On Sun, 17 Apr 2011 09:30:17 -0400, Jesse Noller wrote:
On Sun, Apr 17, 2011 at 7:48 AM, Antoine Pitrou wrote:
On Sat, 16 Apr 2011 21:32:48 -0500 Brian Curtin wrote:
wrote: Three weeks after this security vulnerability was *publicly* reported on bugs.python.org, and two days after it was semi-officially announced, I'm still waiting for security updates for my Ubuntu and Debian systems!
I reckon if this had been handled differently (i.e., making new releases and communicating it via the relevant channels [1]), we wouldn't have the situation we have right now.
I don't really think there's a "situation" here, and I fail to see how the development blog isn't one of the relevant channels.
If we want to make official announcements (like releases or security warnings), I don't think the blog is appropriate. A separate announcement channel (mailing-list or newsgroup) would be better, where people can subscribe knowing they will only get a couple of e-mails a year.
And whose responsibility is it to email yet another mythical list? The person posting the fix? The person who found and filed the CVE? The release manager?
Brian *helped* us by raising awareness of the issue: At least now there's a chance that one or more of the OS vendors *saw* that this was an issue that was fixed.
The fact that Brian helped publicize it is not really relevant to Antoine's point. The *obvious* answer to your question about whose responsibility it is is: *the security team*. Brian's blog post would then have been much more like he envisioned it when he wrote it, a peek inside the process, rather than appearing to be the primary announcement as many seem to be perceiving it.

That's how distributions, at least, handle this. There's a mailing list for security related announcements on which only the "security officer" or "security team" posts announcements, and security related announcements *only*. Then the people responsible for security in any context (a distribution, a security manager for a company, J Random User) can subscribe to it and get *only* security announcements. That allows them to easily prioritize those announcements on receipt. Python should have such a mailing list.

--
R. David Murray
http://www.bitdance.com