On Jul 30, 2013, at 8:06 AM, Nick Coghlan <[email protected]> wrote:

> If Donald informed us of a vulnerability and we refused to allow him (or 
> anyone else) to take the necessary steps to close it, then he would be 
> *completely* justified in publishing full details of the vulnerability, up to 
> and including working exploit code.
> 
> It won't come to that though, because we're taking this seriously and closing 
> security holes as quickly as is feasible while still ensuring a reasonable 
> level of backwards compatibility :)
> 
This basically.

Maybe I'm not being clear because I have a headache and I'm reading too
much into things because I'm sensitive to being shut down on efforts to fix these
things*. I don't expect with Nick, Richard, and Noah to ever need to do a Full
Disclosure. I was only trying to be clear about what I consider my escalation
path to be if a current, or near future, vulnerability is forced to remain open.


* I started trying to push for this ~2 years ago and got repeatedly shut down,
  for one reason or another. Which led me to create Crate.io. It's only been
  relatively recently that I've been given permission to actually fix things.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA


_______________________________________________
Distutils-SIG maillist  -  [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig
