Who should security issues be reported to?

grahamd at dscpl.com.au
Fri Jan 28 20:33:27 EST 2005


> OP: Did you discover this supposed security hole from black-box observation
> of behavior or by being one of the 'lots of people being able to look at
> source code', thereby giving evidence to the point?

The technique used which is the source of the problem was actually
first discovered in a separate package to the Python distribution, but
it was known that the same technique was used in a module within the
Python distribution. It is quite possible that other third party
packages might use it as well, although a few of the mainstream
packages have been checked and they don't use exactly the same
technique so are okay. I could have just ignored the fact that the
Python distribution had the problem and worried about the other package
only.

> a) The OP has provided no info about his/her claim.

Since the problem at least affects two packages and because of the
potential for mischief, I am hardly about to identify the packages
concerned, nor describe anything that is going to allow people to work
out what the issue is.

> b) The OP's original post is a classical troll: blast volunteer developers
> for not having anticipated and planned for a novel situation; argue against
> things not said, at least now here, not recently; imply that volunteers owe
> him something.  Most people with the expertise to detect a security hole
> would know better.

And the reaction is what I have more and more been seeing in Open
Source circles. That is, either treat posters like ignorant newbies
who know no better, or assume they are trolls trying to discredit
Open Source. Quite sad really, one tries to do the right thing and gets
abused for it. It doesn't matter if a large project may be perceived as
being mostly immune to security problems, one could still occur and if
it isn't simple to raise such an issue I am sure that some people
wouldn't even bother.

> c) The noise generated because of b) has alerted any malware writers
> monitoring c.l.p for hints about exploitable security holes that there
> might be one in one of the few modules where such could reasonably be.

With approx 200+ modules in the Python distribution I can hardly see
how this helps. If I had done what you had wanted in (a) and given
actual information about the problem I would have been narrowing down
the problem to less than a dozen modules. You can't have it both ways.

> OP: If my doubts are wrong and you really do have something to quietly
> report to the 'authority', then do so, and quit making a noise about it.

And so it was, and knowledgeable people are looking at the issue. It
should not though have necessitated me making a noise in order to find
someone to deal with it in a timely manner. When a proprietary company
doesn't have an easy way of reporting problems or seems not to care too
much, Open Source people are on top of them like wolves. Why can't Open
Source people hold themselves to the same standard?

Not sure why I have even bothered to respond to you as it is probably
just the sort of attention you want. You even appear to have some
history of taking issue with people, even though in one of your own
posts you state:

> Responding to trollish postings. (Jan 26)
>
> My personal strategy is to read only as much of trollish
> threads as I find interesting or somehow instructive, almost never respond,
> and then ignore the rest.  I also mostly ignore discussions about such
> threads.
>
> Terry J. Reedy

Maybe you should simply have not responded. Let's see if you now ignore
the followup discussion. :-)



