[Distutils] a plea for backward-compatibility / smooth transitions

Antoine Pitrou solipsis at pitrou.net
Tue Jul 30 13:40:06 CEST 2013


Donald Stufft <donald <at> stufft.io> writes:
> > You don't happen to be a random security professional, you are actually part
> > of that upstream project and you have access to non-public (possibly
> > confidential)
> > data about its infrastructure, which gives you responsibilities towards your
> > peers.
> > 
> > I don't think I would be the only one to be angry if an infrastructure member
> > started publishing working exploits for unfixed vulnerabilities in the pdo
> > infrastructure. It is a completely irresponsible way to act when you are part
> > of a project or community.
> 
> I don't really care if you'd be angry.

Great to hear. This mindset is typical of many "security specialists":
you're ready to tell everyone to go f*** themselves (I don't know how to
voice this differently) if you think you have a higher mission to
denounce some vulnerability.

> The point of Full Disclosure (and its cousin
> Responsible Disclosure) is to A) Inform everyone involved that they are taking
> a huge risk by using a particular thing and B) Provide incentive to people to
> fix their shit.

This does not necessarily involve publishing working exploits. By giving out
code that can immediately attack and bring down the pdo infrastructure, you
would be doing something else than merely "informing the public".

(neither Bruce Schneier nor Wikipedia states that Full Disclosure implies
publishing working exploits, btw. I suppose it means there is at the
minimum some contention, rather than consensus, over the issue.)

> If I can find a vulnerability then so can someone else.

You may (and probably do) have domain knowledge and inside knowledge that
others don't.

> If you feel I'd be
> overstepping my bounds then complain to my superiors, Richard/Nick on the
> packaging side of things and Noah on the Infrastructure team side of things.

"Superiors"? Are you making things up, or do you have an org chart to back that
up? :-)
(regardless, I would be surprised if any of those ordered *you* to publish an
exploit, rather than take the responsibility of doing it themselves - or,
rather, not doing it at all)

Regards

Antoine.
