[Python-Dev] Releases for recent security vulnerability

Jesse Noller jnoller at gmail.com
Fri Apr 15 14:36:16 CEST 2011


On Fri, Apr 15, 2011 at 8:30 AM, Brian Curtin <brian.curtin at gmail.com> wrote:
>
> On Apr 15, 2011 3:46 AM, "Gustavo Narea" <me at gustavonarea.net> wrote:
>>
>> Hi all,
>>
>> How come a description of how to exploit a security vulnerability
>> comes before a release for said vulnerability? I'm talking about this:
>> http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html
>>
>> My understanding is that the whole point of asking people not to
>> report security vulnerability publicly was to allow time to release a
>> fix.
>
> To me, the fix *was* released. Sure, no fancy installers were generated yet,
> but people who are susceptible to this issue 1) now know about it, and 2)
> have a way to patch their system *if needed*.
>
> If that's wrong, I apologize for writing the post too early. On top of that,
> it seems I didn't get all of the details right either, so apologies on that
> as well.

The code is open source: Anyone watching the commits/list knows that
this issue was fixed. It's better to keep it in the public's eyes, so
they know *something was fixed and they should patch* than to rely on
people *not* watching these channels.

Assume the bad guys already knew about the exploit: We have to spread
the knowledge of the fix as far and as wide as we can so that people
even know there is an issue, and that it was fixed. This applies to
users and *vendors* as well.

A blog post is good communication to our users. I have to side with
Brian on this one.

jesse
