Who should security issues be reported to?

Skip Montanaro skip at pobox.com
Sat Jan 29 08:23:54 EST 2005


    Nick> Upgrading your Python interpreter (even to a new maintenance
    Nick> branch release) in a production environment is usually a fairly
    Nick> involved exercise requiring a significant amount of testing, and
    Nick> the fact of the matter is, you're unlikely to do so unless there
    Nick> is some feature or bug-fix in a new version that you really
    Nick> need. (I'm still using Python 2.2.2 at work - it's entirely
    Nick> adequate for our needs, so there's no real pressure to upgrade on
    Nick> the current project. For a new project, I'd probably start with
    Nick> 2.4, planning to go to 2.4.1 in a couple of months' time, but there
    Nick> aren't really any post-2.2 additions to Python that I can't handle
    Nick> living without).

Still, if a security bug was serious enough, my guess is that someone would
step up to supply patches (or Windows installers) for any of a number of
versions that were affected by the bug, even 2.1 or 1.5.2.  That someone
might or might not be part of the core development team.  That nothing like
that has been done before doesn't preclude it being done in the future.

Skip


