Who should security issues be reported to?

Terry Reedy tjreedy at udel.edu
Fri Jan 28 18:00:44 EST 2005

>>I find this response a bit dissappointing frankly. Open Source people
>>make such a big deal about having lots of people being able to look at
>>source code and from that discover security problems, thus making it
>>somehow making it better than proprietary source code.

OP: Did you discover this supposed security hole from black-box observation 
of behavior or by being one of the 'lots of people being able to look at 
source code', thereby giving evidence to the point?

Everyone: I say 'supposed' because
a) The OP has provided no info about his/her claim.
b) The OP's original post is a classical troll: blast volunteer developers 
for not having anticipated and planned for a novel situation; argue against 
things not said, at least now here, not recently; imply that volunteers own 
him something.  Most people with the expertise to detect a security hole 
would know better.
c) The noise generated because of b) has alerted any malware writers 
monitering c.l.p for hints about exploitable security holes that there 
might be one in one of the few modules where such could reasonably be.

OP: If my doubts are wrong and you really do have something to quietly 
report to the 'authority', then do so, and quit making a noise about it.

Terry J. Reedy

More information about the Python-list mailing list