/srv/irclogs.ubuntu.com/2009/04/22/#launchpad-meeting.txt

=== ursula_ is now known as Ursinha
[15:02] <barry> #startmeeting
[15:02] <MootBot> Meeting started at 09:02. The chair is barry.
[15:02] <MootBot> Commands Available: [TOPIC], [IDEA], [ACTION], [AGREED], [LINK], [VOTE]
[15:02] <barry> hello everyone and welcome to this week's ameu reviewers meeting.  who's here today?
[15:02] <jtv> me
[15:02] <mars> me
[15:02] <barry> jtv: hai!
[15:03] <jtv> barry: learning dutch, I see!
[15:03] <abentley> me
[15:03] <EdwinGrubbs> me
[15:03] <gmb> me
[15:03] <barry> jtv: D'r ken geen koekje meer bij
[15:03] <jtv> :-)
[15:04] <barry> i know we have a bunch of folks at the tl sprint
[15:04] <barry> allenap, danilo_ ping
[15:04] <gary_poster> me
[15:04] <allenap> me
[15:05] <barry> bac, BjornT, cprov ping
[15:05] <cprov> me
[15:05] <mars> salgado, gary_poster, ping
[15:05] <bac> me.  darn, forgot again.
[15:05] <salgado> me
[15:05] <barry> intellectronica: ping
[15:05] <mars> gary_poster, oops, sorry
[15:05] <gary_poster> :-)
[15:05] <barry> noodles: ping
[15:05] <barry> rockstar: ping
[15:05] <noodles> me (sorry)
[15:06] <barry> [TOPIC] agenda
[15:06] <MootBot> New Topic:  agenda
[15:06] <barry>  * Roll call
[15:06] <barry>  * Action items
[15:06] <barry>  * Mentoring update
[15:06] <barry>  * Peanut gallery (anything not on the agenda)
[15:07] <barry> [TOPIC]  * Action items
[15:07] <MootBot> New Topic:   * Action items
[15:07] <barry>  * allenap to look into storm/sqlobject result set compatibility
[15:08] <allenap> I'm going to try and do that today :(
[15:08] <gary_poster> barry: re agenda, didn't we have that conversation from a review...trying to recall...two points...
[15:08] <gary_poster> barry: what is appropriate to import in a view...
[15:08] <barry> gary_poster: yes, it's on the list, sorry didn't move it up
[15:08] <gary_poster> barry: cool
[15:09] <barry> allenap: np, thanks.  we'll leave it on the list
[15:09] <barry>  * flacoste to work on API reviewer cheat sheet
[15:09] <intellectronica> me
[15:09] <barry> he's not here today, but does anybody know anything about it?
[15:09] <gary_poster> I can guess :-)
[15:10] <barry> gary_poster: yeah :)
[15:10] <barry> we'll leave it on the agenda
[15:10] <barry> [TOPIC] mentoring update
[15:10] <MootBot> New Topic:  mentoring update
[15:10] <barry> noodles: how are things going?  any questions/concerns?
[15:10] <noodles> barry: I haven't started yet... not sure who my mentor is?
[15:11] <noodles> Should I find one myself? What's the normal process...?
[15:11] <noodles> (I was away last week)
[15:11] <barry> noodles: ah, dang.  i will work on that and get back to you.  i remember now that henninge is also a mentat
[15:12] <noodles> Great! Thanks :)
[15:12] <bac> and is deryck an official mentat now?
[15:12] <barry> [ACTION] barry to find a mentor for noodles
[15:12] <MootBot> ACTION received:  barry to find a mentor for noodles
[15:12] <barry> bac: not quite.  he's going to do js reviews (mentored) for now
[15:13] <barry> anything else on mentoring?
[15:14] <barry> [TOPIC] peanut gallery
[15:14] <MootBot> New Topic:  peanut gallery
[15:14] <barry> we have something gary_poster wants to bring up. let me paste the discussion notes first
[15:14] <barry> gary writes:
[15:14] <barry>  * What is the goal (are the goals?) of our use of security proxies and the import nazi?  My understanding is that they are "belt and suspenders" to try and keep us from revealing private information.
[15:14] <barry>  * Do we still agree with those goals?
[15:14] <barry>  * Do we feel that our use of security proxies helps us with these goals?
[15:14] <barry>  * Do we feel that our use of the import nazi helps us with these goals?
[15:14] <barry> As we know, security is very hard, and trying to answer these questions well should not be done lightly or too quickly.
