[Distutils] a plea for backward-compatibility / smooth transitions

Antoine Pitrou solipsis at pitrou.net
Tue Jul 30 09:01:20 CEST 2013

Donald Stufft <donald <at> stufft.io> writes:
> I have zero qualms about releasing a full disclosure along with working
> into the wild for a security vulnerability that people block me on. If I'm
> to rectify the problem I will make sure that everyone *knows* about the

I don't know what I'm supposed to infer from such a statement, except that I
probably don't want to trust you. You might think that "publish[ing] working
exploits into the wild" is some kind of heroic, altruistic act, but I think few
people would agree.

> Even a random occurrence will break for some percentage of people using
> the software some percentage of the time. If it didn't then it's unlikely
> would notice it. Security vulnerabilities typically won't break until
> someone actively tries to break them.

You're mistaken. Bugs can sometimes be fixed preemptively, even before
they're noticed in the wild (by means of perusing the code and noticing an
issue, for example). Which also includes, of course, security issues (which
often get fixed before they ever get exploited).
