[Python-Dev] Releases for recent security vulnerability

Jesse Noller jnoller at gmail.com
Sun Apr 17 15:30:17 CEST 2011


On Sun, Apr 17, 2011 at 7:48 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> On Sat, 16 Apr 2011 21:32:48 -0500
> Brian Curtin <brian.curtin at gmail.com> wrote:
>> > Three weeks after this security vulnerability was *publicly* reported on
>> > bugs.python.org, and two days after it was semi-officially announced,
>> > I'm still waiting for security updates for my Ubuntu and Debian systems!
>> >
>> > I reckon if this had been handled differently (i.e., making new releases
>> > and communicating it via the relevant channels [1]), we wouldn't have
>> > the situation we have right now.
>>
>>
>> I don't really think there's a "situation" here, and I fail to see how the
>> development blog isn't one of the relevant channels.
>
> If we want to make official announcements (like releases or security
> warnings), I don't think the blog is appropriate. A separate
> announcement channel (mailing-list or newsgroup) would be better, where
> people can subscribe knowing they will only get a couple of e-mails a
> year.
>
> Regards
>
> Antoine.

And whose responsibility is it to email yet another mythical list? The
person posting the fix? The person who found and filed the CVE? The
release manager?

Brian *helped* us by raising awareness of the issue: At least now
there's a chance that one or more of the OS vendors *saw* that this
was an issue that was fixed.

