Re: disclosing security release dates on django-announce

2016-10-10 Thread Tim Graham
Thanks, I added that to the PR.

On Monday, October 10, 2016 at 3:43:09 PM UTC-4, Alex_Gaynor wrote:
>
> We already have one :-), our bounty indicates several severity levels: 
> https://hackerone.com/django
>
> Alex
>
>> On Mon, Oct 10, 2016 at 3:40 PM, Tim Graham wrote:
>
>> Providing an indication of severity would be fine with me. Does anyone 
>> know of other web frameworks that have descriptions of severity 
>> classifications that we could borrow?
>>
>>
>> On Saturday, October 8, 2016 at 11:26:06 AM UTC-4, Shai Berger wrote:
>>>
>>> On Friday 07 October 2016 19:47:38 Markus Holtermann wrote: 
>>> > On Friday, October 7, 2016 at 4:58:00 PM UTC+2, Tim Graham wrote: 
>>> > > The Django team proposes [0] to add the following to the security 
>>> policy: 
>>> > > 
>>> > > Approximately one week before public disclosure, ... 
>>> > > we notify django-announce [1] of the date and approximate time of 
>>> the 
>>> > > upcoming security release. No information about the issues is given. 
>>> [...] 
>>> > 
>>> > While we haven't decided on any particular format, you can expect the 
>>> > announcements to look a bit like 
>>> > https://mta.openssl.org/pipermail/openssl-announce/2016-September/76.html
>>> > 
>>>
>>> with nitpicking(): 
>>> this example does give some information about the issues -- the number of 
>>> issues and an assessment of their severity level. I believe it is a good 
>>> example to follow. 
>>>
>>> Shai. 
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/1e27a8a4-f760-494f-866d-9118b52e3bcb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: disclosing security release dates on django-announce

2016-10-10 Thread Alex Gaynor
We already have one :-), our bounty indicates several severity levels:
https://hackerone.com/django

Alex

On Mon, Oct 10, 2016 at 3:40 PM, Tim Graham wrote:

> Providing an indication of severity would be fine with me. Does anyone
> know of other web frameworks that have descriptions of severity
> classifications that we could borrow?
>
>
> On Saturday, October 8, 2016 at 11:26:06 AM UTC-4, Shai Berger wrote:
>>
>> On Friday 07 October 2016 19:47:38 Markus Holtermann wrote:
>> > On Friday, October 7, 2016 at 4:58:00 PM UTC+2, Tim Graham wrote:
>> > > The Django team proposes [0] to add the following to the security
>> policy:
>> > >
>> > > Approximately one week before public disclosure, ...
>> > > we notify django-announce [1] of the date and approximate time of the
>> > > upcoming security release. No information about the issues is given.
>> [...]
>> >
>> > While we haven't decided on any particular format, you can expect the
>> > announcements to look a bit like
>> > https://mta.openssl.org/pipermail/openssl-announce/2016-September/76.html
>> >
>>
>> with nitpicking():
>> this example does give some information about the issues -- the number of
>> issues and an assessment of their severity level. I believe it is a good
>> example to follow.
>>
>> Shai.
>>
>



-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6



Re: disclosing security release dates on django-announce

2016-10-10 Thread Tim Graham
Providing an indication of severity would be fine with me. Does anyone know 
of other web frameworks that have descriptions of severity classifications 
that we could borrow?

On Saturday, October 8, 2016 at 11:26:06 AM UTC-4, Shai Berger wrote:
>
> On Friday 07 October 2016 19:47:38 Markus Holtermann wrote: 
> > On Friday, October 7, 2016 at 4:58:00 PM UTC+2, Tim Graham wrote: 
> > > The Django team proposes [0] to add the following to the security 
> policy: 
> > > 
> > > Approximately one week before public disclosure, ... 
> > > we notify django-announce [1] of the date and approximate time of the 
> > > upcoming security release. No information about the issues is given. 
> [...] 
> > 
> > While we haven't decided on any particular format, you can expect the 
> > announcements to look a bit like 
> > https://mta.openssl.org/pipermail/openssl-announce/2016-September/76.html 
> > 
>
> with nitpicking(): 
> this example does give some information about the issues -- the number of 
> issues and an assessment of their severity level. I believe it is a good 
> example to follow. 
>
> Shai. 
>



Re: disclosing security release dates on django-announce

2016-10-08 Thread Shai Berger
On Friday 07 October 2016 19:47:38 Markus Holtermann wrote:
> On Friday, October 7, 2016 at 4:58:00 PM UTC+2, Tim Graham wrote:
> > The Django team proposes [0] to add the following to the security policy:
> > 
> > Approximately one week before public disclosure, ...
> > we notify django-announce [1] of the date and approximate time of the
> > upcoming security release. No information about the issues is given. [...]
> 
> While we haven't decided on any particular format, you can expect the
> announcements to look a bit like
> https://mta.openssl.org/pipermail/openssl-announce/2016-September/76.html
> 

with nitpicking():
this example does give some information about the issues -- the number of
issues and an assessment of their severity level. I believe it is a good
example to follow.

Shai.


Re: disclosing security release dates on django-announce

2016-10-07 Thread Markus Holtermann
While we haven't decided on any particular format, you can expect the 
announcements to look a bit like 
https://mta.openssl.org/pipermail/openssl-announce/2016-September/76.html

/Markus

On Friday, October 7, 2016 at 4:58:00 PM UTC+2, Tim Graham wrote:
>
> The Django team proposes [0] to add the following to the security policy:
>
> Approximately one week before public disclosure, ...
> we notify django-announce [1] of the date and approximate time of the
> upcoming security release. No information about the issues is given. This 
> is to aid organizations that need to ensure they have staff available to 
> handle triaging our announcement and upgrade Django as needed.
>
> [0] https://github.com/django/django/pull/7356
> [1] https://docs.djangoproject.com/en/dev/internals/mailing-lists/#django-announce
>
> Feedback is welcome.
>



disclosing security release dates on django-announce

2016-10-07 Thread Tim Graham
The Django team proposes [0] to add the following to the security policy:

Approximately one week before public disclosure, ...
we notify django-announce [1] of the date and approximate time of the
upcoming security release. No information about the issues is given. This 
is to aid organizations that need to ensure they have staff available to 
handle triaging our announcement and upgrade Django as needed.

[0] https://github.com/django/django/pull/7356
[1] https://docs.djangoproject.com/en/dev/internals/mailing-lists/#django-announce

Feedback is welcome.
