On Thu, Oct 12, 2006 at 06:08:46PM +1000, Anthony Baxter wrote:
> I've had a couple of queries about whether PSF-2006-001 merits a 2.3.6.
> Personally, I lean towards "no" - 2.4 was nearly two years ago now. But I'm
> open to other opinions - I guess people see the phrase "buffer overrun" and
> they get scared.

As a data point: python 2.3 is the shipped version of python in the current stable Debian release (sarge). It is also vulnerable by default (sys.maxunicode == 1114111).

I'm sure the debian maintainers are capable of picking up the patch and sending out a security update themselves, but by releasing a fixed 2.3 you'll send a stronger message to all the distributions hopefully!

> Plus once 2.4.4 final is out next week, I'll have cut 12 releases
> since March. Assuming a 2.5.1 before March (very likely) that'll be
> 14 releases in 12 months. 16 releases in 12 months would just about
> make me go crazy.

I sympathise! I do releases for my current workplace and it is time consuming and exacting work.

--
Nick Craig-Wood <[EMAIL PROTECTED]> -- http://www.craig-wood.com/nick