Author: jacob
Date: 2011-04-17 07:27:53 -0700 (Sun, 17 Apr 2011)
New Revision: 16033

Modified:
   django/branches/releases/1.3.X/docs/internals/contributing.txt
Log:
[1.3.X] Updated the contributing document to accurately reflect our security 
process.

Backport of [16032] from trunk.

Modified: django/branches/releases/1.3.X/docs/internals/contributing.txt
===================================================================
--- django/branches/releases/1.3.X/docs/internals/contributing.txt      
2011-04-17 14:13:19 UTC (rev 16032)
+++ django/branches/releases/1.3.X/docs/internals/contributing.txt      
2011-04-17 14:27:53 UTC (rev 16033)
@@ -104,19 +104,19 @@
       fix is forthcoming. We'll give a rough timeline and ask the reporter
       to keep the issue confidential until we announce it.
 
-    * Halt all other development as long as is needed to develop a fix,
-      including patches against the current and two previous releases.
+    * Focus on developing a fix as quickly as possible and produce patches
+      against the current and two previous releases.
 
     * Determine a go-public date for announcing the vulnerability and the fix.
       To try to mitigate a possible "arms race" between those applying the
       patch and those trying to exploit the hole, we will not announce
       security problems immediately.
 
-    * Pre-notify everyone we know to be running the affected version(s) of
-      Django. We will send these notifications through private e-mail
-      which will include documentation of the vulnerability, links to the
-      relevant patch(es), and a request to keep the vulnerability
-      confidential until the official go-public date.
+    * Pre-notify third-party distributors of Django ("vendors"). We will send
+      these vendor notifications through private email which will include
+      documentation of the vulnerability, links to the relevant patch(es), and 
a
+      request to keep the vulnerability confidential until the official
+      go-public date.
 
     * Publicly announce the vulnerability and the fix on the pre-determined
       go-public date. This will probably mean a new release of Django, but
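Review bot: The rewritten pre-notification bullet introduces "vendors" only as "third-party distributors of Django" and does not say how a distributor gets onto that notification list or whom to contact to be added. Because it replaces "everyone we know to be running the affected version(s)", it would help to add a sentence stating that other users will first hear of an issue at the public announcement, so that nobody relies on a private notice that is no longer sent. In the first changed bullet, "as quickly as possible" drops the explicit priority that "Halt all other development" stated; if security fixes still take precedence over other work, say so. Minor style point: the new text uses "email" where the removed text used "e-mail", so check which spelling the rest of contributing.txt uses.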
