[Distutils] a plea for backward-compatibility / smooth transitions
Antoine Pitrou
solipsis at pitrou.net
Tue Jul 30 09:01:20 CEST 2013
Donald Stufft <donald <at> stufft.io> writes:
> I have zero qualms about releasing a full disclosure along with working exploits
> into the wild for a security vulnerability that people block me on. If I'm unable
> to rectify the problem I will make sure that everyone *knows* about the problem.
I don't know what I'm supposed to infer from such a statement, except that I
probably don't want to trust you. You might think that "publish[ing] working
exploits into the wild" is some kind of heroic, altruistic act, but I think few
people would agree.
> Even a random occurrence will break for some percentage of people using
> the software some percentage of the time. If it didn't then it's unlikely anyone
> would notice it. Security vulnerabilities typically won't break until someone actively
> tries to break them.
You're mistaken. Bugs can sometimes be fixed preemptively, even before they're
noticed in the wild (by means of perusing the code and noticing an issue, for
example). Which also includes, of course, security issues (which often get fixed
before they ever get exploited).
Regards
Antoine.