-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On behalf of Zope developer community I am pleased to announce the
release of Zope 2.10.12 and Zope 2.11.7.

You can download the source version of Zope 2.10.12 from
http://www.zope.org/Products/Zope/2.10.12/

You can download the source version of Zope 2.11.7 from
http://www.zope.org/Products/Zope/2.11.7/

These releases fix a bug which could be exploited to create a
denial-of-service in certain non-default configurations of Zope
(CVE-2010-3198).  All users of earlier 2.10.x and 2.11.x versions of
Zope should upgrade to the corresponding version.

For more information on what is new in this release, see the
changelogs:

- - http://www.zope.org/Products/Zope/2.10.12/CHANGES.txt

- - http://www.zope.org/Products/Zope/2.11.7/CHANGES.txt

Note: Zope 2.10 and 2.11 require Python 2.4.5 or higher (Python 2.4.4 is
still acceptable).  Older Python versions are no longer supported.
Python 2.5 and later are not supported.



Tres.
- --
====================================

On behalf of Zope developer community I am pleased to announce the release of Zope 2.11.7.

On behalf of Zope developer community I am pleased to announce the release of Zope 2.10.12.

SEPTEMBER 1, 2010 — The Plone community has raised the bar in the Content Management System market with today's release of Plone 4, a faster, more user-friendly and more refined version of a product which has set the pace for CMS innovation for nearly a decade.  Plone 4 delivers big improvements in raw speed, scalability and ease of use, and continues to advance its hallmark strengths of unmatched security, superior user interface, ease of installation and a beautiful out-of-the-box experience.

"Plone 4 is based on the most-frequently requested features and improvements from Plone's worldwide user and developer community," says Plone co-founder and Firefox User Experience Lead Alexander Limi. “Our developers and users asked for better performance — Plone 4 is much faster, requires less memory, and performs well even when serving up massive files. They also didn't want us to sacrifice what we do well to get there — and we haven't. Plone 4 is not just more powerful — it continues to improve in areas Plone has always been known for: usability, security, and a CMS that is easy to install, upgrade, and looks great right out of the box.”

Looking back on the nine year evolution of Plone and the community that supports it, Limi is more than pleased. “It's gotten to be a lot bigger than I thought it could be. Sometimes we forget how many people are involved with Plone, and how many people have left behind PHP and Java to create successful businesses based around Plone.”

Geir Bækholt, President of the Plone Foundation, has a similar reaction. "I'm impressed with how professional, mature and focused the Plone community is. It's rare in open source to see so many companies operating to such high standards, treating their customers and employees well and running their businesses in a sustainable manner.  The best thing about Plone is that we have so many mature, stable companies using it who are consummate professionals at what they do."

For all its technical and visual improvements, one of Plone 4's most important roles is to build the under-the-hood foundation even more exciting improvements in Plone 5.  It gives developers and users innovations they can use today, while allowing them to develop products and websites that will be ready to take full advantage of future Plone releases.

The list of notable changes in Plone 4 includes:

• Significant performance improvements
  
• New theme
• Search and indexing improvements
• Group Dashboards for a Customized User Experience
• Massively improved handling of large files & media
• New, faster folder implementation
• More powerful management of users and groups
• Dynamic forms framework based on jQuery Tools
• Improved first-run experience
• Smooth upgrade experience
• Reduced memory footprint
• Upgraded infrastructure
  

You can find out more about these new features than you would ever want to by visiting http://plone.org/4.

Plone 4 is available today at plone.org as a free, open source download, with installers for most major operating systems — including Windows, Mac, Linux and many flavors of UNIX.

About Plone

Plone is among the top 2% of all open source projects worldwide, with 340 core developers and more than 300 solution providers in 57 countries. The project has been actively developed since 2001, is available in more than 40 languages, and has the best security track record of any major content management system.

It is owned by the Plone Foundation, a 501(c)(3) not-for-profit organization.

For more information, visit http://plone.org

Press Contacts

Europe

Geir Bækholt
President, Plone Foundation
Tønsberg, Norway
baekholt@jarn.com

North America

Alexander Limi
Co-founder of Plone
San Francisco, CA (USA)
limi@plone.org

South America

Roberto Allende
Member, Plone Foundation Board of Directors
Cordoba, Argentina
rallende@menttes.com

Requests for interviews, additional images and information:

Mark Corum
Plone Marketing Team Lead
mark@plone.org

Resources

• High-resolution PNG screenshot of Plone 4

Due to many requests we are extending the talk submission deadline for Plone Conference 2010 in Bristol, UK until the 5th September. So don't delay, get you talk submission in by the end of this week. Once the deadline is reached, the talks will be put up for public vote as we only have around 50 speaking slots (which have almost been filled already!).

One of the fantastic things about Plone is the wide ranging community that covers developers, designers, integrators, users, and many more. To this end, we always like to see talk submissions from people who might not yet feel a core part of the Plone community. Plone is used in a wide variety of places, and case studies of how it is used in organisations and how Plone has helped changed your organisation are very valuable.

If you are stuck for ideas on things to talk about, Steve McMahon wrote a great blog post recently on some ideas for talks.

So to submit your talk, head over to the talk submission page and fill in your details. Accepted speakers will be eligible for a reduced conference fee of just £150 (+VAT).

See you all in Bristol!

