[Python-Dev] Releases for recent security vulnerability

R. David Murray rdmurray at bitdance.com
Sun Apr 17 16:54:03 CEST 2011


On Sun, 17 Apr 2011 09:30:17 -0400, Jesse Noller <jnoller at gmail.com> wrote:

On Sun, Apr 17, 2011 at 7:48 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> On Sat, 16 Apr 2011 21:32:48 -0500 Brian Curtin <brian.curtin at gmail.com> wrote:
>> > Three weeks after this security vulnerability was publicly reported on
>> > bugs.python.org, and two days after it was semi-officially announced,
>> > I'm still waiting for security updates for my Ubuntu and Debian systems!
>> >
>> > I reckon if this had been handled differently (i.e., making new releases
>> > and communicating it via the relevant channels [1]), we wouldn't have
>> > the situation we have right now.
>>
>> I don't really think there's a "situation" here, and I fail to see how the
>> development blog isn't one of the relevant channels.
>
> If we want to make official announcements (like releases or security
> warnings), I don't think the blog is appropriate. A separate
> announcement channel (mailing-list or newsgroup) would be better, where
> people can subscribe knowing they will only get a couple of e-mails a
> year.

And whose responsibility is it to email yet another mythical list? The person posting the fix? The person who found and filed the CVE? The release manager? Brian helped us by raising awareness of the issue: At least now there's a chance that one or more of the OS vendors saw that this was an issue that was fixed.

The fact that Brian helped publicize it is not really relevant to Antoine's point. The obvious answer to your question about whose responsibility it is is: the security team. Brian's blog post would then have been much more like he envisioned it when he wrote it, a peek inside the process, rather than appearing to be the primary announcement as many seem to be perceiving it.

That's how distributions, at least, handle this. There's a mailing list for security related announcements on which only the "security officer" or "security team" posts announcements, and security related announcements only. Then the people responsible for security in any context (a distribution, a security manager for a company, J Random User) can subscribe to it and get only security announcements. That allows them to easily prioritize those announcements on receipt.

Python should have such a mailing list.

-- R. David Murray http://www.bitdance.com
