On Jul 30, 2013, at 1:41 AM, Antoine Pitrou <solipsis@pitrou.net> wrote:

> Paul Moore <p.f.moore <at> gmail.com> writes:
>>
>> Personally, none of the changes have detrimentally affected me, so my
>> opinion is largely theoretical. But even I am getting a little frustrated
>> by the constant claims that "what we have now is insecure and broken, and
>> must be fixed ASAP".
>
> FWIW, +1. You may be paranoid, but not everyone has to be (or suffer the
> consequences of it). Security issues should be fixed without breaking things
> in a hassle (which is the policy we followed e.g. for the ssl module, or hash
> randomization).

People are generally not paranoid until they've been successfully attacked. I
*will* advocate and push for breaking things where security is concerned because,
regardless of whether you care or not, a lot of people *do* care and the nature of the
beast is that you're only as strong as the weakest link. This particular change
wasn't an immediate vulnerability that I felt was urgent, hence why I've backed
off on it when people were concerned about the backwards compat implications. I
will not back off when it comes to issues that *do* have an immediate or near
term issue, regardless of whether some people care or not.