Two and a half years ago I left my home country Germany to start a new adventure. I made my Plone hobby into a professional career choice and at the same time left to the Norwegian wilderness to work with all the talented people at Jarn.

Much has happened during that time. Our little company started with three employees and will soon have grown to thirteen and a half in multiple locations. We moved into new custom built office premises in 2008 and are now looking into extending those to meet our growing needs.

I had the pleasure of traveling the world, spending four months in Copenhagen and working on interesting and challenging projects during all that time. Plone itself has come a long way too, culminating in the marvelous Plone 4 release yesterday. I had some concern that spending my time on Plone during the workday would make it less interesting to work on it during my free time. But I'm happy this hasn't come true, I'm as interested in contributing to Plone as I was before - even though I shifted my focus more and more to the infrastructure side and am now spending a good deal of my time in Zope 2 and the Zope Toolkit.

But with all those good things, I still didn't feel happy all the way. I had to realize that I was neither made for dark Norwegian winters nor small town life. Coming from a buzzing multi-million city myself, there was something missing.

Luckily Jarn has established an unofficial presence in Berlin, Germany for some time now, so there was an easy way out for me. As of yesterday I moved to Berlin and will continue to work for Jarn from the new location.

Looking back I wouldn't want to miss those years and it's certainly been the right choice for me. Living abroad for a while is a wonderful experience and teaches you many things about yourself, your home country and many more different perspectives onto the world.

And now I'm looking forward to the next years and Plone 5 at the horizon :)

Hanno

P.S. As a Social 2.0 opt-out I have neither Facebook or Twitter accounts. If you are not interested in my personal notes, you don't have to follow posts labelled "personal" on this blog ;)

I was pleasantly surprised this week to are a new release of Zsyncer come out. This is a Zope 2 product I wrote almost ten years ago whilst at ActiveState. It allows you to sync data from one Zope instance to another over XML-RPC.

The product was taken over by Paul Winkler and now Chris Withers. I'm betting that by now very little of the original code remains and it's vastly improved. But I find it very satisfying to see thata code written ten years ago is still being maintained and used. Especially since the original developer and the original client stopped using it long ago.

Another project is the Definitive Guide to Plone which I published under a creative commons license. The second edition of the book was taken on by Redomino and they did an excellent job.

Of course compared to many this is small change, others have bigger projects that get picked up. But since I have moved completely away from these fields I still find it satisfying. There might be something to this open source thing.

This is also my first post typing in a pile if HTML into my Nexus One - won't be doing that again.

I went for one day to the Living Statues Sprint in Arnhem, The Netherlands, hosted by Four Digits. I saw lots of new things:

• plone.app.collections: much more lightweight way to do Collections in Plone, probably included by default in Plone 4.1.
• plone.app.contentlisting: small package that should make it easier to have a listing of either brains or content items, making the standard Plone templates that do these listings much smaller.
• plone.app.standardtiles: package that implements lots of small bits and pieces of content that are already in Plone, but now in a more general way. They partly are like portlets, partly viewlets. These tiles (for example a content listing tile, which I worked on with Ralph) can be added to the layout of dexterity content types. It is a really flexible way of adding small pieces of html to your page. It is experimental for Plone 4; probably this will be how Plone 5 will work, using the Deco grid system.

Nice to have a look at the future of Plone. But first Plone 4.0, which should be out real soon now.

Plone Cono Sur invites you to attend and show your Plone skills at the second edition of the Plone Symposium South America to be held in Cordoba, Argentina. Plone Symposium South America is a regional event created to gather Plone users from Government, Education, NGO and Private Sector. We also strengthen the Plone Community in South America, socially and technically, through training and sprints. Promote Plone locally through the half-day Success Stories session.

Hi All,

Rolling on with more releases :-)

SimpleUserFolder is a scriptable, subclassable, fully documented and
tested user folder implementation.

This release features:

- Repackaged as a python package with Sphinx docs

- Targets Zope 2.12+

- Sphinx-ified docs

For more information, please see:
http://www.simplistix.co.uk/software/zope/simpleuserfolder

cheers,

Chris

Hi All,

I'm relieved(!) to announce the release of ZSyncer 1.0.0.

This is the first release I've made and I hope no-one is upset about the 
work I've done (Paul Winkler, you still around?).

The big changes:

- now a normal python package

- Zope 2.12+ compatible

- docs have been Sphinx-ified

The results are as follows:

New home for ZSyncer:
http://pypi.python.org/pypi/Products.ZSyncer

Subversion source repository:
https://secure.simplistix.co.uk/svn/ZSyncer/

Documentation:
http://packages.python.org/Products.ZSyncer/

Full change log:
http://packages.python.org/Products.ZSyncer/changes.html

I hope this is of use to people other than me, lemme know if you find 
any problems, particularly if you have patches that fix them and incldue 
unit tests ;-)

cheers,

Chris

Some members of the community may not be aware of the Python Job Board, a free list of open positions using Python and related tools. You'll find career opportunities working with Django, Plone, SqlAlchemy, CSS, HTML, Database Administration, and much more. Although the jobs are in a variety of industries, and located all over the world, the common thread that ties them all together is Python.

Are you hiring?

Listing an open position on the job board is free. If you have a Python-related job opening, email jobs@python.org with your information. Be sure to check out the current listings to get a feel for how you should write yours and follow the provided reStructuredText template.

