Who should security issues be reported to?

Duncan Booth duncan.booth at invalid.invalid
Fri Jan 28 07:00:18 EST 2005

grahamd at dscpl.com.au wrote:

> I find this response a bit disappointing frankly. Open Source people
> make such a big deal about having lots of people being able to look at
> source code and from that discover security problems, thus somehow
> making it better than proprietary source code.

I think part of the problem you are having is that Python doesn't make any
representations about security, so it is pretty hard to come up with issues
which really are security related. Products which are based on Python (e.g.
Zope) and which do aim to provide some kind of secure environment probably
will have some clear mechanism for reporting security related issues.

The only part of Python which used to claim to offer security was rexec and
the bastion module, but they had so many security issues that they were
removed from the distribution.

In other words, I'm intrigued how you managed to come up with something you
consider to be a security issue with Python since Python offers no
security. Perhaps, without revealing the actual issue in question, you
could give an example of some other situation which, if it came up in
Python, you would consider to be a security issue?
