Python-announce-list January 2004

python-announce-list@python.org

45 participants
62 discussions

Kodos 2.3.0 - Python utility for testing Regular Expressions

by stuff＠mailzilla.net

Kodos 2.3.0 has been released and is available at: http://kodos.sourceforge.net Changes since 2.1: - Added: Support for unicode. Users can now create regular expressions that contain unicode characters. - Added: Support for multiple languages (locales) via translation files. If you're interested in translating Kodos to another language please email me. - Normalized the distribution paths so that Kodos can find help files regardless of distribution. - Fixed some issues with the RPMs. They should now install correctly. - Minor bug fixes - Code cleanup About Kodos: Kodos is a regular expression designer, tester, debugger and validator that allows a developer to create and modify regular expressions against a test string. The intuitive grahpical interface allows the developer the ability to modify the regular expression (regex) and to see the effects against their test string in real-time. Key Features: - Matches can be easily viewed and each match can be seen distinctly - Regex groups and named groups are clearly displayed - Sample source code is shown so even python developers new to regular expressions can quickly add the produced regular expressions to their own projects. - Ability to load and save your test cases - Kodos relies on PyQt for the GUI elements. http://kodos.sourceforge.net

17 years, 8 months

Python XML Marshaller with XSD Typing

by Peter Yared

Python XML Marshaller 0.1 is a new XML Marshaller for Python with some unique features such as transparently accessing XML documents as if they were Python objects (really) and a binding to XSD in order to determine the types of Python objects to create when reading XML (numbers, dates, etc.). The Python XML Marshaller will also create a full XSD for an arbitrary Python object graph so that it can be recomposed with its original types. Python 2.3 license. http://www.yared.com/pybypy. Peter Yared http://www.yared.com

17 years, 8 months

ANNOUNCE: First alpha release of PyGDA now available

by Filip Van Raemdonck

I would like to announce the first release of PyGDA, a python extension module for the GNOME Data Access data abstraction library. PyGDA is released under the GNU Library General Public License. The module is still very much in an early alpha stage, and this release is mainly meant to get feedback from adventureous application developers. The module does not wrap all of libgda yet; none of the reporting features are supported yet and parts of the main functionality haven't been wrapped yet either. However, I have been using it for over a month in a program that is supposed to be taken in production within a few weeks, with no problems. (which could perhaps in part be attributed to the fact that the program only performs SQL SELECT queries on a data provider and does not do any writing; then again, maybe not :) PyGDA needs Python 2.2 or higher, libgda 1.0.2, and PyGTK 2 to build. To run, it doesn't need pygtk but it does need the gobject module from pygtk. PyGDA 0.0.3 is available from http://people.debian.org/~mechanix/pygda-0.0.3.tar.gz and a detached gpg signature from http://people.debian.org/~mechanix/pygda-0.0.3.tar.gz.asc (my key can be retrieved from keyring.debian.org) Regards, Filip -- "Sometimes it pays to stay in bed on Monday, rather than spending the rest of the week debugging Monday's code." -- Dan Salomon

17 years, 8 months

PyCon Reminder: Proposal deadline 1/15 (LAST WARNING)

by Guido van Rossum

This is the *last* reminder that the deadline for sending proposals for presentations at PyCon DC 2004 is January 15, 2004. That's upcoming Thursday! I'm also reminding everybody, speakers and non-speakers, of the upcoming deadline for Early Bird Registration: January 31. Until then, the registration fee is $175 (student rate $125); after that date, the registration price goes up to $250 (student rate $150). Don't forget to register! (Sorry, there's no speakers discount.) If you're coming to the conference, consider coming a few days early and participate in a coding sprint. Sprints are free (courtesy of the PSF!), and are held from Saturday March 20 through Tuesday March 23 (i.e. the four days leading up to the conference). For more info on sprints, see http://pycon.org/dc2004 . Now back to proposal submissions: We are interested in any and all submissions about uses of Python and the development of the language. Since there is expected to be a strong educational community presence for the next PyCon, teaching materials of various kinds are also encouraged. You can submit your proposal at: http://submit.pycon.org/ For more information about proposals, see: http://www.pycon.org/dc2004/cfp/ If you have further questions about the submission web interface or the format of submissions, please write to: pycon-organizers(a)python.org We would like to publish all accepted papers on the web. If your paper is accepted and you prepare an electronic presentation (in PDF, PythonPoint or PowerPoint) we will also happily publish that on the web site once PyCon is over. If you don't want to make a formal presentation, there will be a significant amount of Open Space to allow for informal and spur-of-the-moment presentations for which no formal submission is required. There will also be several Lightning Talk sessions (five minutes or less). About PyCon: PyCon is a community-oriented conference targeting developers (both those using Python and those working on the Python project). It gives you opportunities to learn about significant advances in the Python development community, to participate in a programming sprint with some of the leading minds in the Open Source community, and to meet fellow developers from around the world. The organizers work to make the conference affordable and accessible to all. PyCon DC 2004 will be held March 24-26, 2004 in Washington, D.C. The keynote speaker is Mitch Kapor of the Open Source Applications Foundation (http://www.osafoundation.org/). There will be a four-day development sprint before the conference. We're looking for volunteers to help run PyCon. If you're interested, subscribe to http://mail.python.org/mailman/listinfo/pycon-organizers Don't miss any PyCon announcements! Subscribe to http://mail.python.org/mailman/listinfo/pycon-announce You can discuss PyCon with other interested people by subscribing to http://mail.python.org/mailman/listinfo/pycon-interest The central resource for PyCon DC 2004 is http://www.pycon.org/ Pictures from last year's PyCon: http://www.python.org/cgi-bin/moinmoin/PyConPhotos I'm looking forward to seeing you all in DC in March!!! --Guido van Rossum (home page: http://www.python.org/~guido/) _______________________________________________ Pycon-organizers mailing list Pycon-organizers(a)python.org http://mail.python.org/mailman/listinfo/pycon-organizers

