On Sun, Sep 28, 2008 at 6:39 AM, Steve Holden <steve@holdenweb.com> wrote:
Brett Cannon wrote:
On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner <victor.stinner@haypocalc.com> wrote:
Hi,
I would like to know if a Python security team does exist. I sent an email about an imageop issue, and I didn't get any answer. Later I learned that a security ticket was created, I don't have access to it.
Yes, the PSRT (Python Security Response Team) does exist. We did get your email; sorry we didn't respond. There are very few members on that list and most of them are extremely busy. Responding to your email just slipped through the cracks. I believe Benjamin was the last person to work on your submitted patch.
[...]
If we don't have a documented procedure, or if we do have a procedure and it isn't being followed, we can't be said to be taking security seriously, which I would find disappointing. This is one of the few areas where we probably *do* need to be meticulous, and the absence of a reply to a security report isn't really satisfactory.
Perhaps if the PSF does eventually hire some paid help, running the secretarial and administrative portions of the security team would help the busy members to avoid such issues dropping through the cracks in future.
That actually would be extremely beneficial since as right now a big problem we have is writing up the official announcement that some security issue has been plugged and then sticking up the patches online for people to download. -Brett