On Nov 17, 2015, at 11:44 PM, Nick Coghlan wrote:
> For Debian, Ubuntu and SUSE, their original determinations for the relevant CVE were "too intrusive to backport", so folks currently need to upgrade to newer versions of those distros to get the improved default behaviour:
This is an example of my problem with the tone of PEP 493 (sorry Nick, nothing personal!). "Improved default behavior"... for whom? It's not improved for the folks whose applications are broken by changing the default.