17 years, 8 months

Call for Papers: Middleware 2004

by Cristiana Amza

Call for Papers: Middleware 2004 ACM/IFIP/USENIX International Middleware Conference (society sponsorship pending) Toronto, Ontario, Canada October 18th - 22nd, 2004 http://www.eecg.utoronto.ca/middleware2004/ Overview Requirements for faster development cycles, decreased development efforts, greater software reuse, and better end-to-end control over system resources are motivating the creation and use of middleware systems and middleware-based architectures. Middleware is systems software that resides between the applications and the underlying operating systems, network protocol stacks, and hardware. Its primary role is to functionally bridge the gap between application programs and the lower-level hardware and software infrastructure in order to coordinate how application components are connected and how they interoperate. Furthermore, middleware enables and simplifies the integration of components developed by multiple technology suppliers. In this sense middleware systems are sets of services and abstractions that facilitate the development and deployment of distributed applications in heterogeneous, distributed, computing environments. Next-generation distributed applications and systems will increasingly be developed using middleware. This dependency poses hard challenges, including latency hiding, masking partial failures, information assurance and security, legacy integration, dynamic service partitioning and load balancing, and end-to-end quality of service specification and enforcement. To address these challenges, researchers and practitioners need to discover and validate techniques, patterns, and optimizations for middleware frameworks, multi-level distributed resource management, and adaptive and reflective middleware architectures. Following the success of past conferences in this series, the 5th International Middleware Conference will be the premier event for middleware research and technology in 2004. The scope of the conference is the design, implementation, deployment, and evaluation of distributed system platforms and architectures for future computing and communication environments. Highlights of the conference will include a high quality technical program, tutorials, invited speakers, poster presentations, and workshops. The proceedings of Middleware 2004 will be published as a Springer-Verlag volume in the Lecture Notes in Computer Science Series. For paper formatting instructions see the Springer-Verlag guidelines for authors. All papers should be no more than 20 pages in length. For more detailed submission instructions, please visit the Middleware 2004 web site. Topics of Interest The topics of this conference include, but are not limited to: Distributed real-time and embedded middleware platforms Reliable and fault-tolerant middleware platforms Support for multimedia in middleware platforms Middleware for Grid computing Novel quality of service architectures and evaluation techniques Event-based, publish/subscribe and messaging-oriented middleware platforms Open architectures for reconfigurable middleware Adaptive and reflective middleware Aspect-oriented middleware Generative programming techniques for middleware development Middleware protocols and services for information assurance and security Formal methods and tools for reasoning about middleware systems and services Management and use of component-based systems in distributed environments Applications of middleware technologies, including telematics, command and control, avionics, and e-commerce Novel paradigms, APIs, and languages for distributed systems Integration of middleware with model-integrated computing architectures, such as the OMG's Model Driven Architecture (MDA) Extensions and refinements to RM-ODP, CORBA, J2EE, .NET, etc. Impact of emerging Internet technologies and standards on middleware platforms Integration of middleware platforms with Web services and Java technologies Distributed systems management and interactive configuration and development tools Issues of scalability in existing and new distributed systems platforms Engineering distributed systems in heterogeneous and mobile networks Middleware for ubiquitous and mobile computing Organization General Chair: Steve Vinoski (IONA Technologies, Inc.) Program Chair: Hans-Arno Jacobsen (University of Toronto, Canada) WiP Papers Chair: Jean Bacon (Cambridge University, UK) Tutorials Chair: Stefan Tai (IBM T.J. Watson, USA) Advanced Workshops Chair: Fabio Kon (USP, Brazil) Posters Chair: Eyal de Lara (University of Toronto, Canada) Local Arrangements Chair: Baochun Li (University of Toronto, Canada) Publicity Chair: Cristiana Amza (University of Toronto, Canada) Program Committee Gul Agha (U. of Illinois, Urbana Champaign, USA) Gustavo Alonso (ETH Z�rich, Switzerland) Jean Bacon (Cambridge U., UK) Mark Baker (Canada) Guruduth Banavar (IBM T.J. Watson, USA) Alejandro Buchmann (Darmstadt U. of Technology, Germany) Andrew Campbell (Columbia U., USA) Roy Campbell (U. of Illinois, Urbana Champaign, USA) Harold Carr (Sun, USA) Geoff Coulson (Lancaster U., UK) Prem Devanbu (UC Davis, USA) Jan DeMeer (IHP-Microelectronics, Germany) Naranker Dulay (Imperial College, UK) Markus Endler (PUC-Rio, Brazil) Mike Feeley (U. of British Columbia, Canada) Chris Gill (Washington U., St. Louis, USA) Aniruddha Gokhale (Vanderbilt U., USA) Peter Honeyman (CITI, U. of Michigan, USA) Bettina Kemme (McGill U., Canada) Fabio Kon (U. of S�o Paulo, Brazil) Doug Lea (SUNY Oswego, USA)Joe Loyall (BBN Technologies, USA) Edmundo Madeira (U. of Campinas, Brazil) Keith Moore (HP Laboratories, USA) Hausi Muller (U. of Victoria, Canada) Klara Nahrstedt (U. of Illinois, Urbana Champaign, USA) Dennis Noll (Boeing, USA) Kerry Raymond (DSTC, Australia) Luis Rodrigues (U. of Lisboa, Portugal) Isabelle Rouvellou (IBM T.J. Watson, USA) Michael Stal (Siemens, Germany) Rick Schantz (BBN Technologies, USA) Douglas Schmidt (Vanderbilt U., USA) Jean-Bernard Stefani (INRIA, Grenoble, France) Joe Sventek (University of Glasgow, UK) Janos Sztipanovits (Vanderbilt U., USA) Stefan Tai (IBM T.J. Watson, USA) Peter Triantafillou (U. of Patras, Greece) Nalini Venkatasubramanian (U. of California, Irvine, USA) Werner Vogels (Cornell U., USA) Martina Zitterbart (U. of Karlsruhe, Germany) Submission Deadlines Abstract submission: Tuesday, March 30th, 2004 Research Papers: Tuesday, April 6th, 2004 Work in Progress Papers: Tuesday, April 6th, 2004 Posters: TBA Workshop Proposals: Tuesday, March 30th, 2004 Tutorial Proposals: Tuesday, May 11th, 2004 **All deadlines are 11:59pm PST.** Notification of acceptance (papers): Monday June 14th, 2004 Camera-ready papers due (papers): Monday July 12th, 2004 More Information For further information and submission instructions, please visit http://www.eecg.utoronto.ca/middleware2004/ . We appologize if you receive multiple copies of this message. =================================================================== Cristiana Amza Assistant Professor The Edward Rogers Sr. Department of Electrical and Computer Engineering University of Toronto Middleware Publicity Chair

