On Mon, Jan 4, 2010 at 5:00 PM, Alex Gaynor <[email protected]> wrote:

> So, thinking out loud here, I know the DSF has a policy of hands off in
> the development of Django, but I was thinking (out loud) that perhaps
> it would be sensible for the DSF to hire someone to do a security
> audit of some of this stuff. I have 0 clue about the particulars of
> how anything like that works, but it was just a thought that occurred
> to me.
The policy isn't exactly "hands off;" it's just that the DSF has no interest in driving the development of Django. But the DSF certainly can (and in my opinion should) pay for services like this *if* the development team and community thinks it's necessary.

That said, I think the idea's probably a non-starter. First, like Tobias (see below) I tend to highly believe in the mantra of many eyeballs, so I'd argue that an expert review in no way absolves us of the need for open peer review. However, it would tend to discourage community review -- paid work almost always discourages volunteers -- and would thus be a net loss. Second, from a more pragmatic point of view, my impression is that anyone who's actually worth paying would cost well beyond what the DSF could actually afford.

Don't mean to shoot you down, though, and I *really* like the precedent you're setting by bringing this up. The main reason I wanted to have a DSF in the first place was so that we could have options like this. Even if we don't use the option this time (and I think we shouldn't) it's good for the community to know that it's available.

Jacob