Volunteer Maintainers

The job board is maintained by the Python.org web team, including Martin Thomas who took over as the primary maintainer from Peter Kropf over 4 years ago. According to Martin, new job listings come in at a rate of anywhere between one a week to ten per day!

In the near future, Martin is planning to add a Twitter feed so you can get your job listing fix in real time. We'll have more information about that when the feed is active.

Summary: yep, we (Nelen & Schuurmans) need a new Python/Django programmer! Location: Utrecht, the Netherlands, right in the center of town. The work subject? Geodjango and water management: that's the shortest summary.

Five months ago I wrote about an upcoming job opening. We got, if I remember correctly, nine reactions, eight of which mentioned "yeah, I saw on Reinout's blog/twitter...". The power of twitter and blogs wasn't demonstrated that vividly to my colleages yet :-) The end effect was that when we invited people to come round for a talk, they were introduced internally as "oh, some of Reinout's friends are coming"... That meant I had some explaining to do during lunch :-)

Business is booming and there's yet another big project coming our way. Help! We really need to crank up the output. At the moment we're three people doing the practical day-to-day Django coding with another one coming up in a week. Cooperative, productive, friendly. We could really use another pair of hands (and a brain, of course).

• Django experience? Not needed per se, Django is friendly and modular enough that we can teach you. But on the other hand, we really want to get cracking turning out new websites!
• Bonus points if you're any good in html/css/javascript. If I tell former colleague (and css wizard) Mirella that I'm now the local number one css expert, she'll probably laugh out loud. I'm not bad at all, but a bit of extra knowledge won't hurt. That reminds me: I've got to interrogate our new colleague on his level of css knowledge...
• We want good software. As an illustration, I've set up a Hudson continuous integration server to monitor the tests, code coverage and the pep8/pyflakes score. We really need to get our act together to get our code coverage up to percentages that I dare mention here.
• Packaging, automation, buildout, hudson, deployment: we've got that one right. Lots of automation. Buildout helps a lot. Repeatable. Deployments are boring (as they should be) as they're mostly flawless.
• Windows experience would be helpful as we sometimes need to deploy on windows. In practice all three (and soon four) of us Django programmers are on Ubuntu.

The timeframe? What I heard is a closing date of 23 September. But we might start inviting people over sooner as there really are a couple of projects lining up. So don't wait too long.

The official stuff? The official vacature is on our website. Yep, that's in Dutch. I'm afraid that speaking Dutch is handiest to get settled into the company. We might be open for an experiment, though :-)

You can always mail me if you've got further questions, of course.

Hi All,

After quite a long break, I'm proud to announce a new release of 
MailTemplates.

This new release brings shiny new Sphinx docs, compatibility with Zope 
2.12 and above and a couple of bug fixes.

The docs are here:
http://packages.python.org/Products.MailTemplates/

The full package info is here:
http://www.simplistix.co.uk/software/zope/mailtemplates

This release, and future releases, are installed from PyPI using the 
'Products.MailTemplates' distribution name.

cheers,

Chris

The Plone 4.0 Framework Team and release manager Eric Steele are pleased to announce the first release candidate for Plone 4.0.

Plone 4.0 brings massive performance and scalability improvements, a brand new default theme and a revamped user interface.

Other new features include:

• An improved first-run experience, particularly creating a new Plone site
  
• Streamlined user account creation and extensible member profiles
• Upgraded infrastructure: Plone now runs on Python 2.6 and Zope 2.12 making for easier deployment and a smaller memory footprint
  
• Built-in file-system storage for Image and File content types makes databases with large binaries easier to manage
  
• Pop-up forms for login and many management functions
  
• TinyMCE visual editor improves formatted text editing
  
• Full-text indexing of East Asian languages
• Group dashboards
• The new standard theme utilizes a flexible, grid-based layout that provides a better base for clean, modern theming
  
• Hundreds of bug fixes and tweaks
• A well-tested upgrader that makes upgrading from Plone 3 fast and easy
• Performance increases that nearly double pages per second in typical situations.

How you can help

Release candidates serve as proposed final releases for the project.  While Plone 4.0 has been tested by many members of the Plone developer community, and is already running in production on a number of sites, it needs wider testing to flush out any remaining critical bugs before we can stamp it as a "final release."  And that's where we need you.

Here's what you can do to help:

1. Test our installer packages by downloading and installing Plone 4.0 RC1 from the Plone 4.0 downloads page.
2. Help us test the upgrade scripts by migrating a copy of your site's data.
3. Report any errors to the Plone bug tracker.

From the new-deployments-department: Brainrepublic is a newly launched website based on repoze.bfg and MongoDB. Congratulations to Andreas Jung.

============================================ extract UI-less code from zope.app.generations ============================================

I posted this to the Plone product-developers list a few days ago, but got no reactions yet, so I thought I would give it a wider audience.

Main point of this post is to say: Hey, be aware that even if you think you have everything pinned in your buildout config, you might still be using unpinned eggs. And using unpinned eggs means that your buildout that runs fine today might give problems half a year later.

This is similar to a problem in the plonenext buildout and the plone.recipe.zope2instance 3.8 package discussed on the Plone core developers list this week. (3.9 has been released, solving that problem).

