On March 18, 2010, Guilherme Salgado wrote:
> On Thu, 2010-03-18 at 19:48 +0000, Francis J. Lacoste wrote:
> > Review: Needs Information
> > * Don't we need to add meliae to the buildout?
>
> We could, but since we already have it packaged in Lucid (I just
> backported the package to Karmic and Hardy) and the release tarball is
> not eggified, I thought I'd go with the easiest option. After all, if
> we need a newer version we can easily switch to using an egg
Well, it does slow down the deployment of this, since the SA will have to
review/rebuild the package for Hardy (they don't deploy from our PPA) and
install it on edge/staging before you can land this.
By not eggified, you mean it doesn't have a setup.py?
> .
>
> > * Can we use a configurable file instead of a hardcoded one?
>
> I considered that, but I couldn't come up with any use cases that would
> require changing the file path. I also try to use config values only
> for things that change between environments -- which doesn't seem to be
> the case here.
Well, a hardcoded path under /tmp is vulnerable to symlink attacks
(overwriting of arbitrary files owned by the user).
--
Francis J. Lacoste
<email address hidden>
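
The symlink concern raised above, as an added example that is not part of the original message or of the code under review: a plain open() on a fixed name follows a link already present at that path, while exclusive creation or mkstemp does not. The file names and function names are hypothetical, and a private scratch directory stands in for /tmp.

```python
import os
import tempfile

def naive_dump(path, data):
    # Pattern under discussion: open() follows a symlink already sitting at path.
    with open(path, "w") as f:
        f.write(data)

def exclusive_dump(path, data):
    # O_CREAT|O_EXCL refuses any existing entry, symlinks included; 0o600 is private.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def unpredictable_dump(data, directory=None):
    # Alternative: let mkstemp pick the name and create it atomically (0600).
    fd, path = tempfile.mkstemp(prefix="memory-", suffix=".dump", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def read(path):
    with open(path) as f:
        return f.read()

def demo():
    # Constructed scenario; a private scratch directory stands in for /tmp.
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.cfg")    # file the user owns
        fixed = os.path.join(tmp, "memory.dump")    # hypothetical fixed name
        naive_dump(victim, "original")
        os.symlink(victim, fixed)                   # link present before the dump
        try:
            exclusive_dump(fixed, "dump-data")
            out["refused"] = False
        except OSError:
            out["refused"] = True
        out["after_exclusive"] = read(victim)
        naive_dump(fixed, "dump-data")
        out["after_naive"] = read(victim)
        path = unpredictable_dump("dump-data", directory=tmp)
        out["mode"] = oct(os.stat(path).st_mode & 0o777)
        out["is_link"] = os.path.islink(path)
    return out

if __name__ == "__main__":
    print(demo())
```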