[Distutils] a plea for backward-compatibility / smooth transitions

[Donald Stufft]

On Jul 30, 2013, at 2:02 AM, Noah Kantrowitz <noah at coderanger.net> wrote:

> 
> On Jul 29, 2013, at 10:41 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> 
>> Paul Moore <p.f.moore <at> gmail.com> writes:
>>> 
>>> Personally, none of the changes have detrimentally affected me, so my
>>> opinion is largely theoretical. But even I am getting a little frustrated
>>> by the constant claims that "what we have now is insecure and broken, and
>>> must be fixed ASAP".
>> 
>> FWIW, +1. You may be paranoid, but not everyone has to be (or suffer the
>> consequences of it). Security issues should be fixed without breaking things
>> in a hassle (which is the policy we followed e.g. for the ssl module, or hash 
>> randomization).
> 
> You missed a key word "… when possible". If there is a problem we will fix it, when we can do that in a way that minimizes breakages we will do that. Its all just about cost-benefit, and when you are talking about "executing code downloaded from the internet" it becomes quite easy to see benefits outweighing costs even with pretty major UX changes. Not something we do lightly, but status quo does not win here, sorry.

Basically said it better than I could :)

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130730/d0b61d2d/attachment.pgp>