[Distutils] a plea for backward-compatibility / smooth transitions

Donald Stufft donald at stufft.io
Tue Jul 30 08:08:36 CEST 2013


On Jul 30, 2013, at 1:41 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:

> Paul Moore <p.f.moore <at> gmail.com> writes:
>> 
>> Personally, none of the changes have detrimentally affected me, so my
>> opinion is largely theoretical. But even I am getting a little frustrated
>> by the constant claims that "what we have now is insecure and broken, and
>> must be fixed ASAP".
> 
> FWIW, +1. You may be paranoid, but not everyone has to be (or suffer the
> consequences of it). Security issues should be fixed without breaking things
> in a hassle (which is the policy we followed e.g. for the ssl module, or hash 
> randomization).

People are generally not paranoid until they've been successfully attacked. I
*will* advocate and push for breaking things where security is concerned because,
regardless of whether you care or not, a lot of people *do* care, and the nature of the
beast is that you're only as strong as the weakest link. This particular change
wasn't an immediate vulnerability that I felt was urgent, hence why I've backed
off on it when people were concerned about the backwards-compat implications. I
will not back off when it comes to issues that *do* have an immediate or near-term
impact, regardless of whether some people care or not.

> 
> The whole python.org infrastructure is built on an OS kernel written by someone
> who thinks security issues are normal bugs. AFAIK there is no plan to switch to
> OpenBSD.

So classifying bugs as security vs. "normal" is supposed to make it easier on people.
The thought is that creating new releases and applying updates is a time-consuming
process and oftentimes requires things such as reboots or service restarts, so by
dividing issues up into security vs. not security, the amount of disruption can be
minimized to only the "important" updates. There's actually pretty strong evidence that
shows the process of classifying bugs as security bugs is a harmful process and that
all updates should be treated the same, because it's oftentimes not immediately
obvious what the security implications are, even to security experts [1].

I'm sure your dig at the OS is supposed to be some sort of masterstroke about how
we're not being as secure as possible anyways; however, I would contest that
OpenBSD is actually more secure. Its major claim to fame is that they haven't had
a vulnerability in the OpenBSD base system in "a heck of a long time". The problem
is the OpenBSD base system is terribly small, and that claim cannot be made
once you include their packages. Furthermore, at the last I checked, OpenBSD
does not provide (although this may have changed) any ability to do MAC,
which means you're relying entirely on an attacker's ability to *not* get in versus
providing fail-safes to contain an attack once it's happened. Infrastructure is not
using MAC currently, but I would love to get us to that point as well.


[1] citeseerx.ist.psu.edu/viewdoc/download;jsessionid=7B6E224144709E99B7FAEBFC497621A1?doi=10.1.1.148.9757&rep=rep1&type=pdf

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
