Who should security issues be reported to?
tjreedy at udel.edu
Fri Jan 28 18:00:44 EST 2005
>>I find this response a bit disappointing frankly. Open Source people
>>make such a big deal about having lots of people being able to look at
>>source code and from that discover security problems, thus
>>somehow making it better than proprietary source code.
OP: Did you discover this supposed security hole from black-box observation
of behavior or by being one of the 'lots of people being able to look at
source code', thereby giving evidence to the point?
Everyone: I say 'supposed' because
a) The OP has provided no info about his/her claim.
b) The OP's original post is a classical troll: blast volunteer developers
for not having anticipated and planned for a novel situation; argue against
things not said, at least now here, not recently; imply that volunteers owe
him something. Most people with the expertise to detect a security hole
would know better.
c) The noise generated because of b) has alerted any malware writers
monitoring c.l.p for hints about exploitable security holes that there
might be one in one of the few modules where such could reasonably be.
OP: If my doubts are wrong and you really do have something to quietly
report to the 'authority', then do so, and quit making a noise about it.
Terry J. Reedy