17 years, 8 months

python-dev Summary for 2003-12-01 through 2003-12-31

by Brett

python-dev Summary for 2003-12-01 through 2003-12-31 ++++++++++++++++++++++++++++++++++++++++++++++++++++ This is a summary of traffic on the `python-dev mailing list`_ from December 1, 2003 through December 31, 2003. It is intended to inform the wider Python community of on-going developments on the list. To comment on anything mentioned here, just post to `comp.lang.python`_ (or email python-list(a)python.org which is a gateway to the newsgroup) with a subject line mentioning what you are discussing. All python-dev members are interested in seeing ideas discussed by the community, so don't hesitate to take a stance on something. And if all of this really interests you then get involved and join `python-dev`_! This is the thirty-first and -second summaries written by Brett Cannon (a friend of a friend actually reads this thing! Hi, Elle). To contact me, please send email to brett at python.org ; I do not have the time to keep up on comp.lang.python and thus do not always catch follow-ups posted there. All summaries are archived at http://www.python.org/dev/summary/ . Please note that this summary is written using reStructuredText_ which can be found at http://docutils.sf.net/rst.html . Any unfamiliar punctuation is probably markup for reST_ (otherwise it is probably regular expression syntax or a typo =); you can safely ignore it, although I suggest learning reST; it's simple and is accepted for `PEP markup`_ and gives some perks for the HTML output. Also, because of the wonders of programs that like to reformat text, I cannot guarantee you will be able to run the text version of this summary through Docutils_ as-is unless it is from the original text file. .. _PEP Markup: http://www.python.org/peps/pep-0012.html The in-development version of the documentation for Python can be found at http://www.python.org/dev/doc/devel/ and should be used when looking up any documentation on something mentioned here. PEPs (Python Enhancement Proposals) are located at http://www.python.org/peps/ . To view files in the Python CVS online, go to http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/python/ . Reported bugs and suggested patches can be found at the SourceForge_ project page. The `Python Software Foundation`_ is the non-profit organization that holds the intellectual property for Python. It also tries to forward the development and use of Python. But the PSF cannot do this without donations. You can make a donation at http://python.org/psf/donations.html . Every penny helps so even a small donation (you can donate through PayPal or by check) helps. .. _python-dev: http://www.python.org/dev/ .. _SourceForge: http://sourceforge.net/tracker/?group_id=5470 .. _python-dev mailing list: http://mail.python.org/mailman/listinfo/python-dev .. _comp.lang.python: http://groups.google.com/groups?q=comp.lang.python .. _Docutils: http://docutils.sf.net/ .. _reST: .. _reStructuredText: http://docutils.sf.net/rst.html .. _Python Software Foundation: http://python.org/psf/ .. contents:: .. _last summary: http://www.python.org/dev/summary/2003-10-16_2003-11-15.html ===================== Summary Announcements ===================== Sorry if this summary comes off as light, but I caught the flu the week of Christmas and it developed into walking pneumonia which I still have. On a more positive note, PyCon is hitting its stride. Online registration is available at http://pycon.org/dc2004 and early bird registration ends January 31. Online talk proposal submission is online at http://submit.pycon.org/ and the deadline is January 15. ========= Summaries ========= ---------------------------- 2.3.3 released to the masses ---------------------------- `Python 2.3.3`_ has gone out the door. Thanks to Anthony Baxter for being release manager (again!) and to all of python-dev and anyone who contributed code for this release. With this being a bugfix release this supercedes 2.3.2 and thus people should upgrade if possible. .. _Python 2.3.3: http://python.org/2.3.3/ Contributing threads: - `2.3.3 cycle <http://mail.python.org/pipermail/python-dev/2003-December/040550.html>`__ - `release23-maint branch CLOSED for release <http://mail.python.org/pipermail/python-dev/2003-December/040852.html>`__ - `Berkeley support in release23-maint <http://mail.python.org/pipermail/python-dev/2003-December/041004.html>`__ - `RELEASED Python 2.3.3 (release candidate 1) <http://mail.python.org/pipermail/python-dev/2003-December/040740.html>`__ - `2.3.3 portability audit <http://mail.python.org/pipermail/python-dev/2003-December/041167.html>`__ - `2.3.3 and beyond <http://mail.python.org/pipermail/python-dev/2003-December/041183.html>`__ - `RELEASED Python 2.3.3 (final) <http://mail.python.org/pipermail/python-dev/2003-December/041286.html>`__ - `status of 2.3 branch for maintenance checkins <http://mail.python.org/pipermail/python-dev/2003-December/041424.html>`__ ---------------------------------- Pie-thon competition work ramps up ---------------------------------- `Dan Sugalski`_, project leader of the Parrot_ VM that will be used for `Perl 6`_, reminded the list that the benchmark to be used for the `Pie-thon`_ needed to be written since the bytecode for the benchmark needed to be frozen. So Guido wrote some benchmarks. They are in CVS under nondist/sandbox/parrotbench . .. _Dan Sugalski: http://www.sidhe.org/~dan/blog/ .. _Parrot: http://www.parrotcode.org/ .. _Perl 6: http://dev.perl.org/perl6/ .. _Pie-thon: http://www.sidhe.org/~dan/blog/archives/000219.html