http://mail.zope.org/mailman/listinfo/zope-dev )
> >
> --
>  Michael

I've resisted the urge to weigh in on this conversation for far too long.

Mr. Milne,
Your original email to this list was presented in such a way that you
guaranteed yourself a difficult time acquiring assistance for the
following reasons:
1. It contained a tone indicating something along the lines of "this
is broken and you need to fix it because I'm complaining".
2. You made no indication that you had attempted to understand the
existing framework.  Most people cite or quote existing documentation,
e.g. "The zope book says X, but I am experiencing Y" when attempting
to sort out a problem.
3. You assume that because you are technically-capable in other
realms, your experience with Zope and Plone must be the fault of Zope
and Plone, and not the fault of your inexperience with the paradigm
differences between the common Apache+RDBMS architectures and the
object-oriented Zope/Plone architecture.

Zope and Plone are both built by volunteers.  Thousands of people
worldwide pour their free-time efforts into making these products the
best that they can be.  Regardless of what you may think, the security
framework in Zope and Plone was built in the way that it is FOR A
REASON, and that reason is to make the Zope Application Server as
powerful as possible in terms of security.  If you would have read the
Zope book, the Definitive Guide to Plone, or the Zope Developer's
Guide, you would have found the following phrase:
"Security is hard."

Despite the fact that your original email that started this confounded
thread was an ignorant insult to the years of time and effort spent
making Zope and Plone what they are, faithful patrons of the Zope
mailing list attempted to help you.  In response, you continued to
insult Zope with cretinous comments like:

>I find the Zope security, permissions set-up hideously
>complex and unusable to be honest and it doesn't even seem to work.


>But ultimately my comments on usability should be taken
>on board because Zope security is overly complex.

...and indicating your complete unwillingness to conform to simple
requests from the people who are attempting to help you for free, in
spite of your near-intolerable insults interspersed with vague
information detailing what everyone has told you is what Zope *should*
do with comments like the following:

>Sorry but this is not my experience and I have experimented.
>Am using gmail basic setting which I like.

It is obvious to the people who have taken the time to understand how
Zope's security works that the trouble you are experiencing has one
source and one source alone - you don't know what you're doing.  Read
the documentation, go through the tutorials, and prove that you are
able to understand what's happening, then attempt again to set up the
security model that you are attempting.  Furthermore (and I want you
to read this carefully), you would do well to understand that Zope is
built by volunteers.  Insulting the work of such volunteers, and
failing to respect the expertise of those people who caused Zope to be
what it is by considering unexpected behaviors bugs that should be
fixed just because you say so is a certain way to get hostile

You are a dinner guest in the world of Zope, and you have come into
our living room and told us that we should repaint the walls and
remodel our kitchen because "it doesn't work for you."  The Zope
community has made a robust product (regardless of your opinions to
the contrary), and your behavior would have been much better-received
if you would have kept your opinions about Zope's security (opinions
founded in inexperience, I might add) to yourself and considered your
own capability for making mistakes before pointing fingers at a
worldwide community of software developers.  The trouble that you are
having with Zope's security is YOUR fault.  The complexity of Zope's
security features is INTENTIONAL, and will not change, especially not
to suit the needs of a disrespectful leech like yourself (and I use
the word 'leech' to indicate that you expect it is perfectly fine to
take from the Zope community without giving back).

Consider these words long and hard before posting again.

Floyd May
Senior Systems Analyst
CTLN - CareerTech Learning Network
fmay at okcareertech.org
