[Distutils] a plea for backward-compatibility / smooth transitions

Donald Stufft donald at stufft.io
Tue Jul 30 12:46:08 CEST 2013

On Jul 30, 2013, at 5:57 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:

> Donald Stufft <donald <at> stufft.io> writes:
>> On Jul 30, 2013, at 3:01 AM, Antoine Pitrou <solipsis <at> pitrou.net> wrote:
>>> I don't know what I'm supposed to infer from such a statement, except that
>>> I probably don't want to trust you. You might think that "publish[ing]
>>> working exploits into the wild" is some kind of heroic, altruistic act, but I
>>> think few people would agree.
>> Full Disclosure is a common practice amongst security professionals
>> when the upstream project is unwilling to rectify the problem. So yes I do think
>> the practice of Full Disclosure is an altruistic act and often times the only
>> thing that gets people who don't care to pull their head out of the sand
>> and actually care.
> You don't happen to be a random security professional, you are actually part
> of that upstream project and you have access to non-public (possibly
> confidential) data about its infrastructure, which gives you responsibilities
> towards your peers.
> I don't think I would be the only one to be angry if an infrastructure member
> starting publishing working exploits for unfixed vulnerabilities in the pdo
> infrastructure. It is a completely irresponsible way to act when you are part
> of a project or community.

I don't really care if you'd be angry. The point of Full Disclosure (and its cousin
Responsible Disclosure) is to A) Inform everyone involved that they are taking
a huge risk by using a particular thing and B) Provide incentive to people to
fix their shit. If others are preventing fixes from landing then both reasons still
apply whether the reporter is involved with the project or not.

If I can find a vulnerability then so can someone else. Someone who won't
inform people and will use it to maliciously attack people. If you feel I'd be
overstepping my bounds then complain to my superiors, Richard/Nick on the
packaging side of things and Noah on the Infrastructure team side of things.

I'll continue to do what I feel best serves the community for as long as I have
the ability to do so. Which I believe is work on improving these issues, fight
and advocate for the important ones, accept defeat on less important ones,
and, if necessary, issue a Full Disclosure.

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