Contributing threads: - `Merry December <http://mail.python.org/pipermail/python-dev/2003-December/040613.html>`__ - `Pie-thon benchmarks <http://mail.python.org/pipermail/python-dev/2003-December/040963.html>`__ - `Pie-thon benchmark code ready <http://mail.python.org/pipermail/python-dev/2003-December/041527.html>`__ -------------- PyCon is a go! -------------- http://www.pycon.org/ has gone live! Registration_ is live (early-bird ends January 31)! Online talk proposal submission is live (deadline is January 15)! .. _Registration: http://www.pycon.org/dc2004 Contributing threads: - `PyCon DC 2004 - Registration about to open! <http://mail.python.org/pipermail/python-dev/2003-December/040553.html>`__ - `PyCon DC 2004 - Submissions Now Open <http://mail.python.org/pipermail/python-dev/2003-December/041012.html>`__ ---------------------------------------- operator gains attrgetter and itemgetter ---------------------------------------- The operator module has now gained two new functions: attrgetter and itemgetter "which are useful for creating fast data extractor functions for map(), list.sort(), itertools.groupby(), and other functions that expect a function argument" according to Misc/NEWS . Contributing threads: - `Re: "groupby" iterator <http://mail.python.org/pipermail/python-dev/2003-December/040590.html>`__ ------------------- CObjects and safety ------------------- Michael Hudson pointed out how CObjects could be misused in Python code. Various ideas of how to make them safer by checking that the proper CObject was passed were proposed. The thread seemed to end without a resolution, though. Contributing threads: - `are CObjects inherently unsafe? <http://mail.python.org/pipermail/python-dev/2003-December/040702.html>`__ ----------------- Unicode is a pain ----------------- Want proof? How about the fact that you can store a character like "√§" either as two characters ("a" followed by "previous character has an umlaut") or as one ("a with an umlaut"). The former is called "decomposed normal form" and is used in OS X. Windows, of course, uses the latter version. Contributing threads: - `test_unicode_file failing on Mac OS X <http://mail.python.org/pipermail/python-dev/2003-December/040778.html>`__ ------------------ Two new developers ------------------ Hye-Shik Chang has become a developer. You probably know him from his work on the CJK codecs. He is now an official developer. Vinay Sajip, implementor of the logging package has also been granted CVS checkin rights. Contributing threads: - `New developer <http://mail.python.org/pipermail/python-dev/2003-December/040808.html>`__ ------------------------ Compiling 2.4 under .NET ------------------------ Martin v. Löwis has started sandbox work on an MSI installer and moving Python 2.4 over to VC 7. Contributing threads: - `Py2.4 pre-alpha snapshot <http://mail.python.org/pipermail/python-dev/2003-December/040784.html>`__ - `First version of Python MSI available <http://mail.python.org/pipermail/python-dev/2003-December/041451.html>`__ - `Switching to VC.NET 2003 <http://mail.python.org/pipermail/python-dev/2003-December/041452.html>`__ ----------------------------- New method flag: METH_COEXIST ----------------------------- Raymond Hettinger, in his continual pursuit of speed, came up with a new method flag, METH_COEXIST, which causes a method to be used in place of a slot wrapper. The example that actually led to this is __contains__: a PyCFunction defining __contains__ tends to be faster than one in the sq_contains slot thanks to METH_O and other tricks. Contributing threads: - `FW: METH_COEXIST <http://mail.python.org/pipermail/python-dev/2003-December/040940.html>`__ ------------------------------ Better relative import support ------------------------------ There was a huge discussion on a better way to handle relative imports (think of the situation where you have your module ``import sys`` and you happen to have a module named sys in the same directory; should that local module be imported or the sys module from the stdlib?). Luckily Aahz volunteered to write a PEP on the whole thread so I am being spared from having to summarize the thing. =) Thanks, Aahz. Contributing threads: - `Re: Christmas Wishlist <http://mail.python.org/pipermail/python-dev/2003-December/040973.html>`__ - `Re: Python-Dev Digest, Vol 5, Issue 57 <http://mail.python.org/pipermail/python-dev/2003-December/041078.html>`__ - `Relative import <http://mail.python.org/pipermail/python-dev/2003-December/041065.html>`__ - `Another Strategy for Relative Import <http://mail.python.org/pipermail/python-dev/2003-December/041418.html>`__ ------------------------------ list.sorted becomes a built-in ------------------------------ Just as the title says, list.sorted has now been moved out of the list type and has been made a built-in. Contributing threads: - `python/dist/src/Python bltinmodule.c,2.304,2.305 <http://mail.python.org/pipermail/python-dev/2003-December/041129.html>`__ -------------------------------- What to do with old Python code? -------------------------------- Someone rewrote the bisect module in C. This brought up the question of what to do with the old Python version. Some suggest moving it to the Demo directory. Others suggest keeping the code but importing the C version in the Python module. The idea of keeping both was quickly shot down, though, like in the pickle/cPickle situation. This discussion is still going at this time. Contributing threads: - `SF patch 864863: Bisect C implementation <http://mail.python.org/pipermail/python-dev/2003-December/041511.html>`__

