On Mon, Jul 29, 2013 at 2:15 PM, Donald Stufft <don...@stufft.io> wrote:
>
>> On Jul 29, 2013, at 1:18 PM, Paul Moore <p.f.mo...@gmail.com> wrote:
>>
>> But even I am getting a little frustrated by the constant claims that "what
>> we have now is insecure and broken, and must be fixed ASAP". The reality is
>> that everything's more or less OK - there's a risk, certainly, and it could
>> be severe, but many, many people are routinely using PyPI all the time
>> without issues. And telling them that they are wrong to do so, or that they
>> are being extremely naive over security, isn't helping.
> This shows a fundamental misunderstanding of how security issues present
> themselves. Of course things just work for people, because security issues
> are not like regular bugs. They don't negatively affect you until someone
> attempts to use them to attack you. Keep your front door unlocked on your
> house and your valuables will remain inside _until_ someone decides to try
> and rob you. If you wait until people are affected by a security
> vulnerability then the horse has already fled the pasture and you're just
> attempting to close the gate after the fact.
>
> I'm pushing hard on doing what we can to secure the infrastructure because
> this shit matters. Everything is more or less OK, only because no one has
> decided that people installing from PyPI are not a valuable enough target to
> go after. Prior to this push that was basically the only thing preventing
> someone from attacking people, that they had never decided to bother to. We
> are better, it's somewhat harder now, but in many areas that's still the
> only thing keeping people safe.

Well said. Security is a pain, but I'm really glad and appreciate that you and others are paying attention to it.

Jim

--
Jim Fulton
http://www.linkedin.com/in/jimfulton