[Python-Dev] security SIG? (was: Discussion overload)

Steve Dower steve.dower at python.org
Sat Jun 18 18:47:57 EDT 2016

It's not just security discussions. The same thing happened with fspath, tzinfo, and many others that I have erased from my own memory. distutils-sig sees them often as well.

The whole thing seems like a limitation of written communication. There's no way to indicate or define whether something should be nitpicked or not, and so everything gets line-by-line analysis whether it deserves it or not, which is what leads to such huge and fragmented threads, regardless of topic.

At work, when we start seeing email or IM discussions going this way, we schedule a meeting. Perhaps we need a formal outlet for suspending discussion (and moderating incoming emails with a particular subject?) until an online call can be held and outcomes presented back to the list. Maybe we should schedule monthly online language summits and defer these discussions/decisions to that?

I know that change won't be popular with some people. Honestly, if you haven't contributed more than the people who quit python-dev over these threads, you don't get to demand status quo. We need to change something, and I don't think more email or mute buttons (sorry Guido :) ) are the answer.

Top-posted from my Windows Phone

-----Original Message-----
From: "Brett Cannon" <brett at python.org>
Sent: 6/18/2016 11:13
To: "Cory Benfield" <cory at lukasa.co.uk>
Cc: "Nick Coghlan" <ncoghlan at gmail.com>; "Python Dev" <python-dev at python.org>
Subject: Re: [Python-Dev] security SIG? (was: Discussion overload)

On Sat, 18 Jun 2016 at 07:30 Cory Benfield <cory at lukasa.co.uk> wrote:

> On 18 Jun 2016, at 04:06, Brett Cannon <brett at python.org> wrote:
> Do we need a security SIG? E.g. would people like Christian and Cory like to have a separate place to talk about the ssl stuff brought up at the language summit?

Honestly, I’m not sure what we would gain.

Unless that SIG is empowered to take action, all it will be is a factory for generating arguments like this one. It will inevitably be either a toxic environment in itself, or a source of toxic threads on python-dev as the security SIG brings new threads like this one to the table.

It should be noted that of the three developers that originally stepped forward on the security side of things here (myself, Donald, and Christian), only I am left subscribed to python-dev and nosy’d on the relevant issues. Put another way: each time we do this, several people on the security side burn themselves out in the thread and walk away (it’s possible that those on the other side of the threads do too, I just don’t know those people so well). It’s hard to get enthusiastic about signing people up for that. =)

And this is the problem I'm trying to solve. As various people have pointed out, the conversation was pretty much cordial, but it did end up feeling like "you're not listening to me" on both sides on top of the volume, which is what I think burned people out on this thread.

I think Nick brought up the point that we as a group need to come up with some guideline that we more-or-less stick with to help guide this kind of discussion or else we are going to burn out regularly any time security comes up; we can't keep holding security discussions like this or else we're going to end up in a bad place when everyone burns out and stops caring. 