On Tue, Apr 29, 2014 at 12:07:00PM +0900, Stephen J. Turnbull wrote: > Mike Miller writes: > > > Microsoft's guidelines on where to install software are clear, and > > don't make exceptions that "tools" should be installed to the root > > of the drive to bypass file system permissions, for convenience. > > But there's the rub. In this case, Microsoft doesn't have *security*, > it has "guidelines". They are *still* guidelines, not security, > *exactly* because it's convenient for somebody. The fact that taking > advantage of that convenience has the side effect of bypassing > filesystem permissions is unfortunate (and a bug in Windows IMO). > > Note that if users actually paid attention to these guidelines, we'd > be getting complaints from *them*, not from you. I don't recall ever > seeing that. That implies that "normal users" will install anything > anwhere anyway.
I don't think that argument is terribly useful. If people waited for "normal users" to complain before doing something about Heartbeat, we'd be in a pretty pickle. "Normal users" don't understand the technology well enough to have a valid threat model or judge the consequences, and they are confused by a mixture of ignorance, misinformation and hype. It's up to technical users to lead, not to follow. > If it's that unimportant to Microsoft, I think that's unfair. I'm not a MS fan, not even close. I think their business practices in the past have been reprehensible. But if there is anyone who takes backwards-compatibility even more seriously than Python-Dev, it is them. You should give them the courtesy of assuming that their decision is not based on apathy, but on *exactly* the same reasoning that *you* apply below: > I see insufficient reason why > we should risk confusing those "normal users" who already have Python > 2.7 installed (and as pointed out, they *are* at risk precisely > because the proposal changes the default install location). And thus security vulnerabilities never get fixed :-) I don't have an opinion on the importance or magnitude of this security vulnerability, the risk of confusion, or whether it should be fixed or not. But I wonder why the installer is ignoring the OS's guidelines for where software should be installed? If this were Apple we were talking about, would we ignore their guidelines? Or on Linux, would we blithly install Python in / instead of (say) /usr/local/bin? I don't think so. I would have thought that the mere fact that Microsoft disapproves of installing applications into the root should be good enough reason to not do it. In the absense of an extremely compelling reason not to do so, we should be a "good citizen" regardless of the OS. -- Steven _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com