Re: Who should security issues be reported to?

From: Aahz (aahz_at_pythoncraft.com)
Date: 01/28/05


Date: 28 Jan 2005 14:14:51 -0500

In article <1106911061.429966.303510@f14g2000cwb.googlegroups.com>,
 <grahamd@dscpl.com.au> wrote:
>Aahz wrote:
>> In article <1106863164.745581.11920@f14g2000cwb.googlegroups.com>,
>> <grahamd@dscpl.com.au> wrote:
>>>
>>>Who are the appropriate people to report security problems to in
>>>respect of a module included with the Python distribution? I don't
>>>feel it appropriate to be reporting it on general mailing lists.
>>
>> There is no generally appropriate non-public mechanism for reporting
>> security issues. If you really think this needs to be handled
>> privately, do some research to find out which core developer is most
>> likely to be familiar with it. Even before you do that, check
>> SourceForge to find out whether anyone else has reported it as a bug.
>
>I find this response a bit disappointing frankly. Open Source people
>make such a big deal about having lots of people being able to look at
>source code and from that discover security problems, thus somehow
>making it better than proprietary source code.

That's generally true, but not universally. The key point you seem to
have missed in my response is "non-public mechanism". Historically,
Python security issues have been thrashed out in public; the Python
project does not have a release cycle that makes it possible to quickly
address security concerns, so keeping it private has little point.

Your decision to take the private route makes it your responsibility to
search for an appropriate mechanism.

>I'm sorry, but this isn't really good enough. If Open Source wants to
>say that they are better than these proprietary companies, they need
>to deal with these sorts of things more professionally and establish
>decent channels of communications for dealing with it.

As other people said, sounds like you want to volunteer for this. Which
would be fine -- but there's still not much point until/unless we get
enough volunteers to manage quicker release cycles. Then there's still
the problem of getting people to update their local copies of Python.
This is a complex issue.

-- 
Aahz (aahz@pythoncraft.com)           <*>         http://www.pythoncraft.com/
"19. A language that doesn't affect the way you think about programming,
is not worth knowing."  --Alan Perlis
