On Thu, Mar 27, 2014 at 8:58 PM, Nick Coghlan <ncogh...@gmail.com> wrote:
> On 27 March 2014 19:10, Maciej Fijalkowski <fij...@gmail.com> wrote:
>> I just find "my company is stupid so let's work around it by putting
>> stuff to python standard library" unacceptable argument for python-dev
>> and all the python community.
>
> Due diligence and prudent risk management are not stupid - most open
> source projects and small companies just don't have the luxury of
> worrying about them, as they're so far down the list of concerns that
> the additional risk of using arbitrary code downloaded off the
> internet doesn't even register.
I don't think anyone's saying it's stupid to be cautious, but more that it's stupid to blindly accept the latest python.org release and *not* accept something from another source. And if that's stupid, well, I'm stupid too - blindly accepting a whole lot of binary package updates because they're on ftp.au.debian.org, for instance. Why do I trust that, and not random sites on the internet? Because I trust the Debian package maintainers to check what goes through, and I trust that there are people with reputations at stake, who won't want to send something dodgy through. It's not perfect, but it's a whole lot easier than checking every single package that goes through.

ChrisA

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev