[Python-Dev] Releases for recent security vulnerability
Gustavo Narea
me at gustavonarea.net
Sat Apr 16 13:45:42 CEST 2011
Hello,
On 15/04/11 13:30, Brian Curtin wrote:
> To me, the fix *was* released.
No, it wasn't. It was *committed* to the repository.
> Sure, no fancy installers were generated yet, but people who are
> susceptible to this issue 1) now know about it, and 2) have a way to
> patch their system *if needed*.
Well, that's a long shot. I doubt the people/organizations affected are
all aware. And I doubt they are all capable of patching their system or
getting a patched Python from a trusted party.
Three weeks after this security vulnerability was *publicly* reported on
bugs.python.org, and two days after it was semi-officially announced,
I'm still waiting for security updates for my Ubuntu and Debian systems!
I reckon if this had been handled differently (i.e., making new releases
and communicating it via the relevant channels [1]), we wouldn't have
the situation we have right now.
May I suggest that you adopt a policy for handling security issues like
Django's?
http://docs.djangoproject.com/en/1.3/internals/contributing/#reporting-security-issues
Cheers,
[1] For example,
<http://mail.python.org/mailman/listinfo/python-announce-list>,
<http://www.python.org/news/>, <http://www.python.org/news/security/>.
--
Gustavo Narea <xri://=Gustavo>.
| Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |