velocity-user mailing list archives

From "David Kinnvall" <>
Subject Re: template encodings
Date Mon, 16 Jul 2001 19:44:12 GMT
From: "Jonathan Revusky" <>
> David Kinnvall wrote:
> > /etc/passwd is absolute and exists. Or am I missing something?
> Yes, I think you are definitely missing something. That's why there are
> security mechanisms in the OS and in the JVM. Modern computing is built
> on many levels and it is not really the role of template engine code to
> set security policies. Developers of code at that level of the equation
> should concentrate on making their product usable.

It was an example. I agree with the rest you say, however.

> Similarly, if I gave an XML parser an absolute path to a file to parse,
> it should not refuse to parse it in my better interests etcetera. I
> would consider that equally inappropriate.

Indeed. To allow using templates with absolute paths in
any directory you wish _is_ a configuration option, though.

> The use of '.' as a default is clearly broken, since it will basically
> never do anything useful. IMO, the default should probably be reading
> relative to the classloader and then system classpaths. I also think
> that if somebody says getTemplate("/full/path/to/file") it should fish
> out the template. At least in the default, out-of-the-box configuration,
> because you will definitely create scenarios where people bang their
> heads against the wall not understanding what is wrong.

You are of course entitled to your opinion. To make what
you suggest the default in Velocity should be discussed
a bit more however, to find out whether it is indeed the
wish of the majority.

> Your example is silly, contrived really, because a naive template coder
> is not going to code #include "/etc/passwd" in a template anyway. Those
> people develop on Windows or Mac and don't even know that /etc/passwd
> exists.

It was an example, contrived or not, of the fact that
there may very well be files accessible, with no OS
protection, that I do not wish template developers to
have access to, intentionally or not. If you are so
obviously determined to understand otherwise, I give
up this part of the discussion. It serves no purpose.

> > Serious developers definitely read the documentation.
> > To suggest otherwise makes your case substantially weaker.
> This is utter bullshit. "Serious" developers do not *definitely* read
> the documentation. You (and Geir) will be well served to realize this. 


> Serious developers typically start with the "Hello, World" example and
> start hacking around and trying to figure out how to do what they need
> to do from there.

You have a different definition of serious developer than I do.
That is ok, but don't try to enforce your definition upon the
rest of the world, please.

> If you claimed to me that you always fully read the documentation when
> trying to use something, I wouldn't even believe you. I would suspect
> insincerity.

Did I claim that? No. I do claim, however, that I _do_
read enough docs to know what I am supposed to do to get
started, and to get a feel for what the developers intend
with their creation. How silly of me.

> Look, I don't want to argue with you. You suffer from the same disease
> and, judging by what you're saying, you're a far worse gone case.

Why, thank you. How nice of you. And constructive.

> I did overreact to Geir. I was not in a good mood. I had a good night's
> sleep and feel more conciliatory. Look, overall, Geir is basically a
> good guy and he's right to keep trying to improve the documentation. But
> to think that everybody always reads the docs thoroughly is outright
> silly. I don't think such nonsense should be encouraged.

You did indeed overreact.

Not in a good mood? You mean you are in a better
mood now? I would say that your accusation of me
suffering from some disease and being a "worse
gone case" is not a sign of being in a good mood.

Geir is indeed a nice guy, as far as I have seen.

I did not, nor did anyone else, suggest that everybody
should, or does, read the docs _thoroughly_. I did however
suggest that I, and those I defined as serious developers,
read the docs to find out how things are supposed to be
set up for proper usage. Is that too much to ask?


David Kinnvall
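
Added example, not part of the original message and not Velocity's own loader code: a sketch of the design point argued in this thread, where template names are confined to one configured root and absolute paths are accepted only when a configuration switch allows them. The class name, the `allowAbsolute` flag and the `/srv/app/templates` root are hypothetical, and POSIX-style paths are assumed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical loader for illustration; none of these names are Velocity API.
public class ConfinedTemplateLoader {
    private final Path root;
    private final boolean allowAbsolute; // the "configuration option" discussed in the thread

    public ConfinedTemplateLoader(String rootDir, boolean allowAbsolute) {
        this.root = Paths.get(rootDir).toAbsolutePath().normalize();
        this.allowAbsolute = allowAbsolute;
    }

    /** Returns the path that would be read, or throws if the name is not permitted. */
    public Path resolve(String name) {
        Path requested = Paths.get(name);
        if (requested.isAbsolute()) {
            if (!allowAbsolute) {
                throw new SecurityException("absolute template path refused: " + name);
            }
            return requested.normalize();
        }
        // normalize() collapses ".." lexically, so "../../etc/passwd" is caught below.
        // It does not follow symlinks; a symlink inside the root needs toRealPath().
        Path candidate = root.resolve(requested).normalize();
        // Path.startsWith compares whole name elements, not string prefixes.
        if (!candidate.startsWith(root)) {
            throw new SecurityException("template path escapes root: " + name);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one ordinary name and the two ways out of the root.
        String[] names = { "mail/welcome.vm", "/etc/passwd", "../../../etc/passwd" };
        ConfinedTemplateLoader[] loaders = {
            new ConfinedTemplateLoader("/srv/app/templates", false),
            new ConfinedTemplateLoader("/srv/app/templates", true)
        };
        for (ConfinedTemplateLoader loader : loaders) {
            for (String name : names) {
                String mode = loader.allowAbsolute ? "absolute allowed" : "root only";
                try {
                    System.out.println(mode + ": " + name + " -> " + loader.resolve(name));
                } catch (SecurityException e) {
                    System.out.println(mode + ": " + name + " -> " + e.getMessage());
                }
            }
        }
    }
}
```

With the switch off, only the relative name under the root resolves; with it on, `/etc/passwd` resolves as well, which is the trade-off between the two defaults debated above.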
