[Python-Dev] Releases for recent security vulnerability

Jesse Noller jnoller at gmail.com
Fri Apr 15 16:04:53 CEST 2011


On Fri, Apr 15, 2011 at 8:59 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> On Fri, 15 Apr 2011 08:36:16 -0400 Jesse Noller <jnoller at gmail.com> wrote:
>> On Fri, Apr 15, 2011 at 8:30 AM, Brian Curtin <brian.curtin at gmail.com> wrote:
>>>
>>> On Apr 15, 2011 3:46 AM, "Gustavo Narea" <me at gustavonarea.net> wrote:
>>>>
>>>> Hi all,
>>>>
>>>> How come a description of how to exploit a security vulnerability
>>>> comes before a release for said vulnerability? I'm talking about this:
>>>> http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html
>>>>
>>>> My understanding is that the whole point of asking people not to
>>>> report security vulnerability publicly was to allow time to release a
>>>> fix.
>>>
>>> To me, the fix was released. Sure, no fancy installers were generated yet,
>>> but people who are susceptible to this issue 1) now know about it, and 2)
>>> have a way to patch their system if needed.
>>>
>>> If that's wrong, I apologize for writing the post too early. On top of that,
>>> it seems I didn't get all of the details right either, so apologies on that
>>> as well.
>>
>> The code is open source: Anyone watching the commits/list knows that this
>> issue was fixed. It's better to keep it in the public's eyes, so they know
>> something was fixed and they should patch, than to rely on people not
>> watching these channels. Assume the bad guys already knew about the
>> exploit: We have to spread the knowledge of the fix as far and as wide as
>> we can so that people even know there is an issue, and that it was fixed.
>> This applies to users and vendors as well.
>
> True. However, many open source projects take the habit of cutting a
> release when a hole is discovered and fixed. It depends how seriously they
> (and their users) take security. Of course, there are different kinds of
> security issues, more or less severe. I don't know how severe the above
> issue is.
>
> Relying on a vendor distribution (such as a Linux distro, or ActiveState)
> is hopefully enough to get these security updates in time without patching
> anything by hand. I don't think many people compile Python for production
> use, but many do use our Windows installers.
>
> Regards
>
> Antoine.

Agreed; but all I'm defending is the post describing what, and how, it was fixed. Hiding it until we get around to eventually cutting a release doesn't make the fix, or the vulnerability, go away. We need to issue a release quickly - and we need to notify all of our consumers quickly.

jesse



More information about the Python-Dev mailing list