[Python-Dev] Wanted: members for Python Security Response Team

Guido van Rossum gvanrossum at gmail.com
Thu Feb 3 16:03:24 CET 2005

If you read BugTraq, python-announce or the Daily Python URL today,
you would have noticed a Python Security Advisory. (If you missed it:
http://www.python.org/security/PSF-2005-001/ .)

This was the first one issued in this form, but I'm sure it won't be
the last one. Until now, we haven't had any infrastructure for this
type of thing. In this particular case, the original discoverer first
asked on c.l.py for advice on how to proceed, which yielded only
unhelpful referrals to SF or python-dev. Then he wrote the authors of
the affected module. Fredrik was so kind as to forward it to me, and I
happened to have time to deal with it. (Hey, I work for a security
company, so I would have *made* time if I had to.)

But I may not always be that responsive -- I could be busy, or
traveling, or people might not think of mailing me. I believe it would
be better if there was a "response team" for such situations. The
response team would normally not have to do anything; they wouldn't
have to be actively looking for security bugs, for example. But anyone
with a (suspected) security problem related to Python would be able to
email the team (e.g. security at python.org), trusting that the
information would be kept confidential until a patch is developed; the
response team would then investigate the problem and decide on an
appropriate response.

I want to be on the team; Barry also works for a security company and
I hope he'll want to join (he can also make up a better acronym :-); I
hope at least one person from the release team can be involved, e.g.
Anthony; and I would like to see some more volunteers involved to have
a good spread of availability and expertise. (How about a Windows
user?) If you want to be on the team, send email to me *personally*.
For discussion about the team's responsibilities and procedures,
please follow up here.

--Guido van Rossum (home page: http://www.python.org/~guido/)