[Python-Dev] Releases for recent security vulnerability

Nick Coghlan ncoghlan at gmail.com
Sat Apr 16 16:23:42 CEST 2011


On Sat, Apr 16, 2011 at 9:45 PM, Gustavo Narea <me at gustavonarea.net> wrote:
> I reckon if this had been handled differently (i.e., making new releases
> and communicating it via the relevant channels [1]), we wouldn't have
> the situation we have right now.

Nope, we would have a situation where the security team were still
attempting to coordinate with the release managers to cut new source
releases and new binary releases, and not even releasing the source
level patches that *will* allow many, many people to fix the problem
on their own.

I don't agree that such a situation would be better than the status
quo (i.e. where both the problem and *how to fix it yourself* are
public knowledge).

The *exact* patches for all affected versions of Python are readily
available by checking the changesets linked from
http://bugs.python.org/issue11662#msg132517

> May I suggest that you adopt a policy for handling security issues like
> Django's?
> http://docs.djangoproject.com/en/1.3/internals/contributing/#reporting-security-issues

When the list of people potentially using the software is "anyone
running Linux or Mac OS X and an awful lot of people running Windows
or an embedded device", private pre-announcements simply aren't a
practical reality. Neither is "stopping all other development" when
most of the core development team aren't on the security at python.org
list and don't even know a security issue exists until it is announced
publicly. Take those two impractical steps out of the process, and
what you have *is* the python.org procedure for dealing with security
issues.

And when official python.org releases require coordination of
volunteers scattered around the planet, there is a harsh trade-off to
be made when it comes to deciding how long to wait before publishing
the information people need in order to fix the issue themselves.

Bumping the priority of the next round of python.org releases should
definitely be on the agenda, but the "rapid response" side of things
needs to come from the OS vendors with paid release engineers. Dealing
with security issues on behalf of their end users is one of the key
reasons they're getting paid for free software in the first place.

It may be worth asking the OS vendors whether or not they have
representatives that receive the security at python.org notifications,
and if not, why they haven't approached python-dev about receiving
such notifications.

> Cheers,
>
> [1] For example,
> <http://mail.python.org/mailman/listinfo/python-announce-list>,
> <http://www.python.org/news/>, <http://www.python.org/news/security/>.

Agreed that an announcement should be made on those locations, with a
list of links to the exact changesets for each affected version.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia