[Distutils] a plea for backward-compatibility / smooth transitions
p.f.moore at gmail.com
Tue Jul 30 09:33:38 CEST 2013
On 30 July 2013 07:08, Donald Stufft <donald at stufft.io> wrote:
> On Jul 30, 2013, at 1:41 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> > Paul Moore <p.f.moore <at> gmail.com> writes:
> >> Personally, none of the changes have detrimentally affected me, so my
> >> opinion is largely theoretical. But even I am getting a little
> >> by the constant claims that "what we have now is insecure and broken,
> >> must be fixed ASAP".
> > FWIW, +1. You may be paranoid, but not everyone has to be (or suffer the
> > consequences of it). Security issues should be fixed without breaking
> > in a hassle (which is the policy we followed e.g. for the ssl module, or
> > randomization).
> People are generally not paranoid until they've been successfully
> attacked. I
> *will* advocate and push for breaking things where security is concerned
> regardless of if you care or not, a lot of people *do* care and the nature
> of the
> beast is that you're only as strong as the weakest link. This particular
> wasn't an immediate vulnerability that I felt was urgent, hence why I've
> off on it when people were concerned about the backwards compat
> implications. I
> will not back off when it comes to issues that *do* have an immediate or
> term issue, regardless of if some people don't care or not.
And in case it's not obvious, I think this is important. We need to have
this sort of debate, certainly, but it won't happen without someone
advocating (and implementing!) the changes, so many thanks for being that
person and putting up with the flak.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Distutils-SIG