Contact info for possible workflow tool security issue
A colleague spotted a possible security issue with one of the CPython workflow tools (specifically with the configuration of our installation, rather than with the upstream project), and would like to know where to report it securely.
Currently the developer guide covers CPython itself (security@python.org), and infrastructure@python.org is the likely place for the main PSF infrastructure, but it isn't clear where such problems with the CPython workflow tools should be reported.
Regards, Nick.
P.S. A page in the dev guide listing the new core-workflow list, the individual workflow tools, and their maintenance arrangements would be a nice thing to have...
-- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
On 19/06/2014 21:13, Nick Coghlan wrote:
A colleague spotted a possible security issue with one of the CPython workflow tools (specifically with the configuration of our installation, rather than with the upstream project), and would like to know where to report it securely.
Currently the developer guide covers CPython itself (security@python.org), and infrastructure@python.org is the likely place for the main PSF infrastructure, but it isn't clear where such problems with the CPython workflow tools should be reported.
I think security@ is fine. infrastructure@ is not, since anyone can read it.
Regards
Antoine.
On Thu, Jun 19, 2014, at 18:23, Antoine Pitrou wrote:
On 19/06/2014 21:13, Nick Coghlan wrote:
A colleague spotted a possible security issue with one of the CPython workflow tools (specifically with the configuration of our installation, rather than with the upstream project), and would like to know where to report it securely.
Currently the developer guide covers CPython itself (security@python.org), and infrastructure@python.org is the likely place for the main PSF infrastructure, but it isn't clear where such problems with the CPython workflow tools should be reported.
I think security@ is fine. infrastructure@ is not, since anyone can read it.
There's also infrastructure-staff@python.org, which is private, but they don't own much of the CPython developer infra. If it's the tracker, for example, you're better off emailing Martin/bitdancer/Ezio privately.
security@ seems like the right address, since at a minimum we have all the people who'll know where to route the issue to.
Alex
On Thu, Jun 19, 2014 at 6:32 PM, Benjamin Peterson <benjamin@python.org> wrote:
On Thu, Jun 19, 2014, at 18:23, Antoine Pitrou wrote:
On 19/06/2014 21:13, Nick Coghlan wrote:
A colleague spotted a possible security issue with one of the CPython workflow tools (specifically with the configuration of our installation, rather than with the upstream project), and would like to know where to report it securely.
Currently the developer guide covers CPython itself (security@python.org), and infrastructure@python.org is the likely place for the main PSF infrastructure, but it isn't clear where such problems with the CPython workflow tools should be reported.
I think security@ is fine. infrastructure@ is not, since anyone can read it.
There's also infrastructure-staff@python.org, which is private, but they don't own much of the CPython developer infra. If it's the tracker, for example, you're better off emailing Martin/bitdancer/Ezio privately.
python-committers mailing list python-committers@python.org https://mail.python.org/mailman/listinfo/python-committers
-- "I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) "The people's good is the highest law." -- Cicero GPG Key fingerprint: 125F 5C67 DFE9 4084
On 20.06.2014 03:13, Nick Coghlan wrote:
A colleague spotted a possible security issue with one of the CPython workflow tools (specifically with the configuration of our installation, rather than with the upstream project), and would like to know where to report it securely.
Currently the developer guide covers CPython itself (security@python.org), and infrastructure@python.org is the likely place for the main PSF infrastructure, but it isn't clear where such problems with the CPython workflow tools should be reported.
If it's something our infra team can fix, it's probably best to directly send it to:
PSF Infrastructure Staff <infrastructure-staff@python.org>
Regards, Nick.
P.S. A page in the dev guide listing the new core-workflow list, the individual workflow tools, and their maintenance arrangements would be a nice thing to have...
-- Marc-Andre Lemburg eGenix.com
On Jun 20, 2014, at 11:13 AM, Nick Coghlan wrote:
Currently the developer guide covers CPython itself (security@python.org), and infrastructure@python.org is the likely place for the main PSF infrastructure, but it isn't clear where such problems with the CPython workflow tools should be reported.
security@ should be the main entry point for all security issues for Python, including infrastructure, workflow, tools, etc. The folks on that team can forward to other teams as necessary.
Cheers, -Barry
On 20 June 2014 23:21, Barry Warsaw <barry@python.org> wrote:
On Jun 20, 2014, at 11:13 AM, Nick Coghlan wrote:
Currently the developer guide covers CPython itself (security@python.org), and infrastructure@python.org is the likely place for the main PSF infrastructure, but it isn't clear where such problems with the CPython workflow tools should be reported.
security@ should be the main entry point for all security issues for Python, including infrastructure, workflow, tools, etc. The folks on that team can forward to other teams as necessary.
OK, thanks. We may want to make that scope clearer on https://www.python.org/security, as I suspect I'm not alone in assuming the security address was specifically for the interpreter, rather than also covering python.org and the workflow tools in general.
Cheers, Nick.
-- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
participants (6)
- Alex Gaynor
- Antoine Pitrou
- Barry Warsaw
- Benjamin Peterson
- M.-A. Lemburg
- Nick Coghlan