On 11/26/05, Kenneth Gonsalves <[EMAIL PROTECTED]> wrote:
> have been talking to some php folk about switching to django, but
> they have raised a serious concern: Django website does not have a
> page for security alerts and the django team has not released any
> security patches - so they feel very uneasy about the whole thing.
> Can this defect somehow be rectified?

Let me get this straight. They're worried that nobody has found security holes in Django? I guess I don't understand the logic there: "No security issues have been found; therefore it's insecure"?

But seriously, there haven't been any security-related fixes in Django since July 19 (http://code.djangoproject.com/changeset/230), when about 2 people were using it. I guess you could count http://code.djangoproject.com/changeset/1242, which changed the debug page's behavior not to display the database password and secret key, but that's hardly a huge thing.

Jacob has drafted a "Contributing to Django" page, which has a full section on how we handle security bugs/alerts, but he hasn't posted that to the site yet. It will have the full scoop on how we handle security problems if they arise.

Adrian

--
Adrian Holovaty
holovaty.com | djangoproject.com | chicagocrime.org