Paul Ivanov pi at berkeley.edu
Fri Aug 1 17:40:38 EDT 2014

Hi Julian, Kyle, and list,

I just wanted to publicly thank Kyle again for following through
with these and ensure that they get reported and communicated in
the right manner. None of the other other IPython developers have
any experience with disclosing security vulnerabilities to
appropriate channels, and Kyle has stepped up entirely in a
volunteer capacity to do this for the benefit of the community.

Thanks to you as well, Julian, for bringing that CDN certificate
issue to our attention. We need all the help we can get, and I
my immediate reaction to reading "...making it quite
pointless..." was that Kyle is getting the stick instead of a
carrot for following through and doing a better job than we would
have done without him (your point about reporting this back in
0.12 is an example of our previous lack of familiarity,
appreciation, and engagement with security related issues).

If you have the time and interest, We'd love your help on the
security side of things (contact Kyle or me offlist), and I think
Kyle is striving to do a much more punctual disclosure of this
vulnerability in part because of your feedback on CVE-2014-3429.
I just want to make sure that we continue to have productive
interactions.

my sincerest appreciation to both of you,
--
_
/ \
A*   \^   -
,./   _.\\ / \
/ ,--.S    \/   \
/  "~,_     \    \
__o           ?
_ \<,_         /:\
--(_)/-(_)----.../ | \
--------------.......J
Paul Ivanov
ipython and matplotlib core developer
http://pirsquared.org