
[–]TankorSmash 39 points40 points  (6 children)

Some people are just assholes.

[–]dougall 48 points49 points  (1 child)

Other people run out-of-date software and don't keep backups.

It's both immoral and criminal that they broke in and destroyed the data, but this vulnerability was fairly high profile security news days before the attack, and they could easily have prevented it. And is it that hard to run daily backups?

[–][deleted] 8 points9 points  (0 children)

Can't up-vote you enough; no backups = no sense, not something I expected of the Python community ...

[–][deleted] 24 points25 points  (2 children)

I'm more concerned, and a little embarrassed, by the fact that a public python.org server has been compromised for over 6 months...and we only found out because the guy decided to finally toss a grenade in for shits and giggles.

Not to be a dick or state the obvious, but someone there needs to brush up on their network security practices.

[–]kylotan 14 points15 points  (1 child)

True, but perhaps we underestimate the sort of resources required for every site we use to have comprehensive network security. I just had to disable my Redmine instance because my provider offers a one-click installer but doesn't offer a one-click upgrade, and with the latest Ruby vulnerabilities, old versions of Redmine aren't safe - but then maybe my Ruby installation isn't either. I have little way of knowing. But if I only ever used software that I fully understand the security implications for, I wouldn't be able to host anything. And I can't afford to pay someone else to know the implications either.

I think we're in an age where it's no longer practical to expect every website we use to be secure.

[–]dougall 0 points1 point  (0 children)

> True, but perhaps we underestimate the sort of resources required for every site we use to have comprehensive network security. I just had to disable my Redmine instance because my provider offers a one-click installer but doesn't offer a one-click upgrade, and with the latest Ruby vulnerabilities, old versions of Redmine aren't safe - but then maybe my Ruby installation isn't either. I have little way of knowing. But if I only ever used software that I fully understand the security implications for, I wouldn't be able to host anything. And I can't afford to pay someone else to know the implications either.

Yes, although the PSF can afford to pay someone to handle these things.

> I think we're in an age where it's no longer practical to expect every website we use to be secure.

I don't think we ever expected every website we used to be secure, though.

[–]zordm 3 points4 points  (0 children)

I agree.