Who should security issues be reported to?

Aahz aahz at pythoncraft.com
Sat Jan 29 11:57:45 EST 2005

In article <mailman.1566.1107005039.22381.python-list at python.org>,
Skip Montanaro  <skip at pobox.com> wrote:
>    Nick> Upgrading your Python interpreter (even to a new maintenance
>    Nick> branch release) in a production environment is usually a fairly
>    Nick> involved exercise requiring a significant amount of testing, and
>    Nick> the fact of the matter is, you're unlikely to do so unless there
>    Nick> is some feature or bug-fix in a new version that you really
>    Nick> need. (I'm still using Python 2.2.2 at work - it's entirely
>    Nick> adequate for our needs, so there's no real pressure to upgrade on
>    Nick> the current project. For a new project, I'd probably start with
>    Nick> 2.4, planning to go to 2.4.1 in a couple of months time, but there
>    Nick> aren't really any post-2.2 additions to Python that I can't handle
>    Nick> living without).
>Still, if a security bug was serious enough, my guess is that someone would
>step up to supply patches (or Windows installers) for any of a number of
>versions that were affected by the bug, even 2.1 or 1.5.2.  That someone
>might or might not be part of the core development team.  That nothing like
>that has been done before doesn't preclude it being done in the future.

While true, such coordination also requires public discussion, given the
way the Python community works.  Which obviates the OPs request for
private correspondence.
Aahz (aahz at pythoncraft.com)           <*>         http://www.pythoncraft.com/

"19. A language that doesn't affect the way you think about programming,
is not worth knowing."  --Alan Perlis

More information about the Python-list mailing list