On 1/13/26 18:24, Roman Lebedev wrote:
+1, this is a critical security bug.
I won't argue any more here, there's no point. If you feel the default (and this really is the default, which is trivial to toggle if you know your environment) should be changed, please ask the security team or a technical committee. My only argument is that the package should not be broken in a typical user environment. With your proposed default, the package becomes out of the box and needs tweaking to work. In my view this is unacceptable, be it a critical security hole or not critical. The defaults can't suit everyone, hence there's a trivial way to flip the default.

Thanks,

/mjt

