01/25/2008

Professional Plone Development -- a review

Recently I volunteered to set up a website for a small student association at my university. Nothing fancy: corporate design, community-managed content, private member area for managing the association's internal affairs, etc. "Sure thing," I thought, "I'll just use Plone. It's something I know." But it turned out I didn't really. Anymore.

You see, I rarely do content-management projects, and the last time I customized and deployed Plone was when Archetypes was considered the cutting edge. Luckily, I had been given Martin Aspeli's book Professional Plone Development for review, so to kill two birds with one stone, I did what any Plone noob is supposed to: RTFB.

Professional Plone Development starts out with a gentle introduction to the Plone community and software. It goes on explaining how to set up a development environment. This chapter is very well sorted out, especially insofar as it's currently the only printed material that explains the techniques revolving around eggs and zc.buildout.

Over the next couple of chapters, the book then takes you on a typical walk through the Plone customization jungle: though-the-web customization, policy products and GenericSetup profiles, security and workflow, custom themes. These things changed drastically in the last Plone releases, and even though they're now often based on Zope 3 techniques, I had no idea about the specifics of the system. With the help of just this part of the book, I had my 90% of my website up and running. But then again, it's a small and simple site.

The rest of the book dives into the core of Plone and Zope programming. Here's where I have my only few negative points of criticism. Chapter 9 in which Martin explains a couple of core Zope concepts (Object Publishing, Acquisition, Persistence, Component Architecture, etc.) feels a bit disconnected from the rest and frankly overwhelming (not to me, mind you, but I'm imagining for others it might be). Some of these concepts could have easily explained earlier on and some of them only start to make sense when you're actually using them.

Admittedly, it is hard to talk about browser views or automated forms without some Component Architecture theory. Also, the slightly dry Chapter 9 does make a good reference for later. Lastly, the criticism is completely outweighed by another highlight that awaits the reader at the end of the book: a couple of very thorough chapters on deployment.

Looking at this book, I can't help but wonder: how can he cover it all in just onder 400 pages? This is not only a very good book, it's also good value for money.

P.S.: I wrote up this review a while ago already but forgot to post it, so apologies if it comes a bit late now...

Posted by Philipp von Weitershausen @ 01/25/2008 10:28 AM. - Categories: Plone - 0 comments

11/09/2007

From the PEP8 department...

Since a lot of people trip over this, let me repeat an important and useful passage from PEP8, the Python styleguide:

 - Comparisons to singletons like None should always be done with
  'is' or 'is not', never the equality operators.
  Also, beware of writing "if x" when you really mean "if x is not None"
  -- e.g. when testing whether a variable or argument that defaults to
  None was set to some other value.  The other value might have a type
  (such as a container) that could be false in a boolean context!

In particular, you should avoid code like

 ob = retrieveObjectSomehow(..., default=None)
  if ob:
      # you'll never get here if ob is an IContainer and empty

If you know that None is the fallback, then check for it explicitly:

 ob = retrieveObjectSomehow(..., default=None)
  if ob is not None:

I don't know why people frequently trip over this, I blame tutorials that draw a misleading picture of Python's polymorphism.

Posted by Philipp von Weitershausen @ 11/09/2007 03:29 PM. - Categories: Python - 0 comments

11/08/2007

It's not a bug...

... but at least the engine is where God intended it to be: aft.

Yup, that's her, a 1991 VW Transporter double-cab pickup. Not a beauty and not really fast (the 1.7L diesel develops a staggering 57 bhp), but she's in good shape and has loads of space as you can imagine. I'm already looking forward to some skiing trips.

She's also quite economical since she's taxed like a truck and will happily eat vegetable oil. Saw her for sale online when I was visiting the folks at Jarn in Norway and bought her the day I got back home. I mounted the Mexican number plate in reminiscence of my wonderful time in Mexico where I drove a Toyoto Hilux, a vehicle not unlike this one that changed my views on pickup trucks in general and Toyota in particular.

Meanwhile, I'm moving the bug to the workshop soon where it'll receive a complete make-over of the chassis and body.

Posted by Philipp von Weitershausen @ 11/08/2007 12:03 AM. - Categories: Personal - 3 comments

10/08/2007

Can't hardly wait: PloneConf 2007

With all the Zope 3 work I'm getting these days, I can't really contribute much to Plone or do customer work with it anymore. But I still love attending their get-togethers. Doesn't matter whether it's the Snow Sprint high up in the Alps or a conference in Vienna, Seattle or Naples - you always know you're in for endless loads of fun.

This year's conference starts this coming Wednesday. Looking at the agenda, I find an interesting recurring theme (among many others) that we haven't had at a Plone conference before: Looking over the fence and learning from others.

For instance, there's Andy McKay's talk What Plone can learn from Rails on Friday. On Wednesday, we have Lennart Regebro's talk about What Zope did wrong (and what to do instead). And then there's my talk on Thursday called Plone Age, in which I will look at lessons learned from other (Python) web frameworks, as well as recent developments in the Zope 3 scene.

With these and all the other fantastically sounding talks in the agenda, I can't hardly wait to get to Naples!

Posted by Philipp von Weitershausen @ 10/08/2007 10:41 PM. - Categories: Plone - 0 comments

09/25/2007

Little bit of history repeating...

The talk schedule for this year's Plone Conference is out. The amount and variety of talks are stunning. Sadly and funnily at the same time, I'm up against the exact same as last year: Introduction to KSS.

Posted by Philipp von Weitershausen @ 09/25/2007 09:53 AM. - Categories: Plone - 1 comments

09/16/2007

Announcing zopeproject 0.4

zopeproject makes it easy to get started with a web application based on Zope eggs, zc.buildout and WSGI/Paste. If you're not familiar with this world yet, zopeproject is your easy entry to it. If you are, zopeproject will save you lots of typing up the boilerplate.

Why eggs?

Because they are a great way to distribute Python software and declare its dependencies. Zope 3.4 is completely distributed as individual eggs and will from now on be developed as such.

What's zc.buildout?

It's a tool for repeatable deployments that's configuration-file driven. You tell it "install these eggs for me, create this script and let me develop packages in this directory" and it will go ahead and do all that. Over and over again, if necessary, and for everybody who wants the same setup as you (which is great for teams).

What are WSGI and Paste?

WSGI is a Python standard for web applications and web servers. It defines how they communicate so that potentially any WSGI application can run on any WSGI gateway (server). Zope has had support for WSGI for a while now, but it has never really been exposed, even though it offers great possibilities such as middlewares.

Paste is a collection of related to WSGI. One of its tools, PasteDeploy, is of particular interest. It allows you to plug WSGI applications, middlwares and gateways together using a simple configuration file.

zopeproject vs. instances

Apart from all the flashy technology that zopeproject brings us, it also implies a big conceptual change in the way we develop web applications with Zope.

In the world of regular instances, Zope is the server and the application. Your code is just like a plug-in:

 +------------+         +---------+
|    Zope    |  runs   |your code|
|server & app|  ---->  | (plugin)|
+------------+         +---------+

Even though we've been doing it for years ("Products" ring any bells?), I think this is backwards and accounts for much of the irritation people coming to Zope have.

With zopeproject's approach, your code is the application. The web application, to be precise. And it happens to use Zope. As a library:

 +------------+           +-------------+          +---------+
|WSGI gateway|  serves   |  your code  |   uses   |  Zope   |
|  (server)  |  ------>  |(application)|   ---->  |libraries|
+------------+           +-------------+          +---------+

Zope isn't the center of attention anymore, your application is. Even better, you can choose how much of Zope you'd really like to use. You may compare this approach to a GUI application that happens to use some sort of GUI framework to get some widgets on the screen, but otherwise it's just like any other, real application.

So how does it work?

It's pretty easy. All you need to do is install zopeproject first. You don't need to install Zope for this, zopeproject will do that for you later. Note that you will have to have setuptools installed for this to work (it provides the easy_install script):

 $ easy_install zopeproject

Depending on where and how you installed Python, you may have to prefix this command with "sudo" to gain privileges for installing packages globally.

