[Python-Dev] Releases for recent security vulnerability
Nick Coghlan ncoghlan at gmail.com
Sat Apr 16 16:23:42 CEST 2011
On Sat, Apr 16, 2011 at 9:45 PM, Gustavo Narea <me at gustavonarea.net> wrote:
> I reckon if this had been handled differently (i.e., making new releases and communicating it via the relevant channels [1]), we wouldn't have the situation we have right now.
Nope, we would have a situation where the security team were still attempting to coordinate with the release managers to cut new source releases and new binary releases, and not even releasing the source level patches that will allow many, many people to fix the problem on their own.
I don't agree that such a situation would be better than the status quo (i.e. where both the problem and how to fix it yourself are public knowledge).
The exact patches for all affected versions of Python are readily available by checking the changesets linked from http://bugs.python.org/issue11662#msg132517
> May I suggest that you adopt a policy for handling security issues like Django's? http://docs.djangoproject.com/en/1.3/internals/contributing/#reporting-security-issues
When the list of people potentially using the software is "anyone running Linux or Mac OS X and an awful lot of people running Windows or an embedded device", private pre-announcements simply aren't a practical reality. Neither is "stopping all other development" when most of the core development team aren't on the security at python.org list and don't even know a security issue exists until it is announced publicly. Take those two impractical steps out of the process, and what you have is the python.org procedure for dealing with security issues.
And when official python.org releases require coordination of volunteers scattered around the planet, there is a harsh trade-off to be made when it comes to deciding how long to wait before publishing the information people need in order to fix the issue themselves.
Bumping the priority of the next round of python.org releases should definitely be on the agenda, but the "rapid response" side of things needs to come from the OS vendors with paid release engineers. Dealing with security issues on behalf of their end users is one of the key reasons they're getting paid for free software in the first place.
It may be worth asking the OS vendors whether or not they have representatives that receive the security at python.org notifications, and if not, why they haven't approached python-dev about receiving such notifications.
> Cheers,
> [1] For example, <http://mail.python.org/mailman/listinfo/python-announce-list>, <http://www.python.org/news/>, <http://www.python.org/news/security/>.
Agreed that an announcement should be made on those locations, with a list of links to the exact changesets for each affected version.
Cheers, Nick.
-- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia