On 30 July 2013 07:08, Donald Stufft <don...@stufft.io> wrote:

> On Jul 30, 2013, at 1:41 AM, Antoine Pitrou <solip...@pitrou.net> wrote:
>
> > Paul Moore <p.f.moore <at> gmail.com> writes:
> >>
> >> Personally, none of the changes have detrimentally affected me, so my
> >> opinion is largely theoretical. But even I am getting a little frustrated
> >> by the constant claims that "what we have now is insecure and broken, and
> >> must be fixed ASAP".
> >
> > FWIW, +1. You may be paranoid, but not everyone has to be (or suffer the
> > consequences of it). Security issues should be fixed without breaking things
> > in a hassle (which is the policy we followed e.g. for the ssl module, or hash
> > randomization).
>
> People are generally not paranoid until they've been successfully attacked. I
> *will* advocate and push for breaking things where security is concerned because
> regardless of if you care or not, a lot of people *do* care and the nature of the
> beast is that you're only as strong as the weakest link. This particular change
> wasn't an immediate vulnerability that I felt was urgent, hence why I've backed
> off on it when people were concerned about the backwards compat implications. I
> will not back off when it comes to issues that *do* have an immediate or near
> term issue, regardless of if some people don't care or not.


And in case it's not obvious, I think this is important. We need to have
this sort of debate, certainly, but it won't happen without someone
advocating (and implementing!) the changes, so many thanks for being that
person and putting up with the flak.

Paul
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig
