[EMAIL PROTECTED] wrote:
> Aahz wrote:
> > In article <[EMAIL PROTECTED]>,
> > <[EMAIL PROTECTED]> wrote:
> > >
> > > Who are the appropriate people to report security problems to in
> > > respect of a module included with the Python distribution? I don't
> > > feel it appropriate to be reporting it on general mailing lists.
> >
> > There is no generally appropriate non-public mechanism for reporting
> > security issues. If you really think this needs to be handled
> > privately, do some research to find out which core developer is most
> > likely to be familiar with it. Even before you do that, check
> > SourceForge to find out whether anyone else has reported it as a bug.
>
> I find this response a bit disappointing frankly. Open Source people
> make such a big deal about having lots of people being able to look at
> source code and from that discover security problems, thus somehow
> making it better than proprietary source code. From what I can see, if
> an Open Source project is quite large with lots of people involved, it
> makes it very hard to try and identify who you should report something
> to when there is no clearly identifiable single point of contact for
> security related issues.

The sourceforge bug tracker *is* the single right place to post such
issues. The py-dev mailing list would be a second *useful* place to post
such a comment, although not really the right place. The OP seemed to
want an individual with whom he could have a private conversation about
it.

Regards,

Fuzzy
http://www.voidspace.org.uk/python/index.shtml

> Why should I have to go through hoops to try and track down who is
> appropriate to send it to? All you need is a single advertised email
> address for security issues which is forwarded onto a small group of
> developers who can then evaluate the issue and forward it on to the
> appropriate person. Such developers could probably do such evaluation
> in minutes, yet I have to spend a lot longer trying to research who to
> send it to and then potentially wait days for some obscure person
> mentioned in the source code who has not touched it in years to
> respond, if at all. Meanwhile you have a potentially severe security
> hole sitting there waiting for someone to exploit, with the only saving
> grace being the low relative numbers of users who may be using it in
> the insecure manner and that it would be hard to identify the actual
> web sites which suffer the problem.
>
> I'm sorry, but this isn't really good enough. If Open Source wants to
> say that they are better than these proprietary companies, they need to
> deal with these sorts of things more professionally and establish
> decent channels of communications for dealing with it.
>
> And yes I have tried mailing the only people mentioned in the module in
> question and am still waiting for a response.

--
http://mail.python.org/mailman/listinfo/python-list