[Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

Antoine Pitrou solipsis at pitrou.net
Fri Feb 24 05:01:41 EST 2017

On Thu, 23 Feb 2017 23:51:45 -0800
Benjamin Peterson <benjamin at python.org> wrote:
> Like all CPython developers, the Python security team are all
> volunteers. That combined with the fact that dealing with security
> issues is one of the least fun programming tasks means issues are
> sometimes dropped.
> Perhaps some organization with a stake Python security would like to
> financially support Python security team members.
> As for this, particular issue, we should determine if there's a tracker
> issue yet and continue discussion there.

Just for the record, I find the mailing-list scheme used by PSRT quite
difficult to deal with.  For many people it's easy to lose track of
e-mails received more than one week ago, so the necessary followup to
security issues received by e-mail suffers.

It's a bit sad that regular issues benefit from a full-fledged
Roundup instance to allow for easy tracking of open issues (including
comments and proposed fixes), but security issues are restricted to such
a primitive communication setup which makes it so difficult to get work

AFAIK, other projects have full-fledged private bug trackers for their
security issues (or access-restricted sections in the main bug tracker,
where the software supports it).



More information about the Python-Dev mailing list