[Zope3-dev] Re: Python version for Zope 3.4 ?

Jim Fulton jim at zope.com
Fri Sep 29 10:03:02 EDT 2006


Tres Seaver wrote:
...
> The change from 2.4 to 2.5 is *massively* disruptive for a framework
> like Zope:  much more so than any change since 2.2, I think (maybe even
> 2.0/2.1).  The hardest bit is the change to the way the compiler works:
>  RestrictedPython is completely incompatible with the new AST-based
> strategy.

Yup.  Also, everything I've tried (I haven't tried much) has had test
breakage.  Most of this is probably shallow, but it will take some time to
sort it all out.

As we move toward splitting things up into eggs, people can help out by
getting things working on an egg-by-egg basis.

>>> So unless a volunteer steps up to do lots of hard work between now and
>>> March next year, let's stick with Python 2.4. Otherwise let's plan it in
>>> for Zope 3.5 and Zope 2.12
>> I really really really hope it doesn't take that long to be able to
>> at least run on Python 2.5: even if it has to be with some caveats or
>> mild warnings.
>>
>> If security and restricted python / security proxies are the main
>> issue, what about if one is running Zope sites with absolutely ZERO
>> through the web code - no page templates, nothing - can't there be a
>> lighter weight security implementation that wouldn't take half a year
>> of "lots of hard work"?
> 
> Even if you have no templates defined TTW, Zope3's security machinery
> still needs some support from RestrictedPython for handling
> filesystem-based templates.

File-system-based templates are trusted in Zope 3. (I wonder if file-system-based
templates are still untrusted in Zope 2.) Still, official
releases have to be backward compatible and thus have to support TTW
templates.

I very much hope that we will switch to egg-based development and distribution
over the coming months.  If we do that, it might be possible and would
be interesting for people to create alternate distributions focused on
different needs.  It would be interesting to have distributions that
didn't support untrusted Python code.

Jim


