Author: jacob Date: 2011-04-17 07:27:53 -0700 (Sun, 17 Apr 2011) New Revision: 16033
Modified: django/branches/releases/1.3.X/docs/internals/contributing.txt Log: [1.3.X] Updated the contributing document to accurately reflect our security process. Backport of [16032] from trunk. Modified: django/branches/releases/1.3.X/docs/internals/contributing.txt =================================================================== --- django/branches/releases/1.3.X/docs/internals/contributing.txt 2011-04-17 14:13:19 UTC (rev 16032) +++ django/branches/releases/1.3.X/docs/internals/contributing.txt 2011-04-17 14:27:53 UTC (rev 16033) 
@@ -104,19 +104,19 @@ fix is forthcoming. We'll give a rough timeline and ask the reporter to keep the issue confidential until we announce it. - * Halt all other development as long as is needed to develop a fix, - including patches against the current and two previous releases. + * Focus on developing a fix as quickly as possible and produce patches + against the current and two previous releases. * Determine a go-public date for announcing the vulnerability and the fix. To try to mitigate a possible "arms race" between those applying the patch and those trying to exploit the hole, we will not announce security problems immediately. - * Pre-notify everyone we know to be running the affected version(s) of - Django. We will send these notifications through private e-mail - which will include documentation of the vulnerability, links to the - relevant patch(es), and a request to keep the vulnerability - confidential until the official go-public date. + * Pre-notify third-party distributors of Django ("vendors"). We will send + these vendor notifications through private email which will include + documentation of the vulnerability, links to the relevant patch(es), and a + request to keep the vulnerability confidential until the official + go-public date. * Publicly announce the vulnerability and the fix on the pre-determined go-public date. This will probably mean a new release of Django, but
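Review bot: The rewritten pre-notify bullet does not say who qualifies as a third-party distributor ("vendor") or how one asks to be added to the notification list, so a reader cannot tell whether they will hear about a fix before the go-public date. Consider adding a sentence that defines the term and names the contact for requesting inclusion. Since the old wording covered "everyone we know to be running the affected version(s)", it would also help to state plainly that sites running Django directly now learn of the issue only at the public announcement. The notification still carries vulnerability documentation and patch links over "private email" with only a request for confidentiality; if there is an expectation about how recipients handle that material before the go-public date, this bullet is the place to document it.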