On 20/03/2012, at 10:27 PM, Donald Stufft wrote:

> On Tuesday, March 20, 2012 at 10:08 AM, Tom Evans wrote:
>
>> On Tue, Mar 20, 2012 at 1:37 PM, Russell Keith-Magee
>> <russ...@keith-magee.com> wrote:
>>>
>>> The key point here is that we're not forcing every Django user to discover
>>> by accident that they need to run an ALTER TABLE statement in order for
>>> their projects to keep working. The opt-in nature of the change is key.
>>
>> This argument again? If something is in the release notes for a new
>> version, you only discover it 'by accident' if you do not read the
>> release notes. How does this differ to enabling csrf protection by
>> default?
>
> I think the major difference is that CSRF protection for example always hard
> failed, so even though it was a change that required reading the release
> notes, if you didn't read those release notes your site would break obviously.

Another key distinction -- CSRF is a security issue. Without CSRF, it's very easy to accidentally write a site that can be exploited by an attacker. On the other hand, the 75 character email limit is, at worst, an inconvenience for a relatively small portion of the population, and both the email size limit and the username limit have (admittedly inelegant) workarounds.

I'm sure someone will take issue with my description of this problem as only affecting a "relatively small" portion of the population -- so in my defence, I offer the following: Django's user model has been unchanged from day one -- which means we've been dealing with these problems for 6 years. And yet, somehow, Django as a project has managed to thrive.

I'm not arguing that we shouldn't fix the problem -- just that it's not quite the apocalyptic problem that some people seem to be making it out to be.

Yours,
Russ Magee %-)