[Distutils] a plea for backward-compatibility / smooth transitions

Noah Kantrowitz noah at coderanger.net
Tue Jul 30 08:02:28 CEST 2013

On Jul 29, 2013, at 10:41 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:

> Paul Moore <p.f.moore <at> gmail.com> writes:
>> Personally, none of the changes have detrimentally affected me, so my
>> opinion is largely theoretical. But even I am getting a little frustrated
>> by the constant claims that "what we have now is insecure and broken, and
>> must be fixed ASAP".
> FWIW, +1. You may be paranoid, but not everyone has to be (or suffer the
> consequences of it). Security issues should be fixed without breaking things
> in a hassle (which is the policy we followed e.g. for the ssl module, or hash 
> randomization).

You missed a key word "… when possible". If there is a problem we will fix it, when we can do that in a way that minimizes breakages we will do that. Its all just about cost-benefit, and when you are talking about "executing code downloaded from the internet" it becomes quite easy to see benefits outweighing costs even with pretty major UX changes. Not something we do lightly, but status quo does not win here, sorry.

> The whole python.org infrastructure is built on an OS kernel written by someone
> who thinks security issues are normal bugs. AFAIK there is no plan to switch to
> OpenBSD.

This is news to me, we specifically run Ubuntu LTS because Canonical's security response team has a proven track record of handling issues. If you mean that Linus doesn't handle security issues well, then it is fortunate indeed that we don't actually use his software.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 235 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130729/1bd7de0e/attachment-0001.pgp>

More information about the Distutils-SIG mailing list