Who should security issues be reported to?
duncan.booth at invalid.invalid
Fri Jan 28 07:00:18 EST 2005
grahamd at dscpl.com.au wrote:
> I find this response a bit disappointing frankly. Open Source people
> make such a big deal about having lots of people being able to look at
> code and from that discover security problems, thus somehow
> making it better than proprietary source code.

I think part of the problem you are having is that Python doesn't make any
representations about security, so it is pretty hard to come up with issues
which really are security related. Products which are based on Python (e.g.
Zope) and which do aim to provide some kind of secure environment probably
will have some clear mechanism for reporting security related issues.

The only part of Python which used to claim to offer security was rexec and
the bastion module, but they had so many security issues that they were
removed from the distribution.

In other words, I'm intrigued how you managed to come up with something you
consider to be a security issue with Python since Python offers no
security. Perhaps, without revealing the actual issue in question, you
could give an example of some other situation which, if it came up in
Python you would consider to be a security issue?