[Distutils] a plea for backward-compatibility / smooth transitions

Donald Stufft donald at stufft.io
Tue Jul 30 14:23:45 CEST 2013


On Jul 30, 2013, at 8:06 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:

> If Donald informed us of a vulnerability and we refused to allow him (or anyone else) to take the necessary steps to close it, then he would be *completely* justified in publishing full details of the vulnerability, up to and including working exploit code.
> 
> It won't come to that though, because we're taking this seriously and closing security holes as quickly as is feasible while still ensuring a reasonable level of backwards compatibility :)
> 
This basically.

Maybe I'm not being clear because I have a headache and I'm reading too
much into things because I'm sensitive to being shut down on efforts to fix these
things*. I don't expect, with Nick, Richard, and Noah, to ever need to do a Full
Disclosure. I was only trying to be clear about what I consider my escalation path
to be if a current or near-future vulnerability is forced to remain open.


* I started trying to push for this ~2 years ago and got repeatedly shut down,
  for one reason or another. Which led me to create Crate.io. It's only been
  relatively recently that I've been given permission to actually fix things.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
