[Python-Dev] Releases for recent security vulnerability

R. David Murray rdmurray at bitdance.com
Sun Apr 17 16:54:03 CEST 2011


On Sun, 17 Apr 2011 09:30:17 -0400, Jesse Noller <jnoller at gmail.com> wrote:
> On Sun, Apr 17, 2011 at 7:48 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> > On Sat, 16 Apr 2011 21:32:48 -0500 Brian Curtin <brian.curtin at gmail.com> wrote:
> >> > Three weeks after this security vulnerability was *publicly* reported on
> >> > bugs.python.org, and two days after it was semi-officially announced,
> >> > I'm still waiting for security updates for my Ubuntu and Debian systems!
> >> >
> >> > I reckon if this had been handled differently (i.e., making new releases
> >> > and communicating it via the relevant channels [1]), we wouldn't have
> >> > the situation we have right now.
> >>
> >> I don't really think there's a "situation" here, and I fail to see how the
> >> development blog isn't one of the relevant channels.
> >
> > If we want to make official announcements (like releases or security
> > warnings), I don't think the blog is appropriate. A separate
> > announcement channel (mailing-list or newsgroup) would be better, where
> > people can subscribe knowing they will only get a couple of e-mails a
> > year.
> 
> And whose responsibility is it to email yet another mythical list? The
> person posting the fix? The person who found and filed the CVE? The
> release manager?
> 
> Brian *helped* us by raising awareness of the issue: At least now
> there's a chance that one or more of the OS vendors *saw* that this
> was an issue that was fixed.

The fact that Brian helped publicize it is not really relevant to
Antoine's point.  The *obvious* answer to your question about whose
responsibility it is is: *the security team*.  Brian's blog post would
then have been much more like he envisioned it when he wrote it, a peek
inside the process, rather than appearing to be the primary announcement
as many seem to be perceiving it.

That's how distributions, at least, handle this.  There's a mailing list for
security related announcements on which only the "security officer" or
"security team" posts announcements, and security related announcements
*only*.  Then the people responsible for security in any context
(a distribution, a security manager for a company, J Random User) can
subscribe to it and get *only* security announcements.  That allows them
to easily prioritize those announcements on receipt.

Python should have such a mailing list.

--
R. David Murray           http://www.bitdance.com
