[Distutils] a plea for backward-compatibility / smooth transitions

Donald Stufft donald at stufft.io
Tue Jul 30 08:43:32 CEST 2013

On Jul 30, 2013, at 2:28 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:

> Donald Stufft <donald <at> stufft.io> writes:
>> I *will* advocate and push for breaking things where security is concerned
> because
>> regardless of if you care or not, a lot of people *do* care and the nature
> of the
>> beast is that you're only as strong as the weakest link.
> That's nice, but you're not alone here, so whatever you want to "push for"
> needn't
> always happen.

I have zero qualms about releasing a full disclosure along with working exploits
into the wild for a security vulnerability that people block me on. If I'm unable
to rectify the problem I will make sure that everyone *knows* about the problem.

>> There's actually pretty strong evidence that
>> shows the process of classifying bugs as security bugs is a harmful
> process and that
>> all updates should be treated the same because it's often times not
> immediately
>> obvious what the security implications are, even to security experts[1].
> Doesn't it contradict your own stance on the subject?
> ("This shows a fundamental misunderstanding of how security issues present
> themselves. Of course things just work for people because security issues
> are not
> like regular bugs" - which is a flawed argument btw. Many bugs have random or
> rare occurrences - not just security issues)

No? How you treat a bug and how they present themselves are not the same thing?

Even a random occurrence will break for some percentage of people using
the software some percentage of the time. If it didn't then it's unlikely anyone
would notice it. Security vulnerabilities typically won't break until someone actively
tries to break them.

>> I'm sure your dig at the OS is supposed to be some sort of masterstroke
> about how
>> we're not being as secure as possible anyways however I would contest that
>> OpenBSD is actually more secure.
> WTF are you talking about? No it's not. I'm simply pointing out that, for
> some strange reason, you decided to trust an OS whose author has very
> different views on how to fix 
> security issues than you have.

Well the Kernel isn't the OS, it's part of the OS and we run an OS whose
authors actually care a whole lot about security.

> Regards
> Antoine.
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> http://mail.python.org/mailman/listinfo/distutils-sig

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130730/e6bc8196/attachment.pgp>

More information about the Distutils-SIG mailing list