Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-11 Thread Julio Nobrega
On 8/11/06, e <[EMAIL PROTECTED]> wrote: > Even partial disclosure > would have helped a lot (and it was definitely a possibility, since > exploiting the flaw requires a combination of unrelated parts of the > application stack). For what it's worth, my 0.02 cents about this part. The good thing

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-10 Thread Adrian Holovaty
On 8/10/06, e <[EMAIL PROTECTED]> wrote: > Hopefully this is not out-of-line in this thread. I am a Rails person, > not a Django person, although I have written a lot of Python in the > past. I can give you some more information about the fallout in the > rails community which might help you

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-10 Thread e
Hi, Hopefully this is not out-of-line in this thread. I am a Rails person, not a Django person, although I have written a lot of Python in the past. I can give you some more information about the fallout in the rails community which might help you formulate your policy. I agree with Simon,

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-10 Thread Jason Huggins
Adrian Holovaty wrote: > On 8/10/06, Jason Huggins <[EMAIL PROTECTED]> wrote: > > At this point, I'll leave it to the project admins to decide how to > > proceed. But a new "django-announce" Google group sounds like the > > logical next step. > > I've created the django-announce mailing list:

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-10 Thread Simon Willison
James Bennett wrote: > On 8/9/06, Jason Huggins <[EMAIL PROTECTED]> wrote: > > I can see how a policy like that is "tricky"... What's to keep an evil > > blackhat from subscribing to the very same list so he knows when to > > get busy cracking sites using the same information? > > I've been

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-10 Thread Adrian Holovaty
On 8/10/06, Jason Huggins <[EMAIL PROTECTED]> wrote: > At this point, I'll leave it to the project admins to decide how to > proceed. But a new "django-announce" Google group sounds like the > logical next step. I've created the django-announce mailing list:

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-10 Thread Jason Huggins
Jyrki Pulliainen wrote: > On 8/10/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > > > > For notification what about a low-volume django-announce group / > > mailing list specifically for disclosures and point version upgrades? > > This gives something for vendors etc to subscribe to and

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-10 Thread Jyrki Pulliainen
On 8/10/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > > For notification what about a low-volume django-announce group / > mailing list specifically for disclosures and point version upgrades? > This gives something for vendors etc to subscribe to and follow, and > patches etc can be

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-10 Thread [EMAIL PROTECTED]
For notification what about a low-volume django-announce group / mailing list specifically for disclosures and point version upgrades? This gives something for vendors etc to subscribe to and follow, and patches etc can be announced in here before djangoproject.com or, say, reddit. --Simon

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-10 Thread Ivan Sagalaev
James Bennett wrote: > One would hope that anyone who's using Django is subscribed to > django-users and/or watches the Django blog This would be less and less true as time goes because Django will spread beyond early adopters to newly forming local communities. For example there is Russian

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-09 Thread Malcolm Tredinnick
On Wed, 2006-08-09 at 23:50 -0500, James Bennett wrote: > [...] > And as much as some people I've talked to have been wailing and > gnashing teeth about Rails being into Mac OS X 10.5 while Django > isn't, well, I don't envy somebody who gets shipped as part of a major > operating system when it

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-09 Thread James Bennett
On 8/9/06, Jason Huggins <[EMAIL PROTECTED]> wrote: > I can see how a policy like that is "tricky"... What's to keep an evil > blackhat from subscribing to the very same list so he knows when to > get busy cracking sites using the same information? I've been watching people go round and round

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-09 Thread Jason Huggins
James Bennett wrote: > > 3) Is there any sort of policy or promise on how many versions back > > Django devs are willing to go back and support? > > The documentation page Malcolm linked states that patches will be > developed for the current release and the two releases previous to it. > That

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-09 Thread Jason Huggins
Jeremy Dunck wrote: > True, but Rails had lots of buzz and has -lots- of prod systems. Of > the 2 people I talked to with prod rails systems, neither had heard of > this 3 hours after the posting. I only knew because of luck on > prog.reddit. Same here, programming.reddit.com is my most hit

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-09 Thread James Bennett
On 8/9/06, Jason Huggins <[EMAIL PROTECTED]> wrote: > 2) How should the affected users be notified? Having read the above > doc, I think this could use some more detail. One would hope that anyone who's using Django is subscribed to django-users and/or watches the Django blog (or that a company

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-09 Thread Jason Huggins
Malcolm Tredinnick wrote: > See > http://www.djangoproject.com/documentation/contributing/#reporting-security-issues Sorry I didn't read that first before posting here. Though I did a Trac search for "security" and that page didn't come up in the first few search results... Though, looking at

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-09 Thread Jeremy Dunck
On 8/9/06, Malcolm Tredinnick <[EMAIL PROTECTED]> wrote: > I'm not completely sure I agree with the way the Ruby team are handling > this release, but since I don't know the details yet, I can't really > work out what is happening; they may have very good justification for > the way they are

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-09 Thread Malcolm Tredinnick
On Wed, 2006-08-09 at 18:41 -0700, Jason Huggins wrote: [...] > A few questions: > 1) If there was critical security flaw found in Django (any version) > today, are there plans in place on how to deal with it? If so, are > those plans posted anywhere? If not, let's roll up our sleeves and do >

Re: If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-09 Thread Ian Holsman
I'm on the Apache security list, and I'll offer my 2c's on how they do it. 1) A security@ email alias which is private and is an alias for the core developers. Be prepared for a *LOT* of spam, and a lot of questions which should have been asked on dev@ or [EMAIL PROTECTED] security providers like to

If there was massive security hole found in Django, are there plans in place to deal with it?

2006-08-09 Thread Jason Huggins
I'm really feeling for our Rails Core friends... they're getting blasted right now for not having a complete policy for releasing and communicating urgent security flaws. I'm not poking fun, this is pretty serious stuff. Read here for some of the comments they're getting today via Reddit.com: