Re: Who should security issues be reported to?
From: Fuzzyman (fuzzyman_at_gmail.com)
Date: 02/02/05
- Next message: jrlen balane: "Re: how to separate hexadecimal"
- Previous message: Alex Martelli: "Re: Next step after pychecker"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 2 Feb 2005 00:05:19 -0800
Paul Rubin wrote:
> "Fuzzyman" <fuzzyman@gmail.com> writes:
> > The sourceforge bug tracker *is* the single right place to post such
> > issues. The py-dev mailing list would be a second *useful* place to
> > post such a comment, although not really the right place. The OP seemed
> > to want an individual with whom he could have a private conversation
> > about it.
>
> I think he wanted a place to send a bug report that wouldn't be
> exposed to public view until the developers had a chance to issue a
> patch. With bugzilla, for example, you can check a bug labelled "this
> is a security bug, keep it confidential". There's lots of dilemmas
> and some controversy about keeping any bug reports confidential in an
> open source system. But the general strategy selected by Mozilla
> after much debate seems to mostly work ok. It basically says develop
> a patch quickly, keep the bug confidential while the patch is being
> developed, and once the patch is available, notify distro maintainers
> to install it, and then after a short delay (like a couple days),
> publish the bug.
>
> Note that anyone with access to the bug (that includes the reporter
> and selected developers) can uncheck the box at any time, if they
> think the bug no longer needs to be confidential. The bug then
> becomes visible to the public.
Sounds like a useful feature request to Sourceforge.
Regards,
Fuzzy
http://www.voidspace.org.uk/python/index.shtml