Keeping an issue secret doesn't make people more secure, it only prevents
them from making an informed decision about the things they use.
Partial disclosure is typically publishing enough information to allow people
to make an informed choice but (hopefully) not enough information to allow
others to attack it.

Full Disclosure implies laying out the full details of the vulnerability. It doesn't
necessarily mean wrapping it up in ready to run code but they almost always
provide enough information so that anyone with a cursory understanding of
programming (or the area it affects depending on how hard it is to replicate)
can implement the attack and reproduce it.

The problem with Partial Disclosure is that often times vendors/upstream/whatever
will simply call the problem theoretical and still attempt to not fix things.
There's not really any inside knowledge. Everything is OSS.

Domain knowledge? Sure, but I really hope we aren't relying on people not
knowing enough about how the tooling works to exploit it.
Nick is the BDFL delegate for packaging tooling and Richard is the same for PyPI
and I generally consider my involvement as a PyPI admin to be under him.

Noah is in charge of the Infra team of which I am a member.
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

are
Effectively he does, yes. Richard is responsible for approving PyPI API
changes (including PyPI specific PEPs), I'm BDFL delegate for other
packaging PEPs and Noah has final say over the operation of the
python.orginfrastructure.

One or more of us are the ones that need to say yes on potentially
controversial changes, so the responsibility for any mistakes ultimately
lies with us, rather than Donald (and I'm greatly appreciative of the huge
amount of work he is putting into improving the PyPI security story).
If Donald informed us of a vulnerability and we refused to allow him (or
anyone else) to take the necessary steps to close it, then he would be
*completely* justified in publishing full details of the vulnerability, up
to and including working exploit code.

It won't come to that though, because we're taking this seriously and
closing security holes as quickly as is feasible while still ensuring a
reasonable level of backwards compatibility :)

Cheers,
Nick.

Thank you - both for the thoughtful response and the explanation of what is
going on in your thinking.

I certainly tend to think about possible issues rather than benefits, maybe
more than I should as I don't personally have any particular problems with
a rapid pace of change (except in some specific areas where I'm in so much
of a minority that I don't expect my concerns to be a big driver in the
grand scheme of things). I think I'm doing this to make sure people haven't
missed potential issues I'm aware of, but I can easily imagine that this
comes across as negative "stop energy". I'll try to stick to issues where I
have genuine concerns, and not theoretical ones in future.

And yes, it does feel like distutils-sig of 2013 is a much nicer place than
it used to be. Thanks to everyone for working to keep that the case.

Paul

To be fair, the tone you've taken (which can rub people up the wrong way)
hasn't just been over long-standing security issues. I've also felt
uncomfortable with some of your responses relating to the PEP 426
discussion around the JSON schema for requirements, where there is not the
same level of urgency, nor valid reason to believe that you're being thwarted
somehow.

If someone's approach comes off as unduly dismissive (even if not meant that
way), it makes it harder to engage in constructive discussion. I recognise
that it's hard communicating with people remotely, many of whom one might
never have met. It's easy to miss nuance and misconstrue turns of phrase. It's
best to tread gingerly, else too much time is spent smoothing ruffled feathers
at the expense of getting real work done.

Regards,

Vinay Sajip

Thanks for the thoughtful response. I appreciate it.

I also want to just throw in one extra piece of information for you
and anybody else reading this: 99% of "stop energy" doesn't happen
because people actively want to prevent progress or frustrate other
people. It simply happens when people notice a problem but don't have
as much personal stake in your goal as they do in not experiencing the
problem they will experience (or perceive they will), from the
proposed change.

When you look at it from this perspective, it's easier to understand
that the way to fix this is with more engagement on their part, which
can only be gotten by engagement on your part.

When I first proposed WSGI, the initial reaction of Web-SIG was pretty
negative. "Stop energy" if you will. Things only moved forward once
I was able to channel the energy of objections into offering
solutions. It's helpful to remember that asking, "okay, so how you
would recommend I do it?" *doesn't* obligate you to actually follow
all of the recommendations you get. (Especially since some of them
will be mutually contradictory!)

Anyway, I guess what I'm saying is that people lacking enthusiasm for
your goals is not really them trying to stop you. In fact, objections
are a positive thing: it means you got somebody's attention. The next
step is to leverage that attention into actually getting help, or at
least more constructive input. ;-)

It's true that some individuals will never provide really helpful
input. In the WSGI effort, there were people whose advice I never
took, because their goals were directed entirely opposite to where I
wanted to go. But I remained engaged until it was mutually clear (or
at least I thought it was) that our goals were different, and didn't
try to persuade them to go in the same direction. Such attempts at
persuasion are pretty much a waste of time, and a big energy drain.
Consensus-building is something that you do with people who have at
least some goals in common, so it's best to focus on finding out what
you *do* agree on.
Right. In such a case, a question you could ask is, "Do you agree in
general that we should move to a better hash at some point in the
future?", because then the disagreement can be narrowed down to
timeframe, migration or deprecation process, etc. The truth is, I had
no intention of "blocking the move", I had concerns I wanted addressed
about the impact, timing and process. (Actually, I originally just
noticed a couple of errors in what you'd laid out as the current state
of things, and wanted to make sure they were included in the
assessment.)

The point is, if somebody doesn't have *any* common ground with you,
it's unlikely they're even talking to you. At the very least, if
they're talking with you about PyPI, they must care about PyPI, even
if they care about different things than you, or with different
relative priorities. ;-)
Again, thank you. And hopefully, remember that probably nobody was
intentionally being your adversary before, either. As the old adage
says, the best way to destroy your enemies is to make friends with
them. ;-) And we do that by focusing on common ground, and inviting
participation.

(This is again not to say that I've been 100% Mr. Wonderful myself; I
know I haven't. But the community's best consensus-building happens
when somebody is doing the tough work of engaging with all parties.
Sometimes this doesn't happen, alas; back when I was developing
setuptools there just weren't enough people interested in the problems
available on Distutils-SIG to build any sort of consensus on the
solutions, so I *had* to go run with the ball myself. I'm really
happy that there is now BOTH a quorum of interested parties who
understand the problems, AND a few leaders able to drive the
consensus-building and actual development. If only we had done this
ten years ago, setuptools might not have been necessary. Well,
actually, that's probably not true: without *something* existing
first, that quorum of people who understand the problem wouldn't have
existed back then. But you know what I mean.)