On 24 November 2015 at 14:27, Laura Creighton firstname.lastname@example.org wrote:
In a message of Tue, 24 Nov 2015 14:05:53 +0000, Paul Moore writes:
Simply adding "people who have no control over their broken infrastructure" with a note that this PEP helps them, would be sufficient here (and actually helps the case for the PEP, so why not? ;-))
But does it help them? Or does it increase the power of those who hand out certificates and who are intensely security conscious over those who would like to get some work done this afternoon?
My reading is that if fully implemented (and Nick has already confirmed that Red Hat didn't do this) it would add an environment variable that would allow the user to (in effect) say "I can't fix my security infrastructure, so just leave me alone and let me take the risk".
So in theory this PEP would give back some of the ability to ignore the problem that previous PEPs took away. (And by "ignore the problem", here I mean "just try to get some work done in spite of a security and infrastructure group that don't understand how to implement security and infrastructure, dammit!")
Like it or not, in many organisations, security and development are a huge "us and them" battle. For me, it's important that Python doesn't take sides in that battle, while still offering education to anyone willing to listen. (All I've learned about security is as a result of working with Python - sadly, that knowledge has not made my job one iota easier, it's just increased my stress levels :-()