[Python-Dev] Releases for recent security vulnerability

Antoine Pitrou solipsis at pitrou.net
Sun Apr 17 15:42:49 CEST 2011


On Sunday 17 April 2011 at 09:30 -0400, Jesse Noller wrote:
> >
> > If we want to make official announcements (like releases or security
> > warnings), I don't think the blog is appropriate. A separate
> > announcement channel (mailing-list or newsgroup) would be better, where
> > people can subscribe knowing they will only get a couple of e-mails a
> > year.
> >
> > Regards
> >
> > Antoine.
> 
> And whose responsibility is it to email yet another mythical list? The
> person posting the fix? The person who found and filed the CVE? The
> release manager?

Well, whose responsibility is it to make blog posts about security
issues? If you can answer this question then the other question
shouldn't be any more difficult to answer ;)

I don't think the people who may be interested in security announcements
want to monitor a generic development blog, since Python is far from the
only piece of software they rely on. /I/ certainly wouldn't want to.

Also, I think Gustavo's whole point is that if we don't have a
well-defined, deterministic procedure for security announcements and
releases, then it's just as though we didn't care about security at all.
Saying "look, we mentioned this one on our development blog" isn't
really reassuring for the target group of people.

Regards

Antoine.



