velocity-user mailing list archives

From "Paulo Gaspar" <paulo.gas...@krankikom.de>
Subject RE: template encodings
Date Tue, 17 Jul 2001 16:49:48 GMT
Dear Jonathan,


Is JOE NEWBIE supposed to, at least, know some Java?


You got your idea through, but most people posting on this thread
just do NOT agree with your idea that programmers are not supposed
to read the documentation.

We also do not agree with the idea that a potentially dangerous
option should be ON by default.


You see, it is nothing personal: we just do NOT agree with the
ideas you exposed.


Now, I could not care less about your background or the weather
there. I just care if the ideas you expose make sense or not.

BTW, these are a few things that do not help when you want to
put your ideas through:
 - Writing complete sentences in uppercase;
 - Being impolite;
 - Assuming too much about how another poster is or about what
   he pretends;
 - Not attacking someone that respected in the list for his
   civility and very hard work.


And in my (repeated) experience, Geir DOES try to understand
what anyone has to say even when initially it does not sound so
interesting to him and he often ends up implementing those
ideas.


> In all likelihood, I will unsubscribe from this list shortly!

Very personal opinion: be my guest, the value you added to this
list up to now does not seem to balance the damage.


Have fun,
Paulo Gaspar


> -----Original Message-----
> From: revusky@jr.revusky.com [mailto:revusky@jr.revusky.com]On Behalf Of
> Jonathan Revusky
>
>
> "Geir Magnusson Jr." wrote:
>
> I AM SICK AND TIRED OF THIS! ALL I AM SAYING IS SOMETHING REALLY REALLY
> SIMPLE!!!!
>
> JOE NEWBIE WILL ALMOST INEVITABLY AT SOME POINT WHEN MUCKING WITH
> VELOCITY FOR THE FIRST TIME, WRITE CODE LIKE THIS:
>
> mytemplate = Velocity.getTemplate("C:\\mypath\\myLittleTemplate");
>
> JOE NEWBIE WILL BE CONFUSED WHEN THIS DOESN'T WORK!
>
> IT WOULD BE BETTER IF THIS DID WORK IN THE DEFAULT OUT-OF-THE-BOX
> CONFIGURATION!
>
> The security issues don't matter if somebody is just trying to get
> Hello, World to work.
> IMHO, the out-of-the-box configuration should be extremely oriented
> towards getting things to work for Joe Newbie.
>
>
> >
> > Jonathan Revusky wrote:
> > >
> > > "Geir Magnusson Jr." wrote:
> > > >
> > > > Jonathan Revusky wrote:
> > > > >
> > > > >
> > > > > > I don't care that much really. I do agree that the use of absolute paths
> > > > > > should be discouraged. I'm not sure that I can take the security hole
> > > > > > argument that seriously, because I think it's pretty tenuous. As long as
> > > > > > you don't put the raw templates somewhere that's visible to the outside
> > > > > > world, I don't for the life of me see the issue. It's just that the
> > > > > > approved pattern is surely to specify resources relative to the insides
> > > > > > of a .war file. So these things should be loaded relative to the
> > > > > > classloader classpath.
> > > >
> > > > I was really trying to stay out of this hoping you would run out of
> > > > steam on this, but I can't resist here.
> > > >
> > > > The core Velocity resource loaders have *no* notion of the concept of
> > > > running in a servlet engine, let alone a WAR file. Velocity is general
> > > > purpose, not made for the web.  Therefore, the configuration assumptions
> > > > MUST be general.  This is why I say that while '.' isn't perfect, "/"
> > > > isn't either, because someone somewhere will not like the choice made.
> > >
> > > Well, you do seem argumentative, Geir. You certainly *can* make loading
> > > from the classpath the default behavior whether you have a servlet or
> > > not. (Meanwhile, in practice, 99% of your user base is using Velocity
> > > for servlets probably...) But for better or for worse, stand-alone java
> > > apps also have a classpath. I mean, it's like there's this argumentative
> > > compulsion to imply that I'm just not getting it somehow...
> >
> > I admit I had lustful zeal for argument in my younger days, mostly on
> > alt.fan.bill-gates, but no more.
>
> Gee, now, I'm curious, when you mention your younger days. Well,
> personally, I'm 36. I mean, how old are you? I'm guessing
> mid-twenties... I don't get a sense of great perspective and maturity...
> I sense good will, that you're not a bad guy and all, but I sense a
> large amount of immaturity...
>
> >
> > At this point, you are starting to change what I am apparently being
> > argumentative about.
> >
> > You are right. You *can* make loading from the classpath the default
> > behavior, however files are the most common way people do it 'out of the
> > box' and don't want/need to diddle with the classpath.
> >
> > Read what you wrote above.  You blew off David's argument by making a
> > statement entirely in conflict with your fundamental assertion driving
> > this thread.   I followed up noting that Velocity isn't web specific -
> > and I should have added that there is no 'approved pattern' in general.
> > Yes, there is an approved pattern for the web, and yes that's the
> > majority of users, but it is still general purpose.
> >
> > Your fundamental assertion, as I understand it, is that any template
> > request specified from the root of the filesystem should be honored by
> > default.
>
> My fundamental assertion is restated all in caps at the very top of this
> message.
>
> <SIGH>
>
> >
> > However, you then said
> >
> > "As long as you don't put the raw templates somewhere that's visible to
> > the outside world, I don't for the life of me see the issue."
> >
> > If any file on the file system is accessible, then raw templates,
> > password files, mail lists, credit card numbers, database files, are all
> > possibly visible to the outside world.
>
> Only if somebody writes explicitly in the code:
>
> Velocity.getTemplate("/the/path/to/theFileWithCreditCardInfo");
>
> AND if the file is readable by your servlet server process, which means
> that somebody did a brain fart!
>
> In any case, I am not talking about deployment on a server with
> sensitive info. One should be careful about what the various policies
> are when you finally deploy in a production environment.
>
> I am talking about JOE NEWBIE GETTING HELLO, WORLD WORKING!!!
>
> >
> > You then followed it with
> >
> > "It's just that the approved pattern is surely to specify resources
> > relative to the insides of a .war file."
> >
> > in which case your fundamental assertion is again in conflict, because
> > that's not the root of the filesystem either.
> >
> > Further, to load from the root of war, you either need to configure the
> > FileResourceLoader correctly (which servlet_example2 does), or use a
> > loader like the ClasspathResourceLoader within which the 'root of the
> > filesystem' is a meaningless concept.
> >
> > > (You don't know me, I know, but I really am a very strong java
> > > developer, you know... I do understand this stuff! :-))
> >
> > I have never once publicly questioned your competence.  That isn't
> > really germane to the discussion.
>
> Look, I have said that you're not a bad guy, and I have said that I
> overreacted yesterday. I'm sorry about that. But OTOH, I probably will
> never ever try to *tell* you anything in the future. I will probably
> never make a comment of any sort about any of your work ever again. It's
> too much bother! In all likelihood, I will unsubscribe from this list
> shortly!
>
> >
> > geir
> >
> > --
> > Geir Magnusson Jr.                           geirm@optonline.net
> > System and Software Consulting
> > Developing for the web?  See http://jakarta.apache.org/velocity/
> > You have a genius for suggesting things I've come a cropper with!
>
>
> Jonathan Revusky
> --
> available for Java/Delphi/Internet consulting
> If you want to...
> - make your .class files double-clickable with SmartJ
> - do Delphi/Java mixed programming with easy-to-use JNI wrapper classes
> - build robust web applications with the Niggle Application Framework
> then...
> check out the Revusky Hacks Page: http://www.revusky.com/hacks/
>
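
The default Geir argues for in the quoted thread, a file loader confined to a configured template root instead of honoring any path from the filesystem root, sketched as an added example. It is not code from this thread or from Velocity; `ConfinedTemplateResolver` and its methods are hypothetical names, and the template directory is constructed sample data.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration, not Velocity code: class and method names are hypothetical.
public class ConfinedTemplateResolver {
    private final Path root;

    public ConfinedTemplateResolver(Path root) throws IOException {
        // Canonicalise once so the containment checks compare like with like.
        this.root = root.toRealPath();
    }

    // Maps a template name to a file under the root, or refuses it.
    public Path resolve(String name) throws IOException {
        Path requested = Paths.get(name);
        if (requested.isAbsolute()) {
            throw new SecurityException("absolute template path refused: " + name);
        }
        // normalize() collapses "..", so an escape shows up as a different prefix.
        Path candidate = root.resolve(requested).normalize();
        if (!candidate.startsWith(root)) {
            throw new SecurityException("template path escapes root: " + name);
        }
        // Follow symlinks and check again; throws if the file does not exist.
        Path real = candidate.toRealPath();
        if (!real.startsWith(root)) {
            throw new SecurityException("template link escapes root: " + name);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a temporary template directory with one file.
        Path dir = Files.createTempDirectory("templates");
        Files.write(dir.resolve("hello.vm"), "Hello, $name".getBytes(StandardCharsets.UTF_8));
        ConfinedTemplateResolver resolver = new ConfinedTemplateResolver(dir);
        System.out.println("served:  " + resolver.resolve("hello.vm"));
        String[] refused = { dir.resolve("hello.vm").toString(), "../outside.txt" };
        for (String name : refused) {
            try {
                System.out.println("UNEXPECTED: " + resolver.resolve(name));
            } catch (SecurityException e) {
                System.out.println("refused: " + e.getMessage());
            }
        }
    }
}
```

The relative name is served, while the same file requested by its absolute path and a `..` traversal are both refused, so a template name that comes from outside the code cannot reach files beyond the configured directory.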