Observe the following small buildout.cfg. It does not do anything useful, except that it showcases a possible problem:

[buildout]
extensions = buildout-versions
parts = zope2 test
versions = versions
# Next line is important!
allow-picked-versions = false

[zope2]
recipe = plone.recipe.zope2install
url = http://www.zope.org/Products/Zope/2.10.11/Zope-2.10.11-final.tgz
fake-zope-eggs = true

[test]
recipe = zc.recipe.testrunner
# Random egg as example
eggs = pep8

[versions]
buildout-versions = 1.2
distribute = 0.6.14
plone.recipe.zope2install = 3.2
zc.buildout = 1.4.3
pep8 = 0.5.0
zc.recipe.egg = 1.2.2
zc.recipe.testrunner = 1.3.0
zope.testrunner = 4.0.0b5

Put that in a directory with a bootstrap.py and start the buildout process:

$ python2.4 bootstrap.py
....
$ bin/buildout
Upgraded:
   zc.buildout version 1.4.3,
   distribute version 0.6.14;
restarting.
Generated script '/Users/mauritsvanrees/tmp/pin/bin/buildout'.
While:
   Installing.
   Getting section test.
   Initializing section test.
   Installing recipe zc.recipe.testrunner.
   Getting distribution for 'zope.interface'.
Error: Picked: zope.interface = 3.6.1

zc.recipe.testrunner depends on zope.testrunner, which depends on zope.interface and zope.exceptions. Since these packages have no version pin in the buildout and we have specified allow-picked-versions = false, buildout quits with an error.

But, those two dependencies are in the Zope2 tarball and will be available as fake eggs. Can't buildout use those fake eggs?

Yes, it can, if we set allow-picked-versions = true (or comment that line out). Rerun buildout and it works:

$ bin/buildout
Installing zope2.
Creating fake eggs
Installing test.
Generated script '/Users/mauritsvanrees/tmp/pin/bin/test'.
Versions had to be automatically picked.
The following part definition lists the versions picked:
[versions]

# Required by:
# zope.testrunner==4.0.0b5
zope.exceptions = 3.6.1

# Required by:
# zope.testrunner==4.0.0b5
zope.interface = 3.6.1

Those last lines are output by buildout-versions (variant of buildout.dumppickedversions). It correctly reports that the two mentioned eggs have been picked.

But... they are not used in the generated bin-script:

$ grep zope.interface bin/*
bin/test:  '/Users/mauritsvanrees/tmp/pin/fake-eggs/zope.interface',
$ grep zope.exceptions bin/*
bin/test:  '/Users/mauritsvanrees/tmp/pin/fake-eggs/zope.exceptions',

Now we could add the suggested versions to the [versions] section, set allow-picked-eggs = false again, and rerun the buildout. Result:

$ grep zope.interface bin/*
bin/test:  '.../zope.interface-3.6.1-py2.4-macosx-10.6-i386.egg',
$ grep zope.exceptions bin/*
bin/test:  '.../zope.exceptions-3.6.1-py2.4.egg',

OR: do not add those versions, but do set allow-picked-versions = false so you have the exact same buildout.cfg as in the beginning and this time bin/buildout 'magically' succeeds. It uses the fake eggs in the script and buildout-versions correctly does not report missing pins.

So: the same buildout.cfg crashes at first, and later succeeds. This is because the second time around the fake eggs are already there and the buildout process makes use of them.

What is the potential problem here? If you want to use the same buildout.cfg on a machine without an intermediate edit, you have some options:

1. Set allow-picked-versions = true. During the initialization phase of buildout you do use the latest zope.interface and zope.exceptions from pypi (which might have a bug, or for example might only work with python2.6) but at least they do not actually get used in any of the generated scripts. So you get the zope.interface and zope.exceptions from the Zope2 tarball, which is good.

2. Keep allow-picked-versions = false. Add the two version pins. Now you know exactly which eggs you use without being surprised by sudden incompatible releases. But in the resulting scripts you are not using the zope.interface and zope.exceptions form the original Zope2 tarball. So subtle things might go wrong. BTW, it might be better to use some older eggs instead.

3. Avoid using any recipes that have dependencies on fake Zope 2 eggs.

Neither of the solutions is ideal I would say. With Plone 4 we use Zope 2.12 which is fully 'eggified', so no fake eggs are needed anymore, so this problem goes away then.

For Plone 3 (or earlier) I think we have to live with this problem and everyone will have to choose one of the partial solutions and be smart enough to be able to handle possible future problems.

Or does someone see a better, real solution?

Reactions are welcome as always via the contact form or via email or in this case via the Plone product-developers list.

Update: Note that the order in which the buildout parts get installed does not matter here. Buildout first gets all the recipes for all the parts, and if one of those recipes depends on zope.interface, it already goes wrong at that point. So that is even before the __init__ method of the recipes is called, let alone the install method.

Update 2: If I first explicitly do 'bin/buildout install zope2' and then 'bin/buildout' then it actually works. I thought I had tried that already. Still not ideal I would say, but it's a good extra option to have. A buildout run with the original buildout.cfg from above could then succeed in two steps:

$ rm -rf develop-eggs/ fake-eggs/ .installed.cfg parts/
$ bin/buildout
While:
  Installing.
  Getting section test.
  Initializing section test.
  Installing recipe zc.recipe.testrunner.
  Getting distribution for 'zope.interface'.
Error: Picked: zope.interface = 3.6.1
$ bin/buildout install zope2
Installing zope2.
Creating fake eggs
$ bin/buildout
Updating zope2.
Updating fake eggs
Installing test.
Generated script '/Users/mauritsvanrees/tmp/pin/bin/test'.

