[Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

[Antoine Pitrou]

On Thu, 23 Feb 2017 23:51:45 -0800
Benjamin Peterson <benjamin at python.org> wrote:
> 
> Like all CPython developers, the Python security team are all
> volunteers. That combined with the fact that dealing with security
> issues is one of the least fun programming tasks means issues are
> sometimes dropped.
> 
> Perhaps some organization with a stake Python security would like to
> financially support Python security team members.
> 
> As for this, particular issue, we should determine if there's a tracker
> issue yet and continue discussion there.

Just for the record, I find the mailing-list scheme used by PSRT quite
difficult to deal with.  For many people it's easy to lose track of
e-mails received more than one week ago, so the necessary followup to
security issues received by e-mail suffers.

It's a bit sad that regular issues benefit from a full-fledged
Roundup instance to allow for easy tracking of open issues (including
comments and proposed fixes), but security issues are restricted to such
a primitive communication setup which makes it so difficult to get work
done.

AFAIK, other projects have full-fledged private bug trackers for their
security issues (or access-restricted sections in the main bug tracker,
where the software supports it).

Regards

Antoine.