[Python-Dev] security SIG?

Ethan Furman ethan at stoneleaf.us
Sat Jun 18 13:36:56 EDT 2016

On 06/18/2016 07:30 AM, Cory Benfield wrote:
> On 18 Jun 2016, at 04:06, Brett Cannon wrote:

>> Do we need a security SIG? E.g. would people like Christian and Cory like
>> to have a separate place to talk about the ssl stuff brought up at the
>> language summit?
> Honestly, I’m not sure what we would gain.

We would gain a place where security enhancements/fixes can be discussed 
by those interested, where the environment is "how do we fix/improve 
such-and-such while breaking as little as possible" (those that want 
backward-compatibility at all costs need not apply ;).

Once a consensus has been reached (and possibly a PEP written, but 
hopefully that part will only rarely be necessary) then the proposal can 
be made to py-dev, complete with the "this portion is backwards 
incompatible, this is the expected impact, this is why it's important, 
here are the other far more painful alternatives".

> Unless that SIG is empowered to take action, all it will be is a factory for
> generating arguments like this one. It will inevitably be either a toxic
> environment in itself, or a source of toxic threads on python-dev as the
> security SIG brings new threads like this one to the table.

I suspect the resulting thread on py-dev will be far less painful when 
the initial discussions on ways to fix/improve this-or-that have already 
been done, the various options are being laid out, it's clear the new 
method will be in the next major release (unless incredibly serious, of 

> It should be noted that of the three developers that originally stepped forward
> on the security side of things here (myself, Donald, and Christian), only I am
> left subscribed to python-dev and nosy’d on the relevant issues. Put another way:
> each time we do this, several people on the security side burn themselves out in
> the thread and walk away (it’s possible that those on the other side of the
> threads do too, I just don’t know those people so well). It’s hard to get
> enthusiastic about signing people up for that. =)

One of the big advantages of a SIG is the much reduced pool of 
participants, and that those participants are usually interested in 
forward progress.  It would also be helpful to have a single person both 
champion and act as buffer for the proposals (not necessarily the same 
person each time).  I am reminded of the matrix-multiply PEP brought 
forward by Nathaniel a few months ago -- the proposal was researched 
outside of py-dev, presented to py-dev when ready, Nathaniel acted as 
the gateway between py-dev and those that wanted/needed the change, the 
discussion stayed (pretty much) on track, and it felt like the whole 
thing was very smooth.  (If it was somebody else, my apologies for my 
terrible memory! ;)

To sum up:  I think it would be a good idea.