[15:14] <barry> I am hopeful that the small, specific question of whether we should import removeSecurityProxies in view code will fall out obviously, if not easily, from our answers to the discussion above.
[15:14] <barry> take it away gary_poster the orchestra leader
[15:14] <gary_poster> :-)
[15:14] <gary_poster> OK so, context
[15:15] <gary_poster> barry and I were talking about what is appropriate in a view
[15:15] <gary_poster> we agreed on this:
[15:15] <gary_poster> "I think view methods should only return immutable Python basics like strings and ints, or security wrapped objects."
[15:15] <gary_poster> We disagreed on this:
[15:15] <gary_poster> Also, ideally view code would not import removeSecurityProxy.  AIUI, This is exactly the kind of import that import nazi is supposed to prohibit: tools that *allow* a view to return unproxied objects.  While arguing for the import nazi to be eliminated might be appropriate at a reviewers meeting, we should not make it more and more ineffective without recognizing what we are doing.
[15:15] <intellectronica> dicts?
[15:16] <barry> intellectronica: dicts, lists, tuples, sets are all basic objects, and okay
[15:16] <gary_poster> intellectronica: dicts are problematic because they can contain things that need to be proxied.  You typically need them to be proxied so that the viral thing works.
[15:16] <intellectronica> ah ok
[15:16] <barry> with gary_poster 's caveat about *what* those containers contain
[15:17] <gary_poster> right.  as a practical matter, disagree with barry's assertion.  as a theoretical matter, yeah, kinda sorta
[15:17] <gary_poster> so maybe we need to dig into that.  but I was just expecting to dig into the import question
[15:18] <jtv> What's going to keep us honest w.r.t. interfaces, if not the security proxies?  Or is the idea that we don't need to be?
[15:18] <barry> gary_poster: so, i've had to deal with this quite a bit lately, with the change in permissions to private membership teams
[15:18] <gary_poster> jtv: security proxies don't necessarily keep us honest irt the interfaces.  You can open up other things in the zcml, and in fact sometimes you need to
[15:18] <barry> there are a lot of places where i've had to unwrap objects to get to their .name attribute.  clearly we can't do that in the model.  istm that the view is the most natural, *best* place to do it
[15:19] <barry> and at least it's clearly obvious!  when you see removeSecurityProxy() that's a big red flag that something special is going on
[15:19] <gary_poster> barry: and yet what you are implying is that this could in fact be a utility function elsewhere
[15:19] <bac> barry: in using the removeSecurityProxy to get at a private team's name you must first be sure that your doing so doesn't in fact leak data
[15:19] <jtv> ...which you ensure in the model, not in the view.
[15:20] <barry> bac: yes agreed. but isn't the view the right place to ensure that?
[15:20] <gary_poster> bac: right.
[15:20] <gary_poster> barry: I'd like to step back to principles
[15:20] <barry> jtv: i think the model is the wrong place in fact
[15:20] <barry> gary_poster: sure
[15:20] <jtv> Well here's a counter-example:
[15:20] <bac> barry: yes.  but i don't want to see a pattern of "oops i can't get to the name, better remove the security proxy" when the proxy is doing its job
[15:21] <jtv> we implement private kumquats.  How do we make sure all the pre-existing views respect kumquat privacy?
[15:21] <gary_poster> barry: as I said in the discussion notes, this is a question in my mind about our use of the import nazi, and our goals for our own protection in the view
[15:21] <gary_poster> views, I should say
[15:21] <gary_poster> so, the import nazi has been around a looong time.
[15:21] <gary_poster> why is it there?
[15:21] <gary_poster> do we still want it?
[15:21] <gary_poster> I don't think we're going to resolve those here
[15:21] <gary_poster> but I think we need to start the process of resolving them
[15:22] <gary_poster> I have guesses as to why they exist
[15:22] <gary_poster> sorry, why the import nazi exists
[15:22] <gary_poster> and I think they are for belt and suspenders of the views
[15:22] <mars> gary_poster, that may be a question for Francis
[15:22] <gary_poster> to try to prevent data leaking out
[15:22] <gmb> That's belt and braces for the brits in here.
[15:22] <mars> gary_poster, or Curtis
[15:23] <barry> gary_poster: that's kind of separate from the rSP-in-views issue.  afaik, importnazi doesn't enforce that
[15:23] <henninge> sorry ... volume turned down ...
[15:23] <gary_poster> barry: disagree.
