On 11 May 2014 08:24, "Raymond Hettinger" <raymond.hettinger@gmail.com> wrote:
> Before proceeding further with stamping distracting security
> warnings all over the module documentation, we should look
> to other languages to see what others have found necessary.
> This warning does not appear anywhere else I've looked
> (MS Excel docs, Java docs, Go lang docs, etc.)
> http://docs.oracle.com/javase/6/docs/api/java/util/Random.html
> http://golang.org/pkg/math/rand/
> Those docs are clear, concise, not preachy, and not littered
> with distractions.

The fact that many (most?) programmers treat security considerations as a distraction is a core part of the problem we're trying to address.

As you point out, most language development teams do very little to try to educate their users about security issues. The consequences of that are clearly visible in the world around us: when security is treated as an optional afterthought, you get widespread deployment of insecure software.

At this point, we have two options:

* continue with the same model as everyone else, and treat security as an optional extra users should feel free to ignore (or treat as an advanced topic only specialists need to worry about)

* change our documentation practices to try to encourage the growth of a security-aware development community around Python, trusting that our users will recognise that the security issues we're discussing are inherent in the way computers work, rather than being specific to Python.

I'm obviously a strong advocate for the second path. Users aren't stupid, they'll figure out that almost all the security concerns we're warning about are inherent in the problem being solved, rather than being a Python-specific issue.


> Raymond