Who should security issues be reported to?
Duncan Booth
duncan.booth at invalid.invalid
Fri Jan 28 10:22:05 EST 2005
Paul Rubin wrote:
> The Cookie issue is discussed some in that bug thread. But more
> relevant is bug 471893. Sorry.

Thanks. There's an interesting comment in that thread:

A.M. Kuchling (akuchling) wrote:
> Date: 2003-02-06 09:29
>
> The Cookie classes that use pickle have DeprecationWarnings in
> 2.3, and should disappear in 2.4.

It's a real pity that nobody seems to have remembered to actually remove
them.

>> I think it's a bit borderline whether this really was a security bug in
>> Python rather than just a problem with the way some people used Python.
>
> If using a module the way it's documented results in a security hole,
> that's definitely a security bug.
>
> If using the module in an obvious and natural way that looks correct
> results in a security hole, I'd say it's at least an issue needing
> attention, even if some sufficiently hairsplitting reading of the
> documentation says that usage is incorrect. Principle of least
> astonishment.

Agreed. Principle of least astonishment is definitely good.