[Python-Dev] Releases for recent security vulnerability
Jesse Noller jnoller at gmail.com
Fri Apr 15 14:36:16 CEST 2011
- Previous message: [Python-Dev] Releases for recent security vulnerability
- Next message: [Python-Dev] Releases for recent security vulnerability
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Fri, Apr 15, 2011 at 8:30 AM, Brian Curtin <brian.curtin at gmail.com> wrote:
> On Apr 15, 2011 3:46 AM, "Gustavo Narea" <me at gustavonarea.net> wrote:
>> Hi all,
>>
>> How come a description of how to exploit a security vulnerability comes
>> before a release for said vulnerability? I'm talking about this:
>> http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html
>>
>> My understanding is that the whole point of asking people not to report
>> security vulnerabilities publicly was to allow time to release a fix.
>
> To me, the fix was released. Sure, no fancy installers were generated yet,
> but people who are susceptible to this issue 1) now know about it, and
> 2) have a way to patch their system if needed. If that's wrong, I apologize
> for writing the post too early. On top of that, it seems I didn't get all
> of the details right either, so apologies on that as well.
The code is open source: Anyone watching the commits/list knows that this issue was fixed. It's better to keep it in the public's eyes, so they know something was fixed and they should patch, than to rely on people not watching these channels.
Assume the bad guys already knew about the exploit: We have to spread the knowledge of the fix as far and as wide as we can so that people even know there is an issue, and that it was fixed. This applies to users and vendors as well.
A blog post is good communication to our users. I have to side with Brian on this one.
jesse