I'm really feeling for our Rails Core friends... they're getting
blasted right now for not having a complete policy for releasing and
communicating urgent security flaws. I'm not poking fun, this is pretty
serious stuff.

Read here for some of the comments they're getting today via
Reddit.com:
"Mandatory security patch issued for Rails, but the vulnerability is
not disclosed. "
http://programming.reddit.com/info/cvlr/comments

Rather than poke fun or make light of today's situation with Rails,
I'd rather turn the focus on the Django project and play the
"But what if it happened to you?" game.

I heard way-back-when that Django was security-audited and found to be
secure, but that was (I think) before Django was open-sourced, and I
don't remember seeing many details. However, doing a quick search for
"security" on the Dev list shows this message from Jacob:
http://groups.google.com/group/django-developers/msg/682543e6c084ff75

Should someone commission a new audit given the amount of code changes
in Django since last year? (It would be a great opportunity for some
company <cough Google cough ThoughtWorks cough WorldOnline /> to
sponsor.)

A few questions:
1) If there was a critical security flaw found in Django (any version)
today, are there plans in place on how to deal with it? If so, are
those plans posted anywhere? If not, let's roll up our sleeves and do
it! :-)

2) Is there a Django mailing list for security alerts? If not, let's
create one!

3) What are some projects to emulate in terms of "They do security
right"? I've heard Debian has good policies and execution on those
plans. Any others?

Having an emergency plan ready to go the moment a security issue crops
up is one of those things that will really ease the mind of an
"enterprise" flirting with the idea of going Django. It's also an area
where Django can really shine compared to other web frameworks (Python
or otherwise).

-Jason


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-developers
-~----------~----~----~----~------~----~------~--~---