[Python-Dev] Python security team

Guido van Rossum guido at python.org
Mon Sep 29 19:16:23 CEST 2008


On Mon, Sep 29, 2008 at 5:11 AM, Jan Matejek <jan.matejek at novell.com> wrote:

Brett Cannon wrote:

On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner <victor.stinner at haypocalc.com> wrote:

First, I would like to have access to this information. Not only this issue, but all security-related issues. I have some knowledge about security and I can help to resolve issues and/or estimate the criticality of an issue.

That would require commit privileges first. Don't know if the group requires that a person have a decent amount of time committing to the core first (I just joined the list in late July).

Commit privileges? I would be interested in joining the PSRT list too - as a Python maintainer for openSUSE, I think that it would be beneficial for both my and your work. And I can imagine that maintainers from other distributions have a similar opinion on this ;) And that does not necessarily mean commit privileges, right? Or is this an issue of trust, where "we trust you enough to make changes to the core" equals "we also trust you enough to see the security issues"?

Traditionally we have been extremely careful in selecting people to join the PSRT -- basically people that have many years of reputation within the Python community.

I think we may have to expand our selection criteria, since the existing approach has led to a small PSRT whose members are all too busy to do the necessary legwork. At the same time we need to remain selective -- I don't think having a crowd of hundreds would be productive, and we need to be sure that every single member can absolutely be trusted to take security seriously.

To answer your question directly, I don't think that just being the Python maintainer for some Linux distribution is enough to qualify -- if our process worked well enough, you'd be getting the patches from us via some downstream-flowing distribution mechanism that reaches only trusted people within each vendor organization. I don't happen to know you personally -- but perhaps other current members of the PSRT do and that could be enough to secure an invitation.

--
--Guido van Rossum (home page: http://www.python.org/~guido/)
