[Python-Dev] security SIG?
ethan at stoneleaf.us
Sat Jun 18 13:36:56 EDT 2016
On 06/18/2016 07:30 AM, Cory Benfield wrote:
> On 18 Jun 2016, at 04:06, Brett Cannon wrote:
>> Do we need a security SIG? E.g. would people like Christian and Cory like
>> to have a separate place to talk about the ssl stuff brought up at the
>> language summit?
> Honestly, I’m not sure what we would gain.
We would gain a place where security enhancements/fixes can be discussed
by those interested, where the environment is "how do we fix/improve
such-and-such while breaking as little as possible" (those that want
backward-compatibility at all costs need not apply ;).
Once a consensus has been reached (and possibly a PEP written, but
hopefully that part will only rarely be necessary) then the proposal can
be made to py-dev, complete with the "this portion is backwards
incompatible, this is the expected impact, this is why it's important,
here are the other far more painful alternatives".
> Unless that SIG is empowered to take action, all it will be is a factory for
> generating arguments like this one. It will inevitably be either a toxic
> environment in itself, or a source of toxic threads on python-dev as the
> security SIG brings new threads like this one to the table.
I suspect the resulting thread on py-dev will be far less painful when
the initial discussions on ways to fix/improve this-or-that have already
been done, the various options are being laid out, it's clear the new
method will be in the next major release (unless incredibly serious, of
> It should be noted that of the three developers that originally stepped forward
> on the security side of things here (myself, Donald, and Christian),
> only I am
> left subscribed to python-dev and nosy’d on the relevant issues. But
> each time we do this, several people on the security side burn
> themselves out in
> the thread and walk away (it’s possible that those on the other side
> threads do too, I just don’t know those people so well). It’s hard to get
> enthusiastic about signing people up for that. =)
One of the big advantages of a SIG is the much reduced pool of
participants, and that those participants are usually interested in
forward progress. It would also be helpful to have a single person both
champion and act as buffer for the proposals (not necessarily the same
person each time). I am reminded of the matrix-multiply PEP brought
forward by Nathaniel a few months ago -- the proposal was researched
outside of py-dev, presented to py-dev when ready, Nathaniel acted as
the gateway between py-dev and those that wanted/needed the change, the
discussion stayed (pretty much) on track, and it felt like the whole
thing was very smooth. (If it was somebody else, my apologies for my
terrible memory! ;)
To sum up: I think it would be a good idea.