Update 3: With these rather old version pins (from 2007) there are no dependencies on zope.interface and zope.exceptions anymore. It might be fine to use those, or you might miss some newer features and bug fixes:

zc.recipe.testrunner = 1.0.0
zope.testing = 3.5.1 

Thanks to Florian Schulze for some questions and remarks that got me thinking a bit further.

Last Friday (13th August) I conducted a Python training at Rajalakshmi Engineering College, Chennai (REC). I got the invitation few weeks back from Jayakumari, a faculty member of computer applications department. Initially we planned for 2 day workshop with hands on sessions. But later it changed to 1 day training program.

I started my journey from Bangalore on Thursday afternoon in a KSRTC bus. I reached in Poonamallee, Chennai around 9 pm. Two students - Gurubaran & his friend Rajaram was waiting for me. They got me into a bus going to Thandalam where the college is located. The campus looked very nice and it was very calm and quiet. They had arranged my stay in their hostel guest room. It was a very nice stay and the Tamil style dinner was very good. This was the second time I going to Chennai. Previously I came for US Visa interview at US consulate.

The training session started around 9.30 am. There was around 60 participants including some faculty members. The computer applications department head of department (HOD) Prof. T. Srinivasan also attended entire session. He told me afterwards that he will be coming to PyCON India which is going to happen in Bangalore next month. I also invited all the participants to PyCON India. I hope some of them will come to Bangalore for PyCON India. The program ended afternoon at 3 pm. The students asked many questions mainly comparing with C++. "How to do polymorphism ?", "Is there any virtual function?", "Does Python support multiple-inheritance?", "Is there any access specifiers like private,protected etc. ?" When they saw the simplicity of Python they were really surprised. I mentioned where and all Python is being used, different implementation of Python, how to continue studying Python. I tried to make comparison with C++ or Java whenever possible. I got many good feedback during and after the program.

After the training around 3.45 pm I went to Koyembedu to catch my bus. The bus was at 8.15 pm, so I had enough time. Another student, Arun accompanied me to help to get into bus. I told them that I can manage, but their hospitality nature didn't allowed to go alone. I did small shopping for my wife, son & his cousin at Skywalk mall near Koyembedu. It was a mistake that I started at 8.15, I reached in Bangalore very early morning around 3 am. I should have started around 11 pm so that I can reach comfortably in morning 6 or 7.

I was waiting for photos to write this blog, today I got it. I am adding few photos here:

At the German Python and Zope conference in Dresden in September Simon Pamies will be giving a tutorial on BFG (in German) on Tuesday 14th. He will also be giving an introductory talk on BFG at the conference. For more information see the conference website.

From the book writing procrastination dep't

I've recently had to step away from a great project at Lotterywest – it was difficult to continue after having to leave the country. :-) The project goes live in a few months, but (hopefully) we managed to finished most of the development work.

I can't talk too much about the project itself, except to say that when it launches, it will probably be one of the highest-traffic Plone 4 sites in existence. Moreover, it's a site with long lulls followed by huge spikes in traffic, that needs to cater for both logged-in members of the public and anonymous users, with different load profiles.

I do want to talk a bit about the tools and technologies we used, in the hopes that others will find it interesting. This is easily the most sophisticated stack I've ever used in a real-world project. And on the whole, it's worked extremely well so far.

The team

Beyond myself, the team consisted of two very capable developers with experience of Plone 2.5 and through-the-web development, but limited Plone "filesystem" experience, on a full-time basis. In addition, we had the help of a network engineer and a tester, as well as a peripheral team of testers, trainers and others.

A side-goal of the project was to leave behind tools and working practices that could be applied to future development projects. As such, a lot of thought went into how the development environment was set up and how it could be reused.

Development environment

We used an agile development process centered around Scrum. To support this, we used Pivotal Tracker to manage stories and defects. This is my third attempt at using Pivotal in anger, and I'm pretty happy with it. Whilst certainly not perfect, it's simple and user friendly enough to fit into my preferred workflow, and it helps the release planning and story estimation process. That, and the price is right.

For source control, we used an internal Subversion server. This was a step up from CVS. I'm pretty confident that Subversion was the right choice: a DVCS would have been far too complicated and confusion-prone for this project.

We installed Trac on our development server as well. We didn't actually use its issue tracking capabilities (since we kept all features and defects in Pivotal), but made use of its wiki and the Subversion browser. I find a project wiki useful for keeping track of "tips and tricks", build instructions, third party contact details and other transient information. I'm not sure Trac was the only (or even the best) choice here, but it did the job. My biggest gripe with it is probably that the wiki syntax is a bit awkward.

Naturally, our development process insisted on having tests for everything. We used Hudson to run the tests regularly and alert us of any regressions. Continuous Integration is hugely important. If you don't have it in your project, get it now. Hudson is easy to set up and flexible enough for all your CI needs.

The last thing to go on our development server was an Apache instance serving a static directory to which selected users had write access over scp. We used this as the release target for jarn.mkrelease when making internal releases of our own packages: The rule was that no production release could contain Subversion checkouts of packages. Instead, we made internal releases to this directory, which was listed in the find-links option in our buildout.

