[Python-Dev] Python security team

Guido van Rossum guido at python.org
Mon Sep 29 19:16:23 CEST 2008


On Mon, Sep 29, 2008 at 5:11 AM, Jan Matejek <jan.matejek at novell.com> wrote:
> Brett Cannon napsal(a):
>> On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
>> <victor.stinner at haypocalc.com> wrote:
>>> First, I would like to access this information. Not only this issue, but
>>> all security related issues. I have some knowledge about security and I can
>>> help to resolve issues and/or estimate the criticality of an issue.
>>>
>>
>> That would require commit privileges first. Don't know if the group
>> requires that a person have a decent amount of time committing to the
>> core first (I just joined the list in late July).
>
> commit privileges?
> I would be interested in joining the PSRT list too - as a python
> maintainer for openSUSE, I think that it would be beneficial for both my
> and your work. And I can imagine that maintainers from other
> distributions have a similar opinion on this ;)
> And that does not necessarily mean commit privileges, right?
>
> Or is this an issue of trust, where "we trust you enough to make changes
> to the core" equals "we also trust you enough to see the security issues" ?

Traditionally we have been extremely careful in selecting people to
join the PSRT -- basically people that have many years of reputation
*within the Python community*.

I think we may have to expand our selection criteria, since the
existing approach has led to a small PSRT whose members are all too
busy to do the necessary legwork. At the same time we need to remain
selective -- I don't think having a crowd of hundreds would be
productive, and we need to be sure that every single member can
absolutely be trusted to take security seriously.

To answer your question directly, I don't think that just being the
Python maintainer for some Linux distribution is enough to qualify --
if our process worked well enough, you'd be getting the patches from
us via some downstream-flowing distribution mechanism that reaches
only trusted people within each vendor organization. I don't happen to
know you personally -- but perhaps other current members of the PSRT
do and that could be enough to secure an invitation.

-- 
--Guido van Rossum (home page: http://www.python.org/~guido/)