17 years, 8 months

RELEASED: Shtoom 0.1

by Anthony Baxter

I'm happy to announce the first release of Shtoom. Shtoom is a Python implementation of a voice over IP software phone, using the standard SIP protocol. The first release features: - basic calling functionality (can make and receive calls), - Qt, Gtk, Tkinter and text user interfaces (of varying degrees of functionality), - audio support for Linux/FreeBSD (using ossaudiodev) and Windows/MacOS X (using PortAudio), - audio codecs G711 (64kbit/s) and GSM 06.10 audio (3kbit/s) with an optional extension, - firewall traversal via STUN. It's been tested against Cisco IOS 12.3, Asterisk, kphone and linphone. It's available from the website: http://shtoom.sf.net/ Future plans include: - error handling <wink> - SIP registration support - A number of other applications, including shtam (answering machine) and shtoomcu (conferencing server). Anthony -- Anthony Baxter <anthony(a)interlink.com.au> It's never too late to have a happy childhood.

17 years, 8 months

Zope 2.7.0 beta 4 Release and Security Update

by Brian Lloyd

Zope 2.7.0 beta 4 Release and Security Update Zope 2.7.0 beta 4 contains a number of security related fixes for issues resolved during a comprehensive security audit conducted in Q4 2003. You may download Zope 2.7.0b4 from Zope.org: http://www.zope.org/Products/Zope/2.7.0b4/ **Users of the VerboseSecurity add-on product for Zope please note:** some of the security-related changes in Zope 2.7.0b4 are incompatible with the VerboseSecurity product. Please uninstall the VerboseSecurity product before upgrading to 2.7.0b4 to avoid problems. It is expected that VerboseSecurity will be updated to be compatible with Zope 2.7.0b4 in the near future. Also note that there are binary code changes in the 2.7.0b4 release, making it impossible to issue an external "hotfix" to resolve these issues. CVS users should be sure to update their sites **and rebuild the C Python extensions** to ensure that all fixes are deployed. In the fourth quarter of 2003, a comprehensive evaluation of the changes to Python from version 2.1 to 2.3.3 was undertaken. This evaluation was designed to assess each change to the Python environment in terms of its potential impact on the Zope application server and Zope applications, with the goal of making Python 2.3.3 the required Python platform for Zope beginning with Zope 2.7. The evaluation was focused on assessing changes to Python in the following contexts: - Changes that would have compatibility or other effects on existing or new Zope applications - Changes that could potentially affect the Zope security architecture or change the behavior of the restricted execution environment used by Zope to run untrusted code In the course of the evaluation, very few of the Python changes in 2.3.3 directly affected the Zope security architecture or had impacts on the restricted execution model. However, a number of pre-existing potential issues were discovered and resolved in the course of the comprehensive security audit that was performed as a part of the Python upgrade evaluation: - For loops, list comprehensions, and other iterations in untrusted code Issue Description Iteration over sequences could in some cases fail to check access to an object obtained from the sequence. Subsequent checks (such as for attributes access) of such an object would still be performed, but it should not have been possible to obtain the object in the first place. Who Is Affected? Sites that allow untrusted users to write Python Scripts, Page Templates, and DTML. Resolution This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue. - List and dictionary instance methods in untrusted code Issue Description List and dictionary instance methods such as the get method of dictionary objects were not security aware and could return an object without checking access to that object. Subsequent checks (such as for attributes access) of such an object would still be performed, but it should not have been possible to obtain the object in the first place. Who Is Affected? Sites that allow untrusted users to write Python Scripts, Page Templates, and DTML. Resolution This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue. - Use of import as in untrusted code Issue Description Use of "import as" in Python scripts could potentially rebind names in ways that could be used to avoid appropriate security checks. Who Is Affected? Sites that allow untrusted users to write Python Scripts, Page Templates, and DTML. Resolution This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue. - Use of min, max, enumerate, iter, and sum in untrusted code Issue Description A number of newer built-ins were either unavailable in untrusted code or did not perform adequate security checking. Who Is Affected? Sites that allow untrusted users to write Python Scripts, Page Templates, and DTML. Resolution This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue. - Broken binding validation in untrusted code Issue Description The variables bound to page templates and Python scripts such as "context" and "container" were not checked adequately, allowing a script to potentially access those objects without ensuring the necessary permissions on the part of the executing user. Who Is Affected? Sites that allow untrusted users to write Python Scripts, Page Templates, and DTML. Resolution This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue. - Unpacking in untrusted code Issue Description Unpacking via function calls, variable assignment, exception variables and other contexts did not perform adequate security checks, potentially allowing access to objects that should have been protected. Who Is Affected? Sites that allow untrusted users to write Python Scripts, Page Templates, and DTML. Resolution This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue. - Unicode passed to RESPONSE.write() could shutdown process Issue Description Inadequate type checking could allow unicode values passed to RESPONSE.write() to be passed into deeper layers of asyncore, where an exception would eventually be generated at a level that would cause the Zserver main loop to terminate. Who Is Affected? Sites that allow untrusted users to write Python Scripts, Page Templates, and DTML. Resolution This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue. - PythonScript class security not initialized properly Issue Description Class security was not properly intialized for PythonScripts, potentially allowing access to variables that should be protected. It turned out that most of the security assertions were in fact activated as a side effect of other code, but this fix is still appropriate to ensure that all security declarations are properly applied. Who Is Affected? Sites that use Python Scripts. Resolution This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue. - XML-RPC instance marshaling may disclose protected values Issue Description XML-RPC marshalling of class instances used the instance __dict__ to marshal the object, and could include attributes prefixed with an underscore name. These attributes are considered private in Zope and should generally not be disclosed. Who Is Affected? All Zope sites. Resolution This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue. - DTML tag dtml-tree may allow DoS attack Issue Description The dtml-tree tag used an "eval" of user-supplied data; its efforts to prevent abuse were ineffective. Who Is Affected? All Zope sites. Resolution This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue. - Potential cross-site scripting problem in default ZSearch interface Issue Description Browsers that do not escape html in query strings such as Internet Explorer 5.5 could potentially send a script tag in a query string to the ZSearch interface for cross-site scripting. Who Is Affected? Sites that use the default ZSearch interface. Resolution This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue. - Proxy rights on DTMLMethods transferred via acquisition Issue Description DTMLMethods with proxy rights could incorrectly transfer those rights via acquisition when traversing to a parent object. Who Is Affected? Sites that allow users who have increased permissions in subfolders to write DTMLMethods. Resolution This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue. - Improper security assertions on DTMLDocument objects Issue Description Some improper security assertions on DTMLDocument objects could potentially allow access to members that should be protected. Who Is Affected? Sites that use DTMLDocuments for secure content. Resolution This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue. - PropertyManager 'lines' and 'tokens' properties stored as list Issue Description Some property types were stored in a mutable data type (list) which could potentially allow untrusted code to effect changes on those properties without going through appropriate security checks in particular scenarios. Who Is Affected? Sites that allow untrusted users to write Python Scripts, Page Templates, and DTML. Resolution This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue. - Inadequate security assertions on admin "find" functions Issue Description Inadequate security assertions on administrative "find" methods could potentially be abused. Who Is Affected? All Zope sites. Resolution This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue. - ZTUtils.SimpleTree state handling Issue Description The ZTUtils SimpleTree decompressed tree state data from the request without checking for final size, which could allow for certain types of DoS attacks. Who Is Affected? Sites that rely on the ZTUtils.SimpleTree. Resolution This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. Affected sites are strongly encouraged to update their Zope installations to prevent this issue. - Configuration file did not override security policy selection Issue Description This is not really a security issue, just a usability issue. It has always been possible to alternate between C and Python implemenations of the Zope security policy using certain environment variables. As of Zope 2.7, use of environment variables is deprecated in favor of the new 2.7 configuration files. The new configuration machinery was not implementing the directive used to override the default security policy. Who Is Affected? Zope 2.7 beta users. Resolution This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and higher. For more information on what is new in this release, see the CHANGES.txt and HISTORY.txt files for the release: - http://www.zope.org/Products/Zope/2.7.0b4/CHANGES.txt - http://www.zope.org/Products/Zope/2.7.0b4/HISTORY.txt For more information on the available Zope releases, guidance for selecting the right distribution and installation instructions, please see: http://www.zope.org/Documentation/Misc/InstallingZope.html Brian Lloyd brian(a)zope.com V.P. Engineering 540.361.1716 Zope Corporation http://www.zope.com

