[Python-Dev] security SIG? (was: Discussion overload)

Guido van Rossum guido at python.org
Sat Jun 18 20:39:54 EDT 2016

Like it or not, written communication is all we have. However, I do think
we are running into some kind of limitation: the ancient concept of mailing
lists (or newsgroups). I would like to continue the discussion of this
limitation in the original thread.

PS. I think it's somewhat ironic that Steve posted his idea to deal with
discussions run amok in the forked thread that was meant specifically t
discuss the proposal for a security-sig. Ditto that Cory used this same
thread to bring up his philosophy about computer security -- that topic
itself belongs clearly in the proposed SIG or on python-dev (if we don't
create a SIG) but not (yet) in the discussion about whether we should
create a SIG.

On Sat, Jun 18, 2016 at 3:47 PM, Steve Dower <steve.dower at python.org> wrote:

> It's not just security discussions. The same thing happened with fspath,
> tzinfo, and many others that I have erased from my own memory.
> distutils-sig sees them often as well.
> The whole thing seems like a limitation of written communication. There's
> no way to indicate or define whether something should be nitpicked or not,
> and so everything gets line-by-line analysis whether it deserves it or not,
> which is what leads to such huge and fragmented threads, regardless of
> topic.
> At work, when we start seeing email or IM discussions going this way, we
> schedule a meeting. Perhaps we need a formal outlet for suspending
> discussion (and moderating incoming emails with a particular subject?)
> until an online call can be held and outcomes presented back to the list.
> Maybe we should schedule monthly online language summits and defer these
> discussions/decisions to that?
> I know that change won't be popular with some people. Honestly, if you
> haven't contributed more than the people who quit python-dev over these
> threads, you don't get to demand status quo. We need to change something,
> and I don't think more email or mute buttons (sorry Guido :) ) are the
> answer.
> Top-posted from my Windows Phone
> ------------------------------
> From: Brett Cannon <brett at python.org>
> Sent: ‎6/‎18/‎2016 11:13
> To: Cory Benfield <cory at lukasa.co.uk>
> Cc: Nick Coghlan <ncoghlan at gmail.com>; Python Dev <python-dev at python.org>
> Subject: Re: [Python-Dev] security SIG? (was: Discussion overload)
> On Sat, 18 Jun 2016 at 07:30 Cory Benfield <cory at lukasa.co.uk> wrote:
>> > On 18 Jun 2016, at 04:06, Brett Cannon <brett at python.org> wrote:
>> >
>> > Do we need a security SIG? E.g. would people like Christian and Cory
>> like to have a separate place to talk about the ssl stuff brought up at the
>> language summit?
>> Honestly, I’m not sure what we would gain.
>> Unless that SIG is empowered to take action, all it will be is a factory
>> for generating arguments like this one. It will inevitably be either a
>> toxic environment in itself, or a source of toxic threads on python-dev as
>> the security SIG brings new threads like this one to the table.
>> It should be noted that of the three developers that originally stepped
>> forward on the security side of things here (myself, Donald, and
>> Christian), only I am left subscribed to python-dev and nosy’d on the
>> relevant issues. Put another way: each time we do this, several people on
>> the security side burn themselves out in the thread and walk away (it’s
>> possible that those on the other side of the threads do too, I just don’t
>> know those people so well). It’s hard to get enthusiastic about signing
>> people up for that. =)
> And this is the problem I'm trying to solve. As various people have
> pointed out, the conversation was pretty much cordial, but it did end up
> feeling like "you're not listening to me" on both sides on top of the
> volume, which is what I think burned people out on this thread.
> I think Nick brought up the point that we as a group need to come up with
> some guideline that we more-or-less stick with to help guide this kind of
> discussion or else we are going to burn out regularly any time security
> comes up; we can't keep holding security discussions like this or else
> we're going to end up in a bad place when everyone burns out and stops
> caring.
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
> https://mail.python.org/mailman/options/python-dev/guido%40python.org

--Guido van Rossum (python.org/~guido)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20160618/6fb94251/attachment.html>

More information about the Python-Dev mailing list