All of our environments were managed with Buildout, of course. To make the buildouts more re-usable and robust, we kept a number of buildout files in a directory called buildout.d. Each file was responsible for building or configuring one aspect of the system. For example, prod-nginx.cfg would configure nginx for the production server, and dev-beaker.cfg would configure Beaker (which we used for session management via collective.beaker) for the development environment. In addition, buildout.d/templates contained templates for configuration files, which were set up using collective.recipe.template.

At the top level, we had the following files:

• packages.cfg, listing known good sets for packages we used, specifying checkout locations and packages for checkout by mr.developer (an indispensable development package management tool), and defining egg working sets for deployment and testing. The buildout.dumppickedversions extension was used to notify of unpinned dependencies.
• versions.cfg, containing our own known good set for our own released packages, as well as third party dependencies not covered by other known good set. This file was included from packages.cfg.
• One top level file for each environment. The default buildout.cfg was used for the development environment. The other files had names corresponding to servers, e.g. prod-app-master.cfg for the main application server and prod-web-1.cfg for the first of two web servers.

The top level "environment" files were only allowed to include extends lines to bring in the required components, and settings for host names, ports, users, etc. For example:

[buildout]
extends = 
    buildout.d/base.cfg
    buildout.d/prod-base.cfg

    packages.cfg

    buildout.d/prod-lxml.cfg

    buildout.d/postgres.cfg
    buildout.d/postgres-relstorage.cfg

    buildout.d/prod-beaker.cfg
    buildout.d/prod-instance.cfg

# Hostnames to use for various services
[hosts]
public     = www.example.org
master     = server-1
slave      = server-2
postgres   = server-1

# Ports to use for various services
[ports]
instance1  = 8801
instance2  = 8802
instance3  = 8803
instance4  = 8804
postgres   = 5432

# Users to run as
[users]
zope             = nobody
postgres         = nobody

Each file in buildout.d used the the same pattern. Here is an example to build HAProxy:

##############################################################################
# Production HAProxy - load balancer
##############################################################################

[buildout]
parts += haproxy-build haproxy-config

# Configuration
# *************

[hosts]
haproxy = localhost

[ports]
haproxy = 8200

[users]
haproxy = nobody

[downloads]
haproxy = http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.8.tar.gz

[haproxy-build]
target = generic
cpu = generic

# Recipes
# *******

[haproxy-build]
recipe = plone.recipe.haproxy
url = ${downloads:haproxy}


[haproxy-config]
recipe = collective.recipe.template
input = ${buildout:directory}/buildout.d/templates/haproxy.conf.in
output = ${buildout:directory}/etc/haproxy.conf

The settings under [hosts] and [ports] are expected to be overridden in the top-level buildout file.

In the development buildout, we installed a number of tools:

• An "omelette" of all installed eggs for easier debugging, using collective.recipe.omelette.
• A test runner and coverage reporting tool.
• A script to help check for new versions of pinned packages.
• ZopeSkel, for making new packages.
• jarn.mkrelease, for making internal releases easily.

We also installed the following eggs into the main development Zope instance:

• BPython, for a nice interactive shell
• plone.reload - absolutely indispensable
• Products.PDBDebugMode, for instant debugging
• Products.PrintingMailHost, to help debug code that sends mail

Finally, we installed Sphinx, which we used to build documentation from reStructuredText files under source control in the docs directory in the build. This is probably the thing I'm most pleased about. We had a rule that no story could be completed without documentation being added to Sphinx. We then set up Hudson to automatically build and deploy the documentation after a successful build. The result is the best-documented project I've ever worked on. Design decisions, maintenance tasks, critical go-live activities and "how the hell did that work again" type documentation all found its way into the Sphinx documentation. Instead of leaving all the docs to the end, we had a continually expanding body of knowledge, and a process to ensure that it was not neglected during busy times of the project.

Each developer's machine ran Mac OS X with TextMate, Terminal and Firefox as the main "IDE". Firebug was of course installed. We used the Zope bundle for TextMate, which includes "pyflakes-on-save" functionally - a big time saver and code quality improver. We also used David Glick's mr.igor to help remember Python imports.

During deployment, we used FunkLoad for extensive load testing. At one point, we had two 8-way/32Gb machines generating load. To facilitate that, we wrote some scripts since released as BenchMaster. If you have never worked with FunkLoad or done proper load testing of your solutions, you're missing out. It's hugely important, and helped us identify a number of bottlenecks and optimisations that would almost certainly have brought the site to its knees in its first week after launch.

