[Distutils] a plea for backward-compatibility / smooth transitions

Antoine Pitrou solipsis at pitrou.net
Tue Jul 30 11:57:50 CEST 2013


Donald Stufft <donald <at> stufft.io> writes:
> 
> On Jul 30, 2013, at 3:01 AM, Antoine Pitrou <solipsis <at> pitrou.net> wrote:
> 
> I don't know what I'm supposed to infer from such a statement, except that
> I probably don't want to trust you. You might think that "publish[ing]
> working exploits into the wild" is some kind of heroic, altruistic act, but I
> think few people would agree.
> 
> 
> Full Disclosure is a common practice amongst security professionals
> when the upstream project is unwilling to rectify the problem. So yes I do
> think the practice of Full Disclosure is an altruistic act and often times
> the only thing that gets people who don't care to pull their head out of
> the sand and actually care.

You don't happen to be a random security professional, you are actually part
of that upstream project and you have access to non-public (possibly
confidential) data about its infrastructure, which gives you responsibilities
towards your peers.

I don't think I would be the only one to be angry if an infrastructure member
started publishing working exploits for unfixed vulnerabilities in the pdo
infrastructure. It is a completely irresponsible way to act when you are part
of a project or community.

Regards

Antoine.