[15:23] <gary_poster> barry: I think that we have gradually taken the teeth out of the import nazi
[15:23] <barry> gary_poster: just saying, i-n doesn't prevent rSP-in-view.  maybe it should, maybe it shouldn't
[15:24] <gary_poster> it is a tool that is supposed to help us developers and reviewers conform to code standards, supposed to help us...do something
[15:24] <barry> francis has the strongest views about what i-n is for, i believe
[15:24] <barry> gary_poster: yes, do something :)
[15:24] <gary_poster> if I understand its goal correctly (if!) then it is specifically designed to keep things *like* rSP from happening
[15:25] <barry> (btw, it's importfascist, strictly speaking :)
[15:25] <jtv> barry: right, might be Italian instead of German
[15:25] <gary_poster> ah, thank you, that is less potentially offensive.
[15:25] <abentley> gary_poster: That presupposes that rSP-in-view is against policy.
[15:25] <bac> gary_poster: we don't yet have agreement on the policy regarding rSP in views.  if we agree it is forbidden then import socialist can be made to flag it
[15:25] <gary_poster> so, I think we, as reviewers, or as a team, or as francis :-) need to decide why the import nazi is there
[15:26] <gary_poster> abentley: absolutely.  that's the question I'm asking.  let me try to sum:
[15:26] <salgado> the import nazi is there to make sure browser code can't have access to unsecurity-proxied objects
[15:26] <salgado> without explicitly calling rSP
[15:27] <gary_poster> salgado: so rSP is in fact the blessed way around this?
[15:27] <salgado> yes
[15:27] <gary_poster> my concern is that this is not known, written clearly, etc.
[15:27] <gary_poster> salgado: ok cool
[15:27] <barry> aside: it does other things too, like enforce __all__'s
[15:28] <gary_poster> barry: but I think that is still part of the same goal
[15:28] <salgado> gary_poster, yeah, it's very likely this is not written clearly anywhere
[15:28] <barry> gary_poster: right, in that it's intended to enforce certain coding standards
[15:29] <barry> salgado, gary_poster so yes, we definitely need to make it clear in our standards the official way of doing things
[15:29] <gary_poster> barry: so, I move that we add a rationale for our use of import fascist, and our use of security proxies, and what the proper way of "breaking glass" is, to our reviewing guidelines
[15:30] <abentley> gary_poster: That sounds more like general-purpose documentation to me.
[15:30] <gary_poster> the import fascist is just a tool for us to enforce our policies, and I'd rather we understand/follow/lead from the intent of our policies than the letter of our policies
[15:30] <gary_poster> abentley: not sure how we are disagreeing?
[15:31] <abentley> reviewing guidelines are for reviewers, not necessarily for developers.
[15:31] <gary_poster> abentley: oh I see.  yes, agree
[15:31] <barry> gary_poster: agreed.  i'd like to give francis a chance to weigh in too.  gary_poster this sounds like a discussion for the ml.  would you like to start that there?  i will take an action to document any decisions in the wiki
[15:32] <gary_poster> barry: yes, I'll take that.
[15:32] <barry> gary_poster: thanks
[15:32] <barry> [ACTION] gary_poster to take importfascist discussion to the ml
[15:32] <MootBot> ACTION received:  gary_poster to take importfascist discussion to the ml
[15:32] <barry> [ACTION] barry to document all importfascist decisions in the appropriate wiki page
[15:32] <MootBot> ACTION received:  barry to document all importfascist decisions in the appropriate wiki page
[15:32] <gary_poster> are we cool on the security-proxy-around container bit that we skimmed over?
[15:33] <gary_poster> or should we add that to an agenda for a later meeting?
[15:33] <barry> gary_poster: do you mean the entire container (dict, set, list) should be security proxied, or just the items it contains?
[15:34] <adeuring> me -- sorry for being late...
[15:34] <gary_poster> typically you proxy the container for simplicity.  If you *really* want to proxy the items only, you could, I guess, but that's not lazy for the programmer or the computer, typically
[15:34] <barry> gary_poster: wouldn't in most cases the items in the container already be proxied?
[15:34] <barry> gary_poster: talking about how the view sees them, not necessarily what it returns
[15:36] <gary_poster> barry: ahhhh...that's too general for me.  not sure.  when you get a container from a storm result, I would expect the result set to be proxied, so that the items are proxied just by the "viral" story
[15:36] <barry> gary_poster: that would be my expectation too
[15:37] <gary_poster> barry: but...yeah...maybe :-)  as a simple-to-follow rule (for which perhaps there are exceptions) I'd suggest that containers should be proxied
[15:37] <abentley> gary_poster: A result set is an object, though, not one of the items Barry mentioned.