Now you can create a new web application:

 $ zopeproject WebApp

Much like with mkzopeinstance, you'll be asked a couple of questions. The last question concerns the central download location for eggs (which will include the Zope eggs). After the questions, zopeproject will create a 'WebApp' directory with some initial directory structure, as well as download and install the Zope eggs.

To start the application, go to the newly created directory and invoke the server:

 $ cd WebApp
$ bin/paster serve deploy.ini

You may also use the webapp-ctl script which works much like zopectl:

 $ bin/webapp-ctl fg

You will then be able to go to http://localhost:8080 and see the default Zope screen. (The standard boilerplate simply uses the Zope 3 default, after all. It is now up to you to change that.)

More information and feedback

For more information, please refer to zopeproject's homepage on PyPI: http://pypi.python.org/pypi/zopeproject

I'm very much interested in getting your feedback. Please direct questions that are of public interest to the zope3-users@zope.org list. Bugs may be reported in Launchpad: https://launchpad.net/zopeproject.

Posted by Philipp von Weitershausen @ 09/16/2007 05:15 PM. - Categories: Zope 3 - 0 comments

08/30/2007

The Online Search Warrant

And now for something completely different... (in other words, unreleated to Python or Zope)

When it comes to national security in Germany, there's currently one topic dominating the press: online search warrants. Or rather the lack thereof. You see, German politicians and authorities involved in national security have demanded for many months now that online searches of computers on behalf of the police should be allowed without a search warrant issued by a court.

At first sight, it seems to make total sense. Surely there are terrorist who want to erect theocracies all over the world and bomb the rest of us heathens back to the middle ages. To reach that goal they don't seem to shy away from using modern means of communication, combat and sabotage, though. So this is a war of technology and we need to fight back with everything we got now, right? Considering the success the police had investigating the bombing of the London Underground in 2005 and the attempted bombing of trains in Dortmund and Kassel in 2006 was thanks to video surveillance, it seems that betting on technology pays off.

So why not go a step further and put the bad guys under surveilance before they bomb us to pieces? Let's catch them making plans, not executing them. What better tool could online searches be for this? Well, to be honest, I see a whole range of problems with them.

It's unconstitutional

From my point of view, this is by far the strongest argument. "Naturally we have to change the constitution to allow them," the supporters of online searches say. The problem with this is that this touches essential civil rights (Americans will know this as the Bill of Rights) that every Western democracy holds up so high. Once we start giving these up, we might just as well get out of the U.N. and stop telling the world that we're so better at treating people. I can already hear China saying "Told you so, Germany".

Lack of proportionality

Authorities claim that they can only conduct (and afford) 5 to 10 online searches a year. Is it really too much trouble getting a judge to sign a search warrant for such few incidents? Is it worth changing our constitution for this? It's not like the police isn't going to collect some evidence on the guy they're going to put under surveillance in the first place. After all, hacking into another guy's computer takes time and money, you better make sure it's worth it. So you might just as well get a judge involved.

Have they actually thought this through?

The means by which the authorities want to conduct these online searches aren't well known. The press obviously likes to speculate wildly (and usually gets it all wrong due to their lack of understanding the details).

The most obvious choice seems to be to buy a zero-day exploit for whichever operating system the person in question is using. I've heard these sell for a couple hundred thousand dollars. So the whole thing sure is pricey. Then you install a trojan (dubbed "Federal Trojan"). According to the press, this has been done already in an investigation (unconstitutionally, I might add).

The problem with the trojan is that if the police can get in that way, so can anybody else, especially if the system isn't well maintained (security updates, virus scanner, etc.). So in the end, an online search is like catching two cars on a speed camera. You know at least one of them has been speeding but you can't tell which one. That's why I doubt they'll hold up in court.

Politicians realized that too, of course, and backpedaled. Now they wouldn't use a trojan but rather fall back to more conventional methods of gaining access to the computer: breaking into the suspect's house and install the software or hardware (e.g. a keylogger) locally. Well, I sure hope that those terrorist have no laptops, otherwise them cops are goin' be real mad when they find out the terrorists always take that computer with them when they leave the house...

