How to document changes related to security in Python changelog?
Hi,

I read the summary of Christian Heimes's talk at the language summit: "The Python security response team" http://lwn.net/Articles/691308/

Extract: "Some of the problems that have occurred are things like bug reports being sent to the list, but that couldn't be reproduced, or distributions not updating their Python packages because it wasn't clear to them that there was a security fix made in an upstream release. Heimes suggested that security fixes be clearly marked in the "News" file that accompanies releases."

I suggest adding a new Security section to Misc/NEWS, so that packagers are able to quickly identify changes which should be backported (if they maintain a Python version which is no longer supported upstream, or if you cannot use the latest version).

Christian proposed to simply prefix changes with "[Security]".

What do you think?

Victor
On 06/21/2016 07:07 AM, Victor Stinner wrote:
Extract: "Some of the problems that have occurred are things like bug reports being sent to the list, but that couldn't be reproduced, or distributions not updating their Python packages because it wasn't clear to them that there was a security fix made in an upstream release. Heimes suggested that security fixes be clearly marked in the "News" file that accompanies releases."
Christian proposed to simply prefix changes with "[Security]".
Seems good to me -- are there any downsides? -- ~Ethan~
On Jun 21, 2016, at 07:52 AM, Ethan Furman wrote:
On 06/21/2016 07:07 AM, Victor Stinner wrote:
Christian proposed to simply prefix changes with "[Security]".
Seems good to me -- are there any downsides?
Nothing major IMHO. The whole point is to make it easy for downstreams to identify changes. To that effect, I'd mildly prefer a Misc/NEWS section because it will be easier to pick out the changes, but OTOH "security" issues can span multiple sections, so it may just be more accurate to add a [Security] mark to issues that have a security aspect.

Once downstreams are properly trained on the new mark, it should be just as easy to search for it. It *is* a little difficult to search for specific issues in NEWS that occur after a given release. I usually search for "What's new in X.Y" for the baseline X.Y I care about, and then search up for some reference to the issue I'm looking for. It wouldn't be much extra work to also search for [Security].

As an aside, when/if we ever get auto-NEWS file generation (to reduce conflicts), I would love to get the (git) commit id prepended to the NEWS item. Sure, a particular change can span multiple commits, but the one that changes NEWS should be enough to quickly jump me to the relevant changes.

Cheers,
-Barry
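One way to automate the search Barry describes (find the baseline "What's New in X.Y" heading, then collect everything newer carrying the [Security] mark). This is an added example, not code from the thread or from CPython's own tooling; it assumes the Misc/NEWS layout of release headings followed by "- Issue #N:" bullets, and the sample entries and issue numbers are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of Misc/NEWS (release headings followed by
# "- Issue #N:" bullets); issue numbers and texts are made up for illustration.
SAMPLE_NEWS = """\
What's New in Python 3.5.3?
===========================
- [Security] Issue #99991: Hypothetical fix in a network module.
- Issue #99992: Ordinary bug fix, not security related.
What's New in Python 3.5.2?
===========================
- [Security] Issue #99993: Hypothetical hardening of a parser.
What's New in Python 3.5.1?
===========================
- [Security] Issue #99994: Older fix already shipped downstream.
"""

# Release heading, e.g. "What's New in Python 3.5.2?"; the version is captured.
RELEASE_RE = re.compile(r"^What's New in Python (\d+(?:\.\d+)+)")
# A NEWS bullet carrying the proposed [Security] prefix; the rest is captured.
ENTRY_RE = re.compile(r"^- \[Security\] (.*)$")


def version_tuple(v: str) -> Tuple[int, ...]:
    """'3.5.2' -> (3, 5, 2), so releases compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def security_entries(news: str) -> Dict[str, List[str]]:
    """Map each release heading to the [Security]-prefixed entries under it."""
    entries: Dict[str, List[str]] = {}
    current = None
    for line in news.splitlines():
        release = RELEASE_RE.match(line)
        if release:
            current = release.group(1)
            entries.setdefault(current, [])
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            entries[current].append(entry.group(1))
    return entries


def security_fixes_since(news: str, baseline: str) -> List[Tuple[str, str]]:
    """(version, entry) pairs for [Security] changes in releases newer than baseline."""
    base = version_tuple(baseline)
    return [(version, item)
            for version, items in security_entries(news).items()
            if version_tuple(version) > base
            for item in items]
```

A downstream packager on 3.5.1 would call security_fixes_since(news_text, "3.5.1") and get only the two newer tagged entries; the untagged 3.5.3 bug fix and the already-shipped 3.5.1 fix are left out.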
I don't think that it matters much at this point. We can start with the [Security] prefix and decide later to move items to a dedicated section.

I expect that we have 10 security related changes or less. Maybe I'm wrong and we have way more than that :-)

Victor

2016-06-22 0:40 GMT+02:00 Barry Warsaw <barry@python.org>:
On Jun 21, 2016, at 07:52 AM, Ethan Furman wrote:
On 06/21/2016 07:07 AM, Victor Stinner wrote:
Christian proposed to simply prefix changes with "[Security]".
Seems good to me -- are there any downsides?
Nothing major IMHO. The whole point is to make it easy for downstreams to identify change. To that effect, I'd mildly prefer a Misc/NEWS section because it will be easier to pick out the changes, but OTOH "security" issues can span multiple sections, so it may just be more accurate to add a [Security] mark to issues that have a security aspect.
Once downstreams are properly trained on the new mark, it should be just as easy to search for it. It *is* a little difficult to search for specific issues in NEWS that occur after a given release. I usually search for "What's new in X.Y" for the baseline X.Y I care about, and then search up for some reference to the issue I'm looking for. It wouldn't be much extra work to also search for [Security].
As an aside, when/if we ever get auto-NEWS file generation (to reduce conflicts), I would love to get the (git) commit id prepended to the NEWS item. Sure, a particular change can span multiple commits, but the one that changes NEWS should be enough to quickly jump me to the relevant changes.
Cheers,
-Barry

Security-SIG mailing list
Security-SIG@python.org
https://mail.python.org/mailman/listinfo/security-sig
Ok, I wrote a first patch to mark changes related to security in Python 3.5.2 changelog: https://bugs.python.org/issue27404 Victor
I also wrote a first draft of a document listing (3) recent Python security vulnerabilities: http://haypo-notes.readthedocs.io/python_security.html

It includes a list of fixed and vulnerable versions of Python. What do you think of such a table? It will not be easy to keep such a table up to date :-/

Victor

2016-06-27 23:15 GMT+02:00 Victor Stinner <victor.stinner@gmail.com>:
Ok, I wrote a first patch to mark changes related to security in Python 3.5.2 changelog: https://bugs.python.org/issue27404
Victor
Hi,

I pushed my change to tag security related changes with a [Security] prefix in Python 3.5.2 changes. I was too lazy to do it for older and more recent changes.

3.5: https://hg.python.org/cpython/rev/a576a34f5386
default: https://hg.python.org/cpython/rev/6a2de662eeb7

Victor

2016-06-27 23:15 GMT+02:00 Victor Stinner <victor.stinner@gmail.com>:
Ok, I wrote a first patch to mark changes related to security in Python 3.5.2 changelog: https://bugs.python.org/issue27404
Victor
participants (3): Barry Warsaw, Ethan Furman, Victor Stinner