velocity-user mailing list archives

From Jonathan Revusky <jrevu...@terra.es>
Subject Re: Sick of pointless arguments on this list WAS: template encodings
Date Tue, 17 Jul 2001 14:52:31 GMT
"Geir Magnusson Jr." wrote:
> 
> Does this mean I can't respond to the last message from Jonathan?  :)

You don't need to, Geir. I've slept on it and I've decided that you guys
are right.

template = Velocity.getTemplate("C:\\mytemplates\\mysillytemplate");

should not work out-of-the-box. People should have to read the
documentation and figure out how to change the configuration. After all,
if people could get it working without reading docs at all, then all the
hard work you put into the documentation would be wasted!

But more importantly, things should not work too easily for people. You
see, though some people may not realize it, the goal of software
development is not really to develop software. That is merely a side
effect. The goal is really to build character. If things work too
easily, then people get lazy. On the other hand, when things are more
difficult and they have to figure out configuration files and things to
get a simple example working, they suffer a little bit, and that's
character-building.

Also, letting people read a template file from an absolute path is a
security hole. I am still not sure why, but you've said it enough times,
and you're really smart guys, so I'm convinced that it must be true. You
may not see much of me for a while. I will probably be on various
discussion lists for libraries with APIs that can take an absolute
filename as an argument. I will be spreading the word that this is a
huge security risk in and of itself and that these libraries should have
the same defaults as Velocity.

> 
> geir
> 
> --
> Geir Magnusson Jr.                           geirm@optonline.net
> System and Software Consulting
> Developing for the web?  See http://jakarta.apache.org/velocity/
> You have a genius for suggesting things I've come a cropper with!

-- 
Jonathan Revusky
--
available for Java/Delphi/Internet consulting
If you want to...
- make your .class files double-clickable with SmartJ
- do Delphi/Java mixed programming with easy-to-use JNI wrapper classes
- build robust web applications with the Niggle Application Framework
then...
check out the Revusky Hacks Page: http://www.revusky.com/hacks/