Production deployment

We used a number of technologies in the production deployment. Each deserves a blog post in its own right, but here is a quick run-down:

• We had two identical, redundant servers running nginx and Varnish.
• nginx was used to accept SSL traffic, perform Zope virtual host monster URL rewriting, and force the user into and out of SSL as necessary. We also used nginx to add certain request headers used to optimise caching and load balancing, and to serve a "panic page" - a static HTML file to which HAProxy would redirect if no Zope backends were available.
• Varnish did what Varnish does: Make the site fast. We used the Varnish configuration bundled with plone.app.caching as a starting point, and tweaked it for our fairly unique load profile.
• Behind these servers, we had two application servers: One running HAProxy, Zope, Memcached and PostgreSQL, and one running additional Zope instances.
• HAProxy was configured to distribute load across the back-end Zope instances. It used headers set by nginx to route content authors, other logged-in users and anonymous users to appropriate back end Zope instances. We kept a pool of "shared" instances, with some instances ring-fenced for certain types of traffic. If no instances could be found, HAProxy would redirect the user to a "panic page" served directly by nginx.
• Zope was used to run Plone, obviously. In total, we had 16 Zope instances on each of the two 8-way back-end machines. These were configured to use RelStorage against a Postgres database. Additional relational database access was provided via SQLAlchemy. Session management and shared caching used Beaker (via collective.beaker), which was configured to store its data in Memached, allowing sessions to be non-sticky. Theming was provided by XDV, via collective.xdv (in our tests, we got better performance out of this than deploying the theme to a separate nginx instance). Cache control was provided by plone.app.caching. All custom content types were built using Dexterity. We used collective.tinymcetemplates for content templating, and collective.transmogrifier for migration from the previous site.
• Memcached was used by RelStorage and Beaker.
• Additionally, each build contained a specific Supervisord configuration to start and stop all relevant services with a single command.
• We configured a central Syslog server using rsyslog, collecting logs from all relevant services on all production servers. This was configured to insert log entries into a separate Postgres database. We created views for common log queries (e.g. "all errors in the last 24 hours"), and exposed these via phpPgAdmin, a simple, but effective solution for centralised log analysis.
• The logging server also acted as a Munin server, with each production server acting as nodes.

Overall, this project started to "feel right" pretty soon. The development environment and infrastructure held up very well, and was able to accommodate changes both in the requirements and our understanding of the problem domain. Some highlights for me were:

• We managed to build documentation with the code, by incorporating Sphinx into our workflow.
• We avoided deploying code from Subversion by using internal releases. jarn.mkrelease was a big help here.
• Varnish is just such an awesome piece of software.
• And nginx is not much worse. :-)
• HAProxy could handle everything we threw at it, and then some. I will definitely use it again. For very simple scenarios, the built-in nginx or Varnish load balancers may suffice, but for complex setups like this, HAProxy is awesome.
• FunkLoad was a revelation. Not only did we find bottlenecks we wouldn't have found otherwise: thinking through the load test scenarios and the load test results helped us understand how our site would need to be built to perform acceptably under load.
• Plone 4 is a fantastic release. We started around beta 2, and it's been virtually flawless since, save for a few minor hiccups.
• XDV is clearly the future of theming - perhaps not just Plone theming, but theming in general. We ended up espousing several improvements that Laurence kindly put in for us. With the 0.4 release, I think it's reaching maturity. It quickly became an integral part of our workflow, and a favourite of one of our team members who's got considerable experience theming Plone and other CMS's.
• Having taught people Archetypes development in the past, I have no doubt that I prefer teaching Dexterity (and Grok-like views). It's quicker to learn, more intuitive and more consistent with "modern" Zope and Plone.

For me personally, this project was a very positive experience. If nothing else, it has taught me a lot of things I intend to put in the book I should be writing an update for right now...

To get it out of the way, this is not about virtualenv or z3c.form. I have nothing but praise for virtualenv, I just use it very rarely. I have much to criticize about z3c.form, but that's another topic and may be a problem endemic to all forms libraries. I'd like to keep this and any ensuing discussion to the more abstract issue of incidental familiarity and how it affects our perspectives on the value of a given tool.

I use Ubuntu Linux for my development platform (and everything else). As such, I've had the luxury of a pretty good OS installed python development environment. I really don't know much about virtualenv. I do know its one of those tools that many people swear by with a bit of zeal. Some won't assist with a problem unless you first setup a virtualenv to eliminate variables. The thing is, it's never actually solved a problem of mine that I can think of by eliminating a variable. I have on a very few occasions found it useful to smash my way out of a horrible environment when I'm not under one of my trusty Ubuntu environments, but even then just to get up and running. So for me, it's a tool I don't know well that I will use only when I need to to meet someone else's requirements or to solve a problem quickly when finding the root cause isn't worth my time.

Plone 3, unfortunately (go Plone 4, GO!), still requires Python 2.4 and Ubuntu has, quite appropriately, recently dropped 2.4. While struggling to keep my Plone 3 buildouts running and with some RHEL deployments, I found myself reaching for virtualenv. The problems were a mess of path issues (PATH, PYTHONPATH, LD_LIBRARY_PATH, etc.). I don't know much about these issues and I don't want to. I prefer to delegate to my trusty OS and to buildout. In the end, though virtualenv helped somewhat, I still had to come to understand far more about that path issues than I feel I should.

It occurred to me, however, that if I'd been working on something other than Ubuntu all these years, I would have run into many more path and similar problems and I probably would have fallen in love with virtualenv. It also occurred to me, that in the process of learning to use virtualenv to help resolve these issues, I would probably have learned a lot more about all the path issues and would probably be fairly competent at comprehending such issues. I would probably also not be aware that I had gained such further familiarity and might attribute my new-found greater ease with my Python environments disproportionately to virtualenv.

This reminded me of my experience with zope.formlib and z3c.form. A while back I'd built a number of forms with zope.formlib/zope.app.form. I found it initially much more productive than Archetypes, mostly due to much more appropriate decoupling, but as time went on it seemed likely I would have to put at least as much time into understanding things I don't want to as I have had to do with Archetypes. Given I already have the requisite familiarity with Archetypes and can be quite productive in it, I limited my investment in zope.formlib. When z3c.form came around, I was very excited at the prospect that I might get much of the benefit of zope.fomrlib forms without having to know as many things I don't want to know. I'm now considerably more invested in z3c.form than I ever was in zope.formlib and I can safely say I need to know just about as much I don't feel I should have to as I did with zope.formlib.

I have noted that the advocates of z3c.form often seem to find the appropriate approach to a given problem to be very clear to them and take a lot of pride in being able to point to the right place in the docs. For my experience, however, I find that even after reading the right place in the docs and reviewing several other docs, I still have to do way too much UTSL to solve my problem. I also have the strong sense that after putting this much time into learning z3c.form, the obviousness of "The Right Way" will only come to me once I've had to learn nearly as much I shouldn't have to as I've had to do with Archetypes. I take from this that it may be another case of somewhat erroneously attributing the value of comprehension, understanding, and experience to the tool whose use lead to this familiarity largely incidentally.

(To be very clear, I don't want to discuss z3c.form here. I think investing in some successor to AT is very necessary at this point and we may not be able to afford waiting for something else. The documentation is also absolutely worth being proud of. I think most of the value of z3c.form will be in putting our collective weight behind something. I use z3c.form and will continue to do so.)

Now for the disturbing part, I know I've done this very thing many times but I can't yet list them. It's much easier to come to see a pattern like this when looking critically at or feeling frustrated with tools I'm just using but not heavily invested in than it is to do so with tools I'm building. I hope to temper my strategic decisions for adopting and suggesting tools with this critical awareness. I also hope to temper my own perspective of the value of tools I'm developing or becoming deeply invested in. I also hope our development community can learn to better ask whether the perceived value of a given tool is being unduly influenced by the incidental familiarity we've developed in building or using that tool.

Check that your content implements plone.portlets.interfaces.ILocalPortletAssignable

In the sixth and final screencast in the Groundhog series, we allow our microframework's users to subscribe to and receive events, which are objects broadcast by BFG at various well-known points during its processing cycle. We also allow our users to define and send their own custom event types. Once we've built up some event machinery, we use it to implement "importable locals" (aka "stacked object proxies" or "context locals").

This how-to describes the basics of connecting to and mapping relational data to python classes via the Object Relational Mapper(ORM) SQLAlchemy using megrok.rdb. It will discuss the process of mapping existing views and tables as well as dynamic creation of new tables.nisse

Dozer is mostly known for its memory profiling capabilities, but the as-yet unreleased version has more. I've talked about log capturing, now it's time for

Profiling

This WSGI middleware profiles every request with the cProfile module. To see the profiles, visit a hidden URL /_profiler/showall:

What you see here is heavily tweaked in my fork of Dozer; upstream version had no Cost column and didn't vary the background of Time by age (that last bit helps me see clumps of requests).

Here's what an individual profile looks like:

The call tree nodes can be expanded and collapsed by clicking on the function name. There's a hardcoded limit of 20 nesting levels (upstream had a limit of 15), sadly that appears not to be enough for practical purposes, especially if you start profiling Zope 3 applications...

You can also take a look at the WSGI environment:

Sadly, nothing about the response is captured by Dozer. I'd've liked to show the Content-Type and perhaps Content-Length in the profile list.

The incantation in development.ini is

[filter-app:profile]
use = egg:Dozer#profile
profile_path = /tmp/profiles
next = main

Create an empty directory /tmp/profiles and make sure other users cannot write to it. Dozer stores captured profiles as Python pickles, which are insecure and allow arbitrary command execution.

To enable the profiler, run paster like this:

$ paster serve development.ini -n profile

Bonus feature: call graphs

Dozer also writes a call graph in Graphviz "dot" format in the profile directory. Here's the graph corresponding to the profile you saw earlier, as displayed by the excellent XDot:

See the fork where the "hot" red path splits into two?

On the left we have Routes deciding to spend 120 ms (70% total time) recompiling its route maps. On the right we have the actual request dispatch. The actual controller action is called a bit further down:

Here it is, highlighted. 42 ms (24% total time), almost all of which is spent in SQLAlchemy, loading the model object (a 2515 byte image stored as a blob) from SQLite.

A mystery: pickle errors

When I first tried to play with the Dozer profiler, I was attacked by innumerable exceptions. Some of those were due to a lack of configuration (profile_path) or invalid configuration (directory not existing), or now knowing the right URL (going to /_profiler raised TypeError). I tried to make Dozer's profiler more forgiving or at least produce clearer error messages in my fork, e.g. going to /_profiler now displays the profile list.

However some errors were very mysterious: some pickles, written by Dozer itself, could not be unpickled. I added a try/except that put those at the end of the list, so you can see and delete them.

Does anybody have any clues as to why profile.py might be writing out broken pickles?

5 august 2010 ??? After a sneak preview at Europython, Infrae is pleased to announce the beta1 release of Silva 2.3. This release adds a slew of new features for users, developers, and system administrators. The most important point is that it uses Python 2.6 and Zope 2.12 (it won???t work with Python 2.4 or any previous version of Zope).