[Python-Dev] Releases for recent security vulnerability

Jacob Kaplan-Moss jacob at jacobian.org
Sun Apr 17 16:03:51 CEST 2011


On Sat, Apr 16, 2011 at 9:23 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> On Sat, Apr 16, 2011 at 9:45 PM, Gustavo Narea <me at gustavonarea.net> wrote:
>> May I suggest that you adopt a policy for handling security issues like
>> Django's?
>> http://docs.djangoproject.com/en/1.3/internals/contributing/#reporting-security-issues
>
> When the list of people potentially using the software is "anyone
> running Linux or Mac OS X and an awful lot of people running Windows
> or an embedded device", private pre-announcements simply aren't a
> practical reality. Neither is "stopping all other development" when
> most of the core development team aren't on the security at python.org
> list and don't even know a security issue exists until it is announced
> publicly. Take those two impractical steps out of the process, and
> what you have *is* the python.org procedure for dealing with security
> issues.

Just to fill in a bit of missing detail about our process since the
doc doesn't perfectly describe what happens:

* Our pre-announce list is *really* short. It consists of release
managers for various distributions that distribute packaged versions
of Django -- Ubuntu, RedHat, and the like. Yes it's a bit of
bookkeeping, but we feel it's really important to our users: not
everyone installs the Django package *we* put out, so we think it's
important to coordinate security releases with downstream distributors
so that users get a fixed version of Django regardless of how they're
installing Django in the first place.

* We don't really halt all development. I don't know why that's in
there, except maybe that it pre-dates there being more than a
couple-three committers. The point is just that we treat the security
issue as our most important issue at the moment and fix it as quickly
as possible.

I don't really have a point here as it pertains to python-dev, but I
thought it's important to clarify what Django *actually* does if it's
being discussed as a model.

Jacob
