[Python-Dev] Releases for recent security vulnerability
Jesse Noller
jnoller at gmail.com
Fri Apr 15 16:04:53 CEST 2011
On Fri, Apr 15, 2011 at 8:59 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> On Fri, 15 Apr 2011 08:36:16 -0400
> Jesse Noller <jnoller at gmail.com> wrote:
>> On Fri, Apr 15, 2011 at 8:30 AM, Brian Curtin <brian.curtin at gmail.com> wrote:
>> >
>> > On Apr 15, 2011 3:46 AM, "Gustavo Narea" <me at gustavonarea.net> wrote:
>> >>
>> >> Hi all,
>> >>
>> >> How come a description of how to exploit a security vulnerability
>> >> comes before a release for said vulnerability? I'm talking about this:
>> >> http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html
>> >>
>> >> My understanding is that the whole point of asking people not to
>> >> report security vulnerability publicly was to allow time to release a
>> >> fix.
>> >
>> > To me, the fix *was* released. Sure, no fancy installers were generated yet,
>> > but people who are susceptible to this issue 1) now know about it, and 2)
>> > have a way to patch their system *if needed*.
>> >
>> > If that's wrong, I apologize for writing the post too early. On top of that,
>> > it seems I didn't get all of the details right either, so apologies on that
>> > as well.
>>
>> The code is open source: Anyone watching the commits/list knows that
>> this issue was fixed. It's better to keep it in the public's eyes, so
>> they know *something was fixed and they should patch* than to rely on
>> people *not* watching these channels.
>>
>> Assume the bad guys already knew about the exploit: We have to spread
>> the knowledge of the fix as far and as wide as we can so that people
>> even know there is an issue, and that it was fixed. This applies to
>> users and *vendors* as well.
>
> True. However, many open source projects have the habit of cutting a
> release when a hole is discovered and fixed. It depends how seriously
> they (and their users) take security. Of course, there are different
> kinds of security issues, more or less severe. I don't know how severe
> the above issue is.
>
> Relying on a vendor distribution (such as a Linux distro, or
> ActiveState) is hopefully enough to get these security updates in time
> without patching anything by hand. I don't think many people compile
> Python for production use, but many do use our Windows installers.
>
> Regards
>
> Antoine.
>
Agreed; but all I'm defending is the post describing what, and how it
was fixed. Hiding it until we get around to eventually cutting a
release doesn't make the fix, or vulnerability go away. We need to
issue a release *quickly* - and we need to notify all of our consumers
quickly.
jesse