Ask the infrastructure team for a tracker instance. That would probably be more fruitful of an outlet than in the thread of this one issue. (I'm not trying to be flippant, I think a private issue tracker for vulnerabilities is a really good idea, I just don't think that bemoaning the lack of one in a thread about an FTP issue is likely to get much done.)
-----Original Message-----
From: Python-Dev [mailto:python-dev-bounces+tritium- email@example.com] On Behalf Of Antoine Pitrou
Sent: Friday, February 24, 2017 5:02 AM
To: firstname.lastname@example.org
Subject: Re: [Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)
On Thu, 23 Feb 2017 23:51:45 -0800 Benjamin Peterson email@example.com wrote:
Like all CPython developers, the Python security team are all volunteers. That combined with the fact that dealing with security issues is one of the least fun programming tasks means issues are sometimes dropped.
Perhaps some organization with a stake in Python security would like to financially support Python security team members.
As for this particular issue, we should determine if there's a tracker issue yet and continue discussion there.
Just for the record, I find the mailing-list scheme used by PSRT quite difficult to deal with. For many people it's easy to lose track of e-mails received more than one week ago, so the necessary followup to security issues received by e-mail suffers.
It's a bit sad that regular issues benefit from a full-fledged Roundup instance to allow for easy tracking of open issues (including comments and proposed fixes), but security issues are restricted to such a primitive communication setup which makes it so difficult to get work done.
AFAIK, other projects have full-fledged private bug trackers for their security issues (or access-restricted sections in the main bug tracker, where the software supports it).