To me, all of this doesn't look like this has been thought through properly. Those who want it seem to think it's a silver bullit. Those who actually know a little bit about this stuff can't seem to see that it would be. I sure hope that parliament will be wise enough not to let this one slide by.

Posted by Philipp von Weitershausen @ 08/30/2007 01:18 AM. - Categories: Miscellania - 0 comments

08/21/2007

zc.buildout: new feature and speed up

Jim Fulton released zc.buildout 1.0.0b30 last night. This release is worth mentioning for two reasons:

buildout can now be told to prefer final versions over alpha/beta/dev releases. In normal mode, buildout will simply try to get the newest version of a package that matches the package requirements (just like easy_install). This means, however, that development releases may be installed instead of stable final releases, which usually is undesired in production environments. To get buidout to prefer final releases, put the following statement in your buildout.cfg:
```
 [buildout]
prefer-final = true 
```
buildout now uses PyPI's simple package index by default. To setuptools (and zc.buildout), this index looks like the regular PyPI, except that it's much speedier (because it doesn't have to render fancy HTML) and it lists all releases of a certain package, even the hidden ones. A while back, Jim had already played with a simple index like that, dubbed ppix, which uses PyPI's XML-RPC API to mirror the information.

I've done a little test and timed updating the grok buildout with buildout -n using the various indexes (standard PyPI, simple PyPI, ppix). Buildout had to go to whichever index I configured and check for newer versions of roughly 100 eggs (times are in minutes and seconds):

standard PyPI	3:09
simple PyPI	2:05
ppix	1:54

So, ppix is only marginally faster than simple PyPI (depending on how "close" you are to either one), but they're both quite a lot faster than the standard PyPI.

Posted by Philipp von Weitershausen @ 08/21/2007 10:51 AM. - Categories: Python - 0 comments

07/30/2007

pdb'ing to eggs installed with zc.buildout

If you use zc.buildout to install eggs, it sometimes happens that you can't pdb into their code.

The reason for this is that the egg is built in a temporary directory and then moved to its destination. During the build, setuptools creates .pyc files which contain an absolute path reference to the original .py file. Since it's done a temp directory, this reference will be outdated.

A quick fix is to simply remove all the .pyc files from the egg and have them rebuilt automatically next time you use the package.

Posted by Philipp von Weitershausen @ 07/30/2007 06:40 PM. - Categories: Python - 1 comments

07/26/2007

Cheap binary Windows eggs

Thanks to Hanno Schlichting's howto, I've figured out how to create Windows eggs of those packages that have C extensions. This approach doesn't need Microsoft Visual Studio, nor does it require you to wade through a bunch of free Microsoft downloads that don't really work in the end anyway.

Here's what I did:

Installed the standard Python 2.4 distribution from the MSI package.
Installed the MingW compiler (into the standard location C:\MingW)
Created C:\Documents and Settings\Philipp\pydistutils.cfg and put the following text in it:
```
 [build]
compiler=mingw32 
```
This tells distutils to always use the MingW compiler whenever it has to compile something from C.
Went to the Control Panel -> System -> Advanced tab and clicked on the Environment Variables button. There I appended the following text to the the Path environment variable, adding the Python interpreter as well as MingW's programs to the search path:
```
 ;C:\Python24;C:\MingW\bin 
```
Then I added another environment variabled called HOME with the following value:
```
 C:\Documents and Settings\Philipp 
```
This points distutils at the pydistutils.cfg file that I created earlier (you can put the pydistutils.cfg file anywhere you want, you just need to make sure that the HOME environment variable points to the directory).
With that in place, I am able to take any tarball (e.g. zope.interface-3.4.0.tgz), unzip it and create a Windows egg from it like so:
```
 python setup.py bdist_egg 
```

What's more, with a setup like this, it is easily possible to install Zope 3 completely from eggs (e.g. using zc.buildout) even if there are no pre-built Windows eggs on the Cheeseshop. More specifically, with this setup, zopeproject (which is really just a convenience tool over zc.buildout) works like a charm on Windows now.

Posted by Philipp von Weitershausen @ 07/26/2007 09:49 PM. - Categories: Python, Zope 3 - 0 comments

[1] 2 Next 10 items »