A colleague spotted a possible security issue with one of the CPython workflow tools (specifically with the configuration of our installation, rather than with the upstream project), and would like to know where to report it securely.
Currently the developer guide covers CPython itself (security@python.org), and infrastructure@python.org is the likely place for the main PSF infrastructure, but it isn't clear where such problems with the CPython workflow tools should be reported.
Regards, Nick.
P.S. A page in the dev guide listing the new core-workflow list, the individual workflow tools, and their maintenance arrangements would be a nice thing to have...
On 19/06/2014 21:13, Nick Coghlan wrote:
A colleague spotted a possible security issue with one of the CPython workflow tools (specifically with the configuration of our installation, rather than with the upstream project), and would like to know where to report it securely.
Currently the developer guide covers CPython itself (security@python.org), and infrastructure@python.org is the likely place for the main PSF infrastructure, but it isn't clear where such problems with the CPython workflow tools should be reported.
I think security@ is fine. infrastructure@ is not, since anyone can read it.
Regards
Antoine.
On Thu, Jun 19, 2014, at 18:23, Antoine Pitrou wrote:
On 19/06/2014 21:13, Nick Coghlan wrote:
A colleague spotted a possible security issue with one of the CPython workflow tools (specifically with the configuration of our installation, rather than with the upstream project), and would like to know where to report it securely.
Currently the developer guide covers CPython itself (security@python.org), and infrastructure@python.org is the likely place for the main PSF infrastructure, but it isn't clear where such problems with the CPython workflow tools should be reported.
I think security@ is fine. infrastructure@ is not, since anyone can read it.
There's also infrastructure-staff@python.org, which is private, but they don't own much of the CPython developer infra. If it's the tracker, for example, you're better off emailing Martin/bitdancer/Ezio privately.
security@ seems like the right address, since at a minimum we have all the people who'll know where to route the issue to.
Alex
On Thu, Jun 19, 2014 at 6:32 PM, Benjamin Peterson <benjamin@python.org> wrote:
On Thu, Jun 19, 2014, at 18:23, Antoine Pitrou wrote:
On 19/06/2014 21:13, Nick Coghlan wrote:
A colleague spotted a possible security issue with one of the CPython workflow tools (specifically with the configuration of our installation, rather than with the upstream project), and would like to know where to report it securely.
Currently the developer guide covers CPython itself (security@python.org), and infrastructure@python.org is the likely place for the main PSF infrastructure, but it isn't clear where such problems with the CPython workflow tools should be reported.
I think security@ is fine. infrastructure@ is not, since anyone can read it.
There's also infrastructure-staff@python.org, which is private, but they don't own much of the CPython developer infra. If it's the tracker, for example, you're better off emailing Martin/bitdancer/Ezio privately.
_______________________________________________
python-committers mailing list
python-committers@python.org
https://mail.python.org/mailman/listinfo/python-committers
On 20.06.2014 03:13, Nick Coghlan wrote:
A colleague spotted a possible security issue with one of the CPython workflow tools (specifically with the configuration of our installation, rather than with the upstream project), and would like to know where to report it securely.
Currently the developer guide covers CPython itself (security@python.org), and infrastructure@python.org is the likely place for the main PSF infrastructure, but it isn't clear where such problems with the CPython workflow tools should be reported.
If it's something our infra team can fix, it's probably best to directly send it to:
PSF Infrastructure Staff <infrastructure-staff@python.org>
Regards, Nick.
P.S. A page in the dev guide listing the new core-workflow list, the individual workflow tools, and their maintenance arrangements would be a nice thing to have...
On Jun 20, 2014, at 11:13 AM, Nick Coghlan wrote:
Currently the developer guide covers CPython itself (security@python.org), and infrastructure@python.org is the likely place for the main PSF infrastructure, but it isn't clear where such problems with the CPython workflow tools should be reported.
security@ should be the main entry point for all security issues for Python, including infrastructure, workflow, tools, etc. The folks on that team can forward to other teams as necessary.
Cheers, -Barry
On 20 June 2014 23:21, Barry Warsaw <barry@python.org> wrote:
On Jun 20, 2014, at 11:13 AM, Nick Coghlan wrote:
Currently the developer guide covers CPython itself (security@python.org), and infrastructure@python.org is the likely place for the main PSF infrastructure, but it isn't clear where such problems with the CPython workflow tools should be reported.
security@ should be the main entry point for all security issues for Python, including infrastructure, workflow, tools, etc. The folks on that team can forward to other teams as necessary.
OK, thanks. We may want to make that scope clearer on https://www.python.org/security, as I suspect I'm not alone in assuming the security address was specifically for the interpreter, rather than also covering python.org and the workflow tools in general.
Cheers, Nick.