Aahz wrote:
> In article <[EMAIL PROTECTED]>,
> <[EMAIL PROTECTED]> wrote:
> >
> >Who are the appropriate people to report security problems to in
> >respect of a module included with the Python distribution? I don't
> >feel it appropriate to be reporting it on general mailing lists.
>
> There is no generally appropriate non-public mechanism for reporting
> security issues. If you really think this needs to be handled
> privately, do some research to find out which core developer is most
> likely to be familiar with it. Even before you do that, check
> SourceForge to find out whether anyone else has reported it as a bug.
I find this response a bit disappointing, frankly. Open Source people make such a big deal about having lots of people being able to look at source code and from that discover security problems, thus somehow making it better than proprietary source code. From what I can see, if an Open Source project is quite large with lots of people involved, it makes it very hard to try and identify who you should report something to when there is no clearly identifiable single point of contact for security related issues.

Why should I have to go through hoops to try and track down who is appropriate to send it to? All you need is a single advertised email address for security issues which is forwarded on to a small group of developers who can then evaluate the issue and forward it on to the appropriate person. Such developers could probably do such evaluation in minutes, yet I have to spend a lot longer trying to research who to send it to and then potentially wait days for some obscure person mentioned in the source code who has not touched it in years to respond, if at all. Meanwhile you have a potentially severe security hole sitting there waiting for someone to exploit, with the only saving grace being the low relative numbers of users who may be using it in the insecure manner and that it would be hard to identify the actual web sites which suffer the problem.

I'm sorry, but this isn't really good enough. If Open Source wants to say that they are better than these proprietary companies, they need to deal with these sorts of things more professionally and establish decent channels of communication for dealing with it.

And yes, I have tried mailing the only people mentioned in the module in question and am still waiting for a response.

--
http://mail.python.org/mailman/listinfo/python-list