[Distutils] a plea for backward-compatibility / smooth transitions

Jim Fulton jim at zope.com
Mon Jul 29 20:21:03 CEST 2013

On Mon, Jul 29, 2013 at 2:15 PM, Donald Stufft <donald at stufft.io> wrote:
>> On Jul 29, 2013, at 1:18 PM, Paul Moore <p.f.moore at gmail.com> wrote:
>> But even I am getting a little frustrated by the constant claims that "what
>> we have now is insecure and broken, and must be fixed ASAP". The reality is
>> that everything's more or less OK - there's a risk, certainly, and it could
>> be severe, but many, many people are routinely using PyPI all the time
>> without issues. And telling them that they are wrong to do so, or that they
>> are being extremely naive over security, isn't helping.

> This shows a fundamental misunderstanding of how security issues present
> themselves. Of course things just work for people because security issues
> are not like regular bugs. They don't negatively affect you until someone
> attempts to use them to attack you. Keep your front door unlocked on your
> house and your valuables will remain inside _until_ someone decides to try
> and rob you. If you wait until people are affected by a security
> vulnerability then the horse has already fled the pasture and you're just
> attempting to close the gate after the fact.
>
> I'm pushing hard on doing what we can to secure the infrastructure because
> this shit matters. Everything is more or less OK, only because no one has
> decided that people installing from PyPI are not a valuable enough target to
> go after. Prior to this push that was basically the only thing preventing
> someone from attacking people, that they had never decided to bother to. We
> are better, it's somewhat harder now, but in many areas that's still the
> only thing keeping people safe.

Well said.

Security is a pain, but I'm really glad and appreciate that you and others are
paying attention to it.


Jim Fulton
