Paul Rubin wrote: > "Fuzzyman" <[EMAIL PROTECTED]> writes: > > The sourceforge bug tracker *is* the single right place to post such > > issues. The py-dev mailing list would be a second *useful* place to > > post such a comment, although not really the right place. The OP seemed > > to want an individual with whom he could have a private conversation > > about it. > > I think he wanted a place to send a bug report that wouldn't be > exposed to public view until the developers had a chance to issue a > patch. With bugzilla, for example, you can check a bug labelled "this > is a security bug, keep it confidential". There's lots of dilemmas > and some controversy about keeping any bug reports confidential in an > open source system. But the general strategy selected by Mozilla > after much debate seems to mostly work ok. It basically says develop > a patch quickly, keep the bug confidential while the patch is being > developed, and once the patch is available, notify distro maintainers > to install it, and then after a short delay (like a couple days), > publish the bug. > > Note that anyone with access to the bug (that includes the reporter > and selected developers) can uncheck the box at any time, if they > think the bug no longer needs to be confidential. The bug then > becomes visible to the public.
Sounds like a useful feature request to Sourceforge. Regards, Fuzzy http://www.voidspace.org.uk/python/index.shtml -- http://mail.python.org/mailman/listinfo/python-list
