> OP: Did you discover this supposed security hole from black-box observation
> of behavior or by being one of the 'lots of people being able to look at
> source code', thereby giving evidence to the point?

The technique used which is the source of the problem was actually first discovered in a separate package to the Python distribution, but it was known that the same technique was used in a module within the Python distribution. It is quite possible that other third party packages might use it as well, although a few of the mainstream packages have been checked and they don't use exactly the same technique so are okay. I could have just ignored the fact that the Python distribution had the problem and worried about the other package only.

> a) The OP has provided no info about his/her claim.

Since the problem at least affects two packages and because of the potential for mischief, I am hardly about to identify the packages concerned, nor describe anything that is going to allow people to work out what the issue is.

> b) The OP's original post is a classical troll: blast volunteer developers
> for not having anticipated and planned for a novel situation; argue against
> things not said, at least now here, not recently; imply that volunteers owe
> him something. Most people with the expertise to detect a security hole
> would know better.

And the reaction is what I have more and more been seeing in Open Source circles. That is, either treat posters like ignorant newbies who know no better, or assume they are trolls trying to discredit Open Source. Quite sad really, one tries to do the right thing and gets abused for it. It doesn't matter if a large project may be perceived as being mostly immune to security problems, one could still occur and if it isn't simple to raise such an issue I am sure that some people wouldn't even bother.

> c) The noise generated because of b) has alerted any malware writers
> monitoring c.l.p for hints about exploitable security holes that there
> might be one in one of the few modules where such could reasonably be.

With approx 200+ modules in the Python distribution I can hardly see how this helps. If I had done what you had wanted in (a) and given actual information about the problem I would have been narrowing down the problem to less than a dozen modules. You can't have it both ways.

> OP: If my doubts are wrong and you really do have something to quietly
> report to the 'authority', then do so, and quit making a noise about it.

And so it was, and knowledgeable people are looking at the issue. It should not though have necessitated me making a noise in order to find someone to deal with it in a timely manner. When a proprietary company doesn't have an easy way of reporting problems or seems not to care too much, Open Source people are on top of them like wolves. Why can't Open Source people hold themselves to the same standard?

Not sure why I have even bothered to respond to you as it is probably just the sort of attention you want. You even appear to have some history of taking issue with people, even though in one of your own posts you state:

> Responding to trollish postings. (Jan 26)
>
> My personal strategy is to read only as much of trollish
> threads as I find interesting or somehow instructive, almost never respond,
> and then ignore the rest. I also mostly ignore discussions about such
> threads.
>
> Terry J. Reedy

Maybe you should simply have not responded. Let's see if you now ignore the followup discussion. :-)

--
http://mail.python.org/mailman/listinfo/python-list