[Distutils] a plea for backward-compatibility / smooth transitions

Noah Kantrowitz noah at coderanger.net
Tue Jul 30 09:05:43 CEST 2013


On Jul 30, 2013, at 12:01 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:

> Donald Stufft <donald <at> stufft.io> writes:
>>
>> I have zero qualms about releasing a full disclosure along with working exploits
>> into the wild for a security vulnerability that people block me on. If I'm unable
>> to rectify the problem I will make sure that everyone *knows* about the problem.
> 
> I don't know what I'm supposed to infer from such a statement, except that I
> probably don't want to trust you. You might think that "publish[ing] working
> exploits into the wild" is some kind of heroic, altruistic act, but I think few
> people would agree.

No, this is the standard for security researchers. If the vendor ignores the reported exploit for long enough, they go public and try to make sure users understand the risks and how to mitigate them in the time it takes the vendor to fix it.

--Noah