[15:37] <barry> gary_poster: maybe we should rename removeSecurityProxy() to yesReallyLeakPrivateData()
[15:37] <gary_poster> abentley: agreed
[15:37] <gary_poster> barry: :-)
[15:37] * bac must duck out early. sorry.
[15:38] <abentley> gary_poster: How would you define the security policy for a dict?
[15:38] <gary_poster> abentley: I was just trying to come up with a general case I could think of.  I'm not sure what our general cases of returning basic python containers in views really are.  I'm just suggesting that proxying them is a nice simple rule.  security policy for a dict: I think this is predefined.  It's public for the standard dict API.
[15:38] <gary_poster> mapping API I should say
[15:39] <abentley> gary_poster: So for dicts, we would have them wrapped with a security proxy that did nothing?
[15:39] <barry> gary_poster: but that's just to ensure that any objects returned are themselves proxied right?
[15:39] <gary_poster> abentley, barry: right on both counts
[15:40] <gary_poster> as barry said, having a dict with the individual items wrapped would probably be fine, especially for our use cases
[15:40] <barry> i /think/ that's unnecessary in our case, as we're guaranteed to have only wrapped objects in result sets, but it's a good thing to bring up in the ml thread
[15:40] <gary_poster> My primary interest in this is "easy to remember, easy to follow"
[15:41] <gary_poster> maybe you are right that we are automatically protected
[15:41] <gary_poster> in which case that is easy to remember and easy to follow
[15:41] <abentley> gary_poster: I would want to profile before and after making such a change.
[15:41] <barry> gary_poster: ideally, "just happens" and you only have to think about it when you need to violate the rules
[15:42] <barry> and even then, it's made plainly obvious that you've thought about it and deliberately broken the rule
[15:42] <barry> but of course, it will eventually happen that something will leak anyway ;)
[15:42] <gary_poster> abentley: sure.  It's all in C.  It's very fast.  If we get utilities or adapters or other objects and *they* return dicts, then this is already happening.  That's probably sufficient, as barry is saying.
[15:43] <barry> gary_poster: i'm certain francis could immediately confirm or deny
[15:44] <gary_poster> barry: cool.
[15:44] <barry> so, we have about 2 minutes left.  anything more to say on this topic here?
[15:44] <gary_poster> not me.
[15:44] <gary_poster> I'll put it in the ml post
[15:44] <barry> cool, thanks!  this is an important discussion to have.
[15:44] <barry> anybody else have anything for today?
[15:45] <mars> barry, intellectronica and I had a small debate about JS, but it can wait I guess
[15:45] <intellectronica> ?
[15:45] <barry> mars: can we put it on the agenda for next week?
[15:45] <mars> barry, should we use: if (!some_js_var)
[15:45] <mars> barry, we can
[15:45] <intellectronica> ah, whether explicit is better than implicit in JS too
[15:45] <mars> yep
[15:45] <barry> cool, thanks.  we're outta time, so let's break here for today
[15:45] <barry> #endmeeting
[15:45] <MootBot> Meeting finished at 09:45.
[15:45] <abentley> barry: Also, ampersands-in-urls.
[15:46] <barry> thanks everyone!
[15:46] <barry> abentley: agenda for next week, or ml?
[15:46] <noodles> thanks barry
[15:46] <abentley> barry: for next week
[15:46] <barry> thanks.
[15:46] <jtv> barry: dankjewel en tot volgende keer :)
[15:46] <henninge> barry: Sorry for missing out, thanks for calling me!
[15:46] <gary_poster> abentley: if you are curious, this is one of the default checkers in zope/security/checkers.py:
[15:46] <gary_poster>     dict: NamesChecker(['__getitem__', '__len__', '__iter__',
[15:46] <gary_poster>                         'get', 'has_key', 'copy', '__str__', 'keys',
[15:46] <gary_poster>                         'values', 'items', 'iterkeys', 'iteritems',
[15:46] <gary_poster>                         'itervalues', '__contains__'])
[15:47] <barry> jtv: :)
[15:47] <gary_poster> _default_checkers has a bunch of them
[15:48] <gary_poster> so that lets you get, but not set the dict
=== salgado is now known as salgado-lunch
=== salgado-lunch is now known as salgado
=== salgado is now known as salgado-afk