I'm taking this thread across the great divide to the python-dev mailing list. The point Yasushi makes is that the security hole found and fixed by Zack Weinberg back in August 2002 (os.py 1.59) should be avaiable as a patch for versions of Python "out there" which might be affected. The versions he's concerned with are 1.5.2 and 2.1.3. I don't think we have to worry about 2.2.1 because those users can (and should) upgrade to 2.2.2 if the patch is important to them. To see the original thread, go here: http://mail.python.org/pipermail/python-list/2003-January/142352.html Yasushi> Thank you. But I think this patch or pached version of Python Yasushi> should be placed on ftp.python.org. Yasushi> Zope doesn't work with Python 2.2 yet. So many new Zope users Yasushi> will install Python 2.1.3. But there is no patch on Yasushi> ftp.python.org and no security alert on www.python.org. Zope ships with its own version of Python, often in binary (for Windows). The Zope folks probably need to provide their own patch. Yasushi> How do they know that Python 2.1.3 has security problem? Who are "they"? You have to realize that the people who develop Python don't know all the people who bundle Python in applications. It's open source and most of the people who work on Python are volunteers. Can someone on python-dev more in-the-know about these things respond? Skip