[Python-Dev] Python security team

Brett Cannon brett at python.org
Mon Sep 29 00:43:08 CEST 2008


On Sun, Sep 28, 2008 at 6:39 AM, Steve Holden <steve at holdenweb.com> wrote:
> Brett Cannon wrote:
>> On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
>> <victor.stinner at haypocalc.com> wrote:
>>> Hi,
>>>
>>> I would like to know if a Python security team does exist. I sent an email
>>> about an imageop issue, and I didn't get any answer. Later I learned that a
>>> security ticket was created, but I don't have access to it.
>>>
>>
>> Yes, the PSRT (Python Security Response Team) does exist. We did get
>> your email; sorry we didn't respond. There are very few members on
>> that list and most of them are extremely busy. Responding to your
>> email just slipped through the cracks. I believe Benjamin was the last
>> person to work on your submitted patch.
>>
> [...]
>
> If we don't have a documented procedure, or if we do have a procedure
> and it isn't being followed, we can't be said to be taking security
> seriously, which I would find disappointing. This is one of the few
> areas where we probably *do* need to be meticulous, and the absence of a
> reply to a security report isn't really satisfactory.
>
> Perhaps if the PSF does eventually hire some paid help, running the
> secretarial and administrative portions of the security team would help
> the busy members to avoid such issues dropping through the cracks in future.
>

That actually would be extremely beneficial, since right now a big
problem we have is writing up the official announcement that some
security issue has been plugged and then putting the patches up
online for people to download.

-Brett