On 16 September 2015 at 19:42, Paul Moore wrote:
> Nobody in the open source or security good practices communities even has an avenue to communicate with the groups involved in this sort of thing.
Fortunately, that's no longer the case. Open source based development models are going mainstream, and while there's still a lot of work to do, cases like the US Federal government requiring the creation of open source prototypes as part of a bidding process are incredibly heartening (https://18f.gsa.gov/2015/08/28/announcing-the-agile-BPA-awards/). On the security side, folks are realising that the "You can't do that, it's a security risk" model is a bad one, and hence favoring switching to a model more like "We can help you to minimise your risk exposure while still enabling you to do what you want to do". So while it's going to take time for practices like those described in https://playbook.cio.gov/ to become a description of "the way the IT industry typically works", the benefits are so remarkable that it's a question of "when" rather than "if".
> Of course, nobody in this environment uses Python to build internet-facing web applications, either. So I'm not trying to argue that this should drive the question of the RNG used in Python. But at the same time, I am trying to sell Python as a good tool for automating business processes, writing administrative scripts and internal applications, etc. So there is a certain link...
Right, helping Red Hat's Python maintenance team to maintain that kind of balance is one aspect of my day job, hence my interest in https://www.python.org/dev/peps/pep-0493/ as a nicer migration path when backporting the change to verify HTTPS certificates by default.

Cheers,
Nick.

-- 
Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia