On Jul 30, 2013, at 2:02 AM, Noah Kantrowitz <n...@coderanger.net> wrote:
>
> On Jul 29, 2013, at 10:41 PM, Antoine Pitrou <solip...@pitrou.net> wrote:
>
>> Paul Moore <p.f.moore <at> gmail.com> writes:
>>>
>>> Personally, none of the changes have detrimentally affected me, so my
>>> opinion is largely theoretical. But even I am getting a little frustrated
>>> by the constant claims that "what we have now is insecure and broken, and
>>> must be fixed ASAP".
>>
>> FWIW, +1. You may be paranoid, but not everyone has to be (or suffer the
>> consequences of it). Security issues should be fixed without breaking things
>> in a hassle (which is the policy we followed e.g. for the ssl module, or
>> hash randomization).
>
> You missed a key word "… when possible". If there is a problem we will fix
> it, when we can do that in a way that minimizes breakages we will do that.
> It's all just about cost-benefit, and when you are talking about "executing
> code downloaded from the internet" it becomes quite easy to see benefits
> outweighing costs even with pretty major UX changes. Not something we do
> lightly, but status quo does not win here, sorry.

Basically said it better than I could :)

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig