Re: [Python-Dev] Releases for recent security vulnerability

2011-04-17 Thread Stephen J. Turnbull
Nick Coghlan writes:
> I'd personally like to see a couple of adjustments to
> http://www.python.org/news/security/:

For another thing, it needs to be more discoverable. For yet another thing, it has two ancient entries on it. Surely there are more than that?

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-17 Thread Stephen J. Turnbull
Gustavo Narea writes:
> Well, that's a long shot. I doubt the people/organizations affected are
> all aware.

That's really not Python's responsibility. That's theirs. Caveats: Python should have a single place where security patches are announced *first*, before developer blogs and the like.

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-17 Thread Nick Coghlan
On Mon, Apr 18, 2011 at 12:03 AM, Jacob Kaplan-Moss wrote:
> Just to fill in a bit of missing detail about our process since the
> doc doesn't perfectly describe what happens:
>
> * Our pre-announce list is *really* short. It consists of release
> managers for various distributions that distribute

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-17 Thread R. David Murray
On Sun, 17 Apr 2011 09:30:17 -0400, Jesse Noller wrote:
> On Sun, Apr 17, 2011 at 7:48 AM, Antoine Pitrou wrote:
> > On Sat, 16 Apr 2011 21:32:48 -0500 Brian Curtin
> > wrote:
> >> > Three weeks after this security vulnerability was *publicly* reported on
> >> > bugs.python.org, and two days af

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-17 Thread Jacob Kaplan-Moss
On Sat, Apr 16, 2011 at 9:23 AM, Nick Coghlan wrote:
> On Sat, Apr 16, 2011 at 9:45 PM, Gustavo Narea wrote:
>> May I suggest that you adopt a policy for handling security issues like
>> Django's?
>> http://docs.djangoproject.com/en/1.3/internals/contributing/#reporting-security-issues
>
> When t

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-17 Thread Jesse Noller
On Sun, Apr 17, 2011 at 9:42 AM, Antoine Pitrou wrote:
> On Sunday 17 April 2011 at 09:30 -0400, Jesse Noller wrote:
>> >
>> > If we want to make official announcements (like releases or security
>> > warnings), I don't think the blog is appropriate. A separate
>> > announcement channel (maili

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-17 Thread Antoine Pitrou
On Sun, 17 Apr 2011 08:30:33 -0400 Fred Drake wrote:
> On Sun, Apr 17, 2011 at 7:48 AM, Antoine Pitrou wrote:
> > A separate announcement channel (mailing-list or newsgroup) would be better,
> > where people can subscribe knowing they will only get a couple of e-mails a
> > year.
>
> Sounds like

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-17 Thread Antoine Pitrou
On Sunday 17 April 2011 at 09:30 -0400, Jesse Noller wrote:
> >
> > If we want to make official announcements (like releases or security
> > warnings), I don't think the blog is appropriate. A separate
> > announcement channel (mailing-list or newsgroup) would be better, where
> > people can su

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-17 Thread Jesse Noller
On Sun, Apr 17, 2011 at 7:48 AM, Antoine Pitrou wrote:
> On Sat, 16 Apr 2011 21:32:48 -0500
> Brian Curtin wrote:
>> > Three weeks after this security vulnerability was *publicly* reported on
>> > bugs.python.org, and two days after it was semi-officially announced,
>> > I'm still waiting for sec

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-17 Thread Fred Drake
On Sun, Apr 17, 2011 at 7:48 AM, Antoine Pitrou wrote:
> A separate announcement channel (mailing-list or newsgroup) would be better,
> where people can subscribe knowing they will only get a couple of e-mails a
> year.

Sounds like python-announce to me, with a matching entry on the front of www.

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-17 Thread Antoine Pitrou
On Sat, 16 Apr 2011 21:32:48 -0500 Brian Curtin wrote:
> > Three weeks after this security vulnerability was *publicly* reported on
> > bugs.python.org, and two days after it was semi-officially announced,
> > I'm still waiting for security updates for my Ubuntu and Debian systems!
> >
> > I recko

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-16 Thread Brian Curtin
On Sat, Apr 16, 2011 at 06:45, Gustavo Narea wrote:
> Hello,
>
> On 15/04/11 13:30, Brian Curtin wrote:
> > To me, the fix *was* released.
>
> No, it wasn't. It was *committed* to the repository.
>
Yep, and that's enough for me. If you have a vulnerable system, you can now patch it with an accep

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-16 Thread Nick Coghlan
On Sat, Apr 16, 2011 at 9:45 PM, Gustavo Narea wrote:
> I reckon if this had been handled differently (i.e., making new releases
> and communicating it via the relevant channels [1]), we wouldn't have
> the situation we have right now.

Nope, we would have a situation where the security team were

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-16 Thread Gustavo Narea
Hello,

On 15/04/11 13:30, Brian Curtin wrote:
> To me, the fix *was* released.

No, it wasn't. It was *committed* to the repository.

> Sure, no fancy installers were generated yet, but people who are
> susceptible to this issue 1) now know about it, and 2) have a way to
> patch their system *if n

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-15 Thread Jesse Noller
On Fri, Apr 15, 2011 at 8:59 AM, Antoine Pitrou wrote:
> On Fri, 15 Apr 2011 08:36:16 -0400
> Jesse Noller wrote:
>> On Fri, Apr 15, 2011 at 8:30 AM, Brian Curtin wrote:
>> >
>> > On Apr 15, 2011 3:46 AM, "Gustavo Narea" wrote:
>> >>
>> >> Hi all,
>> >>
>> >> How come a description of how to ex

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-15 Thread Fred Drake
On Fri, Apr 15, 2011 at 8:59 AM, Antoine Pitrou wrote:
> Relying on a vendor distribution (such as a Linux distro, or
> ActiveState) is hopefully enough to get these security updates in time
> without patching anything by hand. I don't think many people compile
> Python for production use, but man

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-15 Thread Antoine Pitrou
On Fri, 15 Apr 2011 08:36:16 -0400 Jesse Noller wrote:
> On Fri, Apr 15, 2011 at 8:30 AM, Brian Curtin wrote:
> >
> > On Apr 15, 2011 3:46 AM, "Gustavo Narea" wrote:
> >>
> >> Hi all,
> >>
> >> How come a description of how to exploit a security vulnerability
> >> comes before a release for said

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-15 Thread Jesse Noller
On Fri, Apr 15, 2011 at 8:30 AM, Brian Curtin wrote:
>
> On Apr 15, 2011 3:46 AM, "Gustavo Narea" wrote:
>>
>> Hi all,
>>
>> How come a description of how to exploit a security vulnerability
>> comes before a release for said vulnerability? I'm talking about this:
>> http://blog.python.org/2011/0

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-15 Thread Brian Curtin
On Apr 15, 2011 3:46 AM, "Gustavo Narea" wrote:
>
> Hi all,
>
> How come a description of how to exploit a security vulnerability
> comes before a release for said vulnerability? I'm talking about this:
> http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html
>
> My understanding

Re: [Python-Dev] Releases for recent security vulnerability

2011-04-15 Thread Senthil Kumaran
On Fri, Apr 15, 2011 at 09:35:06AM +0100, Gustavo Narea wrote:
>
> How come a description of how to exploit a security vulnerability
> comes before a release for said vulnerability? I'm talking about this:
> http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html
>
> My understand

[Python-Dev] Releases for recent security vulnerability

2011-04-15 Thread Gustavo Narea
Hi all, How come a description of how to exploit a security vulnerability comes before a release for said vulnerability? I'm talking about this: http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html My understanding is that the whole point of asking people not to report security