Wanted: members for Python Security Response Team
If you read BugTraq, python-announce or the Daily Python URL today, you would have noticed a Python Security Advisory. (If you missed it: http://www.python.org/security/PSF-2005-001/ .) This was the first one issued in this form, but I'm sure it won't be the last one.

Until now, we haven't had any infrastructure for this type of thing. In this particular case, the original discoverer first asked on c.l.py for advice on how to proceed, which yielded only unhelpful referrals to SF or python-dev. Then he wrote the authors of the affected module. Fredrik was so kind as to forward it to me, and I happened to have time to deal with it. (Hey, I work for a security company, so I would have *made* time if I had to.) But I may not always be that responsive -- I could be busy, or traveling, or people might not think of mailing me.

I believe it would be better if there was a "response team" for such situations. The response team would normally not have to do anything; they wouldn't have to be actively looking for security bugs, for example. But anyone with a (suspected) security problem related to Python would be able to email the team (e.g. security at python.org), trusting that the information would be kept confidential until a patch is developed; the response team would then investigate the problem and decide on an appropriate response.

I want to be on the team; Barry also works for a security company and I hope he'll want to join (he can also make up a better acronym :-); I hope at least one person from the release team can be involved, e.g. Anthony; and I would like to see some more volunteers involved to have a good spread of availability and expertise. (How about a Windows user?)

If you want to be on the team, send email to me *personally*. For discussion about the team's responsibilities and procedures, please follow up here.

-- --Guido van Rossum (home page: http://www.python.org/~guido/)
Guido> For discussion about the team's responsibilities and procedures,
Guido> please follow up here.

I noticed the checkins. I think there is one other necessary output: source patches against all the affected versions need to be made available so people can apply the patch to an existing installed version without needing to upgrade.

Skip
> I noticed the checkins. I think there is one other necessary output: source patches against all the affected versions need to be made available so people can apply the patch to an existing installed version without needing to upgrade.
Patches for 2.2, 2.3 and 2.4 are on the website (python.org/security/PSF-2005-001/ has links). The module didn't exist before 2.2. -- --Guido van Rossum (home page: http://www.python.org/~guido/)
On Thu, 3 Feb 2005, Guido van Rossum wrote: [...]
> hope at least one person from the release team can be involved, e.g. [...]
Guido, from python-announce list: [...]
> Python 2.3.5 will be released from www.python.org within a few days containing a fix for this issue. Python 2.4.1 will be released later this month containing the same fix. Patches for Python 2.2, 2.3 and 2.4 are also immediately available: [...]
Hope this question isn't too dumb: How will Python releases made in response to security bugs be done: will they just include the security fix (rather than being taken from CVS HEAD), without the usual alpha / beta testing cycle? Or what...? John
> How will Python releases made in response to security bugs be done: will they just include the security fix (rather than being taken from CVS HEAD), without the usual alpha / beta testing cycle? Or what...?
Depends where you get the release. *Vendors* (ActiveState, Red Hat, Ubuntu, Debian, etc.) typically release a new version that has *just* the fix; they have the infrastructure in place to do this sort of thing quickly and to let their customers benefit quickly.

On python.org, however, we tend to take the maintenance branch for a particular version (e.g. 2.3.x or 2.4.x), add the fix, and accelerate the release. For example, we'll release 2.3.5 next week, and 2.4.1 probably some time this month. (In addition, of course, we publish the raw patch; also, we might end up making exceptions and/or start following the vendors' example in some or all cases.)

-- --Guido van Rossum (home page: http://www.python.org/~guido/)
>> How will Python releases made in response to security bugs be done:
>> will they just include the security fix (rather than being taken from
>> CVS HEAD), without the usual alpha / beta testing cycle? Or what...?

Guido> On python.org, however, we tend to take the maintenance branch
Guido> for a particular version (e.g. 2.3.x or 2.4.x), add the fix, and
Guido> accelerate the release.

Would it be possible to release a 2.3.4a that has just the fix over and above the released version? In this case it turns out that the fix nearly coincided with the release of 2.3.5 and 2.4.1. Would you do an accelerated release if this had come up right after they were released?

Skip
> Would it be possible to release a 2.3.4a that has just the fix over and above the released version? In this case it turns out that the fix nearly coincided with the release of 2.3.5 and 2.4.1. Would you do an accelerated release if this had come up right after they were released?
Just go to 2.3.6. No need to add a further complication to the numbering scheme. Raymond
"Raymond Hettinger" <python@rcn.com> wrote in message news:001b01c50bc3$81f3e460$fa01a044@oemcomputer...
>> Would it be possible to release a 2.3.4a that has just the fix over and above the released version? In this case it turns out that the fix nearly coincided with the release of 2.3.5 and 2.4.1. Would you do an accelerated release if this had come up right after they were released?
> Just go to 2.3.6. No need to add a further complication to the numbering scheme.
As I remember, 2.3.1 was precedent for this -- a quick fix-one-critical-item release about a week after 2.3.

Perhaps Python.org should have a release-announcement-only mailing list for people who would not get the news any other way. And/or perhaps final release announcements and security warnings could be made on the various Python-application mail lists if not so done already.

Terry J. Reedy
Terry Reedy wrote:
> Perhaps Python.org should have a release-announcement-only mailing list for people who would not get the news any other way. And/or perhaps final release announcements and security warnings could be made on the various Python-application mail lists if not so done already.
Alternately, could some topics be set up on the existing lists? (a la the new PEP topic for the checkins list)

Regards, Nick.

-- Nick Coghlan | ncoghlan@email.com | Brisbane, Australia --------------------------------------------------------------- http://boredomandlaziness.skystorm.net
participants (6)
- Guido van Rossum
- John J Lee
- Nick Coghlan
- Raymond Hettinger
- Skip Montanaro
- Terry Reedy