If you read BugTraq, python-announce or the Daily Python URL today, you would have noticed a Python Security Advisory. (If you missed it: http://www.python.org/security/PSF-2005-001/ .)

This was the first one issued in this form, but I'm sure it won't be the last one. Until now, we haven't had any infrastructure for this type of thing.

In this particular case, the original discoverer first asked on c.l.py for advice on how to proceed, which yielded only unhelpful referrals to SF or python-dev. Then he wrote the authors of the affected module. Fredrik was so kind to forward it to me, and I happened to have time to deal with it. (Hey, I work for a security company, so I would have *made* time if I had to.) But I may not always be that responsive -- I could be busy, or traveling, or people might not think of mailing me.

I believe it would be better if there was a "response team" for such situations. The response team would normally not have to do anything; they wouldn't have to be actively looking for security bugs, for example. But anyone with a (suspected) security problem related to Python would be able to email the team (e.g. security at python.org), trusting that the information would be kept confidential until a patch is developed; the response team would then investigate the problem and decide on an appropriate response.

I want to be on the team; Barry also works for a security company and I hope he'll want to join (he can also make up a better acronym :-); I hope at least one person from the release team can be involved, e.g. Anthony; and I would like to see some more volunteers involved to have a good spread of availability and expertise. (How about a Windows user?)

If you want to be on the team, send email to me *personally*. For discussion about the team's responsibilities and procedures, please follow up here.

--
--Guido van Rossum (home page: http://www.python.org/~guido/)
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev