[Python-Dev] security SIG? (was: Discussion overload)

Stephen J. Turnbull stephen at xemacs.org
Sat Jun 18 06:38:34 EDT 2016

Brett Cannon writes:

 > Do we need a security SIG? E.g. would people like Christian and
 > Cory like to have a separate place to talk about the ssl stuff
 > brought up at the language summit?

Besides what Barry brought up about the potential for attractive
nuisance where people post security issues that should be confidential
(I don't think it's that great, though), I don't see it solving the
"clash of cultures" issue.  The people who have invested in learning a
lot of technical stuff related to security post as if they believe
that "consenting adults" cannot be applied to security issues (more on
that below), while RMs and working on distros tend to take the
position that, of course, "consenting adults" covers security too.

A SIG does help to address Christian's "ya gotta be this tall" to
contribute to security discussions, at least in the early stages of
discussion, but eventually it's going to arrive at python-dev.[1]
ISTM that in this case sufficient behind the scenes discussion took
place that the main contributors to the ultimate decision had a pretty
good idea of where each other stood, and (I'm guessing here) Larry
said "OK, we agree to disagree.  I could say I'm RM, you lose, but to
be fair I'll ask for a BDFL ruling."  Even though there really wasn't
anything for most of us to do but wait for that ruling (really --
Guido talks to Ted T'so and Theo de Raadt when he wants advice, there
are very few among us who travel in those circles), it ended up that
several of the security guys say they're not sure they can participate
in Python development any more.

I see the security issue as a backyard swimming pool.  The law may say
you must put a fence around it, but even 6 year olds can climb the
fence, fall in the pool, and drown.  The hard-line security advocate
position then is "the risk is a *kid's life*, backyard pools must be
banned".  You have to sympathize with their honest and deep concern,
but the community accepts that risk in the case of swimming pools.  I
suspect the Python community at large is going to be happy with
Larry's decision and the strategy of emphasizing the secrets module
starting with 3.6.

If so, the hard-line security advocates are going to have to accept
that, or stay painfully frustrated.  That would be very unfortunate,
because their knowledge is very much needed.

[1]  Keeping the BFDL ruling within the security group isn't going to
work, either -- the news of a secret patch will become public quickly,
and it will just seriously harm the trust the community has in its

More information about the Python-Dev mailing list