On 28 July 2016 at 15:24, Andrew Dinn <ad...@redhat.com> wrote: > On 28/07/16 14:09, Stephen Colebourne wrote: >> No more packages would be exposed than with the current proposal. No >> more headache inducing problems would be created. > > The need for analgesic relief stems from this default being risky in a > way that the opposing default is not. Forgetting to export a new package > cannot compromise the security of the deployment (even though it might > indeed compromise its functionality). Forgetting to restrict access can > pass unnoticed whilst granting access to clients wiht larcenous intent.
Sure, I understand the point. I just can't see it being particularly relevant when most modules need to export everything. Whereas I can see that forgetting to export a package would be fairly common and really annoying, as it would require a new release to solve (given that it would only be when someone tries to use the package that you get told about the stupid mistake of not exporting it.) Stephen