17 years, 8 months

ANN: mechanize 0.0.7a released

by jjl＠pobox.com

http://wwwsearch.sourceforge.net/mechanize/ This is an alpha release. Changes since 0.0.2a: * Fixed lots of bugs. * Link instances may now be passed to .click_link() and .follow_link(). * Added a new example program, pypi.py. * ClientCookie 0.4.17 and pullparser 0.0.4b are now required (in fact, they always were, even though they didn't exist ;-). Requires Python 2.2, ClientCookie >= 0.4.17 (note version!), ClientForm 0.1.x and pullparser >= 0.0.4b. Stateful programmatic web browsing, after Andy Lester's Perl module WWW::Mechanize. Example: import re from mechanize import Browser b = Browser() b.open("http://www.example.com/") # follow second link with element text matching regular expression response = b.follow_link(text_regex=re.compile(r"cheese\s*shop"), nr=1) b.select_form(name="order") # Browser passes through unknown attributes (including methods) # to the selected HTMLForm (from ClientForm). b["cheeses"] = ["mozzarella", "caerphilly"] # (the method here is __setitem__) response2 = b.submit() # submit current form response3 = b.back() # back to cheese shop response4 = b.reload() for link in b.forms(): print form # .links() optionally accepts the keyword args of .follow_/.find_link() for link in b.links(url_regex=re.compile("python.org")): print link b.follow_link(link) # takes EITHER Link instance OR keyword args b.back() John

17 years, 8 months

ANN: ClientForm 0.1.15 released (and 0.0.15, some time ago)

by jjl＠pobox.com

http://wwwsearch.sourceforge.net/ClientForm/ Changes from 0.1.10 to 0.1.15: The following bugs were fixed in both 0.1.x and 0.0.x: * TEXTAREA contents are no longer .strip()ped on form parsing. * Fixed bugs where TEXTAREA or OPTION containing entity reference would result in truncated element contents. * A few doc fixes in HTMLForm.__doc__. * Fixed ImageControl.pairs(): return value contained integer coordinates instead of strings. * Empty OPTION no longer causes KeyError. * ClientForm.urlencode() works with Unicode. * Minor code clean-up. The following bugs were fixed only in 0.1.x : * All form attributes are now available in HTMLForm.attrs (previously, name, action, method and enctype were not present). * ignore_errors is now ignored: not working, and a bad idea in the first place. * Take note of BASE element. Requires Python >= 1.5.2. ClientForm is a Python module for handling HTML forms on the client side, useful for parsing HTML forms, filling them in and returning the completed forms to the server. It has developed from a port of Gisle Aas' Perl module HTML::Form, from the libwww-perl library, but the interface is not the same. Simple example: from urllib2 import urlopen from ClientForm import ParseResponse forms = ParseResponse(urlopen("http://www.example.com/form.html")) form = forms[0] print form form["author"] = "Gisle Aas" # form.click returns a urllib2.Request object # (see HTMLForm.click_request_data.__doc__ if you're not using urllib2) response = urlopen(form.click("Thanks")) John

17 years, 8 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

Python-announce-list January 2004