[Distutils] [zc.buildout] running in safe mode

Jim Fulton jim at zope.com
Fri Oct 3 14:57:21 CEST 2008 

On Oct 2, 2008, at 6:37 PM, Ian Bicking wrote:

> Jim Fulton wrote:
>> On Oct 2, 2008, at 6:15 PM, Ian Bicking wrote:
>>> Jim Fulton wrote:
>>>>> I know it is a bad practice for a recipe to return some paths that
>>>>> contains important data in the install() method,
>>>>> because zc.buildout might remove them.
>>>>>
>>>>> Nevertheless, it happens from time to time that a developer lose  
>>>>> some
>>>>> content because of a misconfiguration,
>>>>> or a zealous recipe. That is his responsability, and backups are  
>>>>> done for that.
>>>> I don't think backups are the right approach.  It's a mistake to  
>>>> have recipes manage precious data.  If you really really really  
>>>> think that's a good idea, then the recipe should at least manage  
>>>> uninstall and move precious data aside, rather than remove it.
>>>> I don't think it is really the user's problem is a recipe  
>>>> misbehaves by allowing precious data to be removed.
>>>
>>> I'll note fassembler uses a file abstraction layer so that its  
>>> recipes are safe by default: https://svn.openplans.org/svn/fassembler/trunk/fassembler/filemaker.py
>>>
>>> I think buildout would be a lot more humane if it took the same  
>>> approach.
>> I'd be interested to know what you mean by this, but I'm not  
>> willing to read that source to find out.
>> Can you be a little more specific?
>
> Instead of using open(), etc, to write files, there's an instance of  
> Maker which holds some of the settings (--interactive, --simulate, a  
> base directory).  Then you do all your file operations like:
>
>  maker.ensure_file('path/to/file.txt', content)
>
> If that file exists with different content then the user gets asked  
> about what to do.  It also logs all the writing, shows diffs, can  
> make backups, etc.  You can force overwriting, but that's a keyword  
> argument that defaults to False, so only if you actually have good  
> reason to overwrite files (without asking) then that's fine, but you  
> will start developing the easy way, which is to be safe about this  
> stuff.

In a system in which most data is managed automatically, asking the  
user before doing anything that might remove or overwrite data is, in  
my experience, counterproductive.  It's like a security system that  
constantly asks for permission do do things, training users to hit an  
"OK" button very quickly.

In a previous version of buildout, it worked the way you and Tarek  
suggest.  It asked users before performing any action that caused a  
part to be uninstalled.  This was extremely annoying.  I finally just  
started piping the output of the yes command into it.

Again, I can live with people adding an option that causes buildout to  
prompt before removing files or directories (or maybe just  
uninstalling parts that would cause it to remove files or  
directories). I know that I wouldn't use the option myself.

Jim

--
Jim Fulton
Zope Corporation

More information about the Distutils-SIG mailing list