[Python-Dev] Releases for recent security vulnerability

Brian Curtin brian.curtin at gmail.com
Sun Apr 17 04:32:48 CEST 2011


On Sat, Apr 16, 2011 at 06:45, Gustavo Narea <me at gustavonarea.net> wrote:

> Hello,
>
> On 15/04/11 13:30, Brian Curtin wrote:
> > To me, the fix *was* released.
>
> No, it wasn't. It was *committed* to the repository.
>

Yep, and that's enough for me. If you have a vulnerable system, you can now
patch it with an accepted fix.


>
> > Sure, no fancy installers were generated yet, but people who are
> > susceptible to this issue 1) now know about it, and 2) have a way to
> > patch their system *if needed*.
>
> Well, that's a long shot. I doubt the people/organizations affected are
> all aware.


Hence why this blog exists and why this post was made...

> And I doubt they are all capable of patching their system or
> getting a patched Python from a trusted party.
>

Maybe that's where the post fell short. Should I have added a section with
an example of how to apply the patch to an example system like 2.6?


> Three weeks after this security vulnerability was *publicly* reported on
> bugs.python.org, and two days after it was semi-officially announced,
> I'm still waiting for security updates for my Ubuntu and Debian systems!
>
> I reckon if this had been handled differently (i.e., making new releases
> and communicating it via the relevant channels [1]), we wouldn't have
> the situation we have right now.


I don't really think there's a "situation" here, and I fail to see how the
development blog isn't one of the relevant channels.