[Python-Dev] Python 2.7.7. on Windows

Stephen J. Turnbull stephen at xemacs.org
Tue Apr 29 08:56:02 CEST 2014


Steven D'Aprano writes:
 > On Tue, Apr 29, 2014 at 12:07:00PM +0900, Stephen J. Turnbull wrote:

 > > Note that if users actually paid attention to these guidelines, we'd
 > > be getting complaints from *them*, not from you.  I don't recall ever
 > > seeing that.  That implies that "normal users" will install anything
 > > anywhere anyway.
 > 
 > I don't think that argument is terribly useful. If people waited for 
 > "normal users"

I'm not suggesting that we wait for such reports in any case.  My
point is that the "security hole" is apparently wide open and nobody,
not Microsoft and not corporate IT, is doing anything to close it.  If
it were, it would inconvenience users and we'd hear about it.  I infer
they assess the threat to be essentially zero.

 > > If it's that unimportant to Microsoft, 
 > 
 > I think that's unfair.

What's unfair?  Mr. Miller is evidently concerned about users who have
completely left their security up to their OS vendor.  Isn't reference
to the importance of an alleged security hole to that vendor both fair
and relevant to a decision to make a backwards-incompatible change in
a Python bugfix release, even in the installer?

 > You should give them the courtesy of assuming that their decision
 > is not based on apathy,

My point is that Microsoft has *not* made a decision, but left it up
to anybody who has software they hope Windows users will install --
both Python-Dev and crackers.  I infer they do not consider this a
security issue worthy of notice.

 > And thus security vulnerabilities never get fixed :-)

I have no objection *at all* to making the change in the next feature
release.  I think the "good citizenship" argument is more than
sufficient, but of course I'll leave it up to the release manager.  As
for bugfix releases, given the arguments above, I want a stronger
argument than "Microsoft guidelines", that's all.  I don't even ask
for a CVE. :-)

 > I would have thought that the mere fact that Microsoft disapproves
 > of installing applications into the root should be good enough
 > reason to not do it.

I'm not defending the failure to follow the guideline in the Python
2.x.0 releases (IIUC the guideline pre-existed 2.7).  I'm questioning
whether it is a sufficient reason to make a backwards-incompatible
change in a bugfix release.

My take is that Microsoft itself doesn't think it's very important.

Regards,

