Who should security issues be reported to?

Aahz aahz at pythoncraft.com
Fri Jan 28 14:14:51 EST 2005

In article <1106911061.429966.303510 at f14g2000cwb.googlegroups.com>,
 <grahamd at dscpl.com.au> wrote:
>Aahz wrote:
>> In article <1106863164.745581.11920 at f14g2000cwb.googlegroups.com>,
>>  <grahamd at dscpl.com.au> wrote:
>>>Who are the appropriate people to report security problems to in
>>>respect of a module included with the Python distribution?  I don't
>>>feel it appropriate to be reporting it on general mailing lists.
>> There is no generally appropriate non-public mechanism for reporting
>> security issues.  If you really think this needs to be handled
>> privately, do some research to find out which core developer is most
>> likely to be familiar with it.  Even before you do that, check
>> SourceForge to find out whether anyone else has reported it as a bug.
>I find this response a bit disappointing frankly. Open Source people
>make such a big deal about having lots of people being able to look at
>source code and from that discover security problems, thus somehow
>making it better than proprietary source code.

That's generally true, but not universally.  The key point you seem to
have missed in my response is "non-public mechanism".  Historically,
Python security issues have been thrashed out in public; the Python
project does not have a release cycle that makes it possible to quickly
address security concerns, so keeping it private has little point.

Your decision to take the private route makes it your responsibility to
search for an appropriate mechanism.

>I'm sorry, but this isn't really good enough. If Open Source wants to
>say that they are better than these proprietary companies, they need
>to deal with these sorts of things more professionally and establish
>decent channels of communications for dealing with it.

As other people said, sounds like you want to volunteer for this.  Which
would be fine -- but there's still not much point until/unless we get
enough volunteers to manage quicker release cycles.  Then there's still
the problem of getting people to update their local copies of Python.
This is a complex issue.

Aahz (aahz at pythoncraft.com)           <*>         http://www.pythoncraft.com/

"19. A language that doesn't affect the way you think about programming,
is not worth knowing."  --Alan Perlis
