On Jul 29, 2013, at 10:41 PM, Antoine Pitrou <solip...@pitrou.net> wrote:

> Paul Moore <p.f.moore <at> gmail.com> writes:
>> 
>> Personally, none of the changes have detrimentally affected me, so my
>> opinion is largely theoretical. But even I am getting a little frustrated
>> by the constant claims that "what we have now is insecure and broken, and
>> must be fixed ASAP".
> 
> FWIW, +1. You may be paranoid, but not everyone has to be (or suffer the
> consequences of it). Security issues should be fixed without breaking things
> in a hassle (which is the policy we followed e.g. for the ssl module, or hash 
> randomization).

You missed a key word "… when possible". If there is a problem we will fix it, 
when we can do that in a way that minimizes breakages we will do that. It's all 
just about cost-benefit, and when you are talking about "executing code 
downloaded from the internet" it becomes quite easy to see benefits outweighing 
costs even with pretty major UX changes. Not something we do lightly, but 
status quo does not win here, sorry.

> 
> The whole python.org infrastructure is built on an OS kernel written by someone
> who thinks security issues are normal bugs. AFAIK there is no plan to switch to
> OpenBSD.

This is news to me, we specifically run Ubuntu LTS because Canonical's security 
response team has a proven track record of handling issues. If you mean that 
Linus doesn't handle security issues well, then it is fortunate indeed that we 
don't actually use his software.

--Noah

_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig