On Wednesday 31 December 2008 22:20:54, you wrote:
When it comes to commit privs in general, I am of the school that they should be handed out carefully. I for one do not want to have to babysit other committers to make sure that they did something correctly.
Last time I asked if anyone could help me in Python core if I had an svn account, and I got this answer: everybody will review the changes. Anyway, why do you fear problems? Did I already push buggy commits? I posted many patches on the Python bug tracker, most of them required many versions until they got perfect. But it doesn't mean that with an svn account, I will skip the bug tracker to write directly in the svn as my personal copy of Python!?
I also want people who have no agenda. It's okay to have an area you care about, but that doesn't mean you should necessarily say "I will only work on math, ever, even if something is staring me right in the face!", etc.
I wrote that I would like to improve Python quality by fuzzing, but I already contributed to many different topics by patches on the bug tracker.
There is also dedication. I don't like giving commit privileges to people who I don't think will definitely stick around. (...)
I don't understand why this is a problem.
To start, your focus on security, for me at least, goes too far sometimes. I have disagreed with some of your decisions in the name of security in the past and I am not quite ready to say that if you committed something I wouldn't feel compelled to double-check it to make sure you didn't go too far.
I'm not sure that I understood correctly: does it mean that some of my issues were not reproducible in the real world (far from the real usage of Python)? It's true that some issues found by fuzzing are hard to reproduce (require a prepared environment), but my goal is to kill all bugs :-) Even if the bug is hard to reproduce, it does exist and that's why I'm thinking that it should be fixed.
Sorry if I misused the name "security" but I don't remember where I wrote that "this issue is very security and related to security". Maybe by the imageop issues?
About fuzzing: I'm still using my fuzzer Fusil on Python trunk and py3k, and I find fewer and fewer bugs ;-) Most of the time I rediscover bugs already reported to the tracker, but not fixed yet. So the fuzzing job is mostly done ;-)
-- Victor Stinner aka haypo http://www.haypocalc.com/blog/