On Mon, 2021-04-05 at 11:17 -0700, Ethan Furman wrote:
> On 4/4/21 7:10 AM, Michał Górny wrote:
> > This is precisely what I meant when I said I don't like the idea of combining security fixes with irrelevant changes. Good that I've chosen to backport the secfixes instead of pushing the new version to Gentoo stable.
>
> If I'm a user of Gentoo stable, how would I know from the Python installation itself that those vulnerabilities have been fixed? Would I have to go find the release/update notes to know?

I suppose the best way is to look at the security bug:
I'm working on a better tool to check your system for vulnerable packages but I can only dedicate a little time every few days to work on it, so it will take some time before it's ready.