Update the Rejected Ideas section

Signed-off-by: Matt Wozniski <godlygeek@gmail.com>

Author: godlygeek

peps/pep-0768.rst

@@ -390,17 +390,22 @@ can be found `here
 Rejected Ideas
 ==============
 
-Using a path as the debugger input
-----------------------------------
-
-We have selected that the mechanism for executing remote code is that tools
-write the code directly in the remote process to eliminate a possible security
-vulnerability in which the file to be executed can be altered by parties other
-than the debugger process if permissions are not set correctly or filesystem
-configurations allow for this to happen. It is also trivial to write code that
-executes the contents of a file so the current mechanism doesn't disallow tools
-that want to just execute files to just do so if they are ok with the security
-profile of such operation.
+Using a script as the debugger input
+------------------------------------
+
+We have chosen to have debuggers write the code to be executed into a file
+whose path is written into a buffer in the remote process. This has been deemed
+more secure than writing the Python code to be executed itself into a buffer in
+the remote process, because it means that an attacker who has gained arbitrary
+writes in a process but not arbitrary code execution or file system
+manipulation can't escalate to arbitrary code execution through this interface.
+
+This does require the attaching debugger to pay close attention to filesystem
+permissions when creating the file containing the code to be executed, however.
+If an attacker has the ability to overwrite the file, or to replace a symlink
+in the file path to point to somewhere attacker controlled, this would allow
+them to force their malicious code to be executed rather than the code the
+debugger intends to run.
 
 Thanks
 ======