[Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

tritium-list at sdamon.com tritium-list at sdamon.com
Fri Feb 24 05:52:01 EST 2017 

Ask the infrastructure team for a tracker instance.  That would probably be
more fruitful of an outlet than in the thread of this one issue.  (I'm not
trying to be flippant, I think a private issue tracker for vulnerabilities
is a really good idea, I just don't think that bemoaning the lack of one in
a thread about an FTP issue is likely to get much done.)

> -----Original Message-----
> From: Python-Dev [mailto:python-dev-bounces+tritium-
> list=sdamon.com at python.org] On Behalf Of Antoine Pitrou
> Sent: Friday, February 24, 2017 5:02 AM
> To: python-dev at python.org
> Subject: Re: [Python-Dev] Python FTP Injections Allow for Firewall Bypass
> (oss-security advisory)
> 
> On Thu, 23 Feb 2017 23:51:45 -0800
> Benjamin Peterson <benjamin at python.org> wrote:
> >
> > Like all CPython developers, the Python security team are all
> > volunteers. That combined with the fact that dealing with security
> > issues is one of the least fun programming tasks means issues are
> > sometimes dropped.
> >
> > Perhaps some organization with a stake Python security would like to
> > financially support Python security team members.
> >
> > As for this, particular issue, we should determine if there's a tracker
> > issue yet and continue discussion there.
> 
> Just for the record, I find the mailing-list scheme used by PSRT quite
> difficult to deal with.  For many people it's easy to lose track of
> e-mails received more than one week ago, so the necessary followup to
> security issues received by e-mail suffers.
> 
> It's a bit sad that regular issues benefit from a full-fledged
> Roundup instance to allow for easy tracking of open issues (including
> comments and proposed fixes), but security issues are restricted to such
> a primitive communication setup which makes it so difficult to get work
> done.
> 
> AFAIK, other projects have full-fledged private bug trackers for their
> security issues (or access-restricted sections in the main bug tracker,
> where the software supports it).
> 
> Regards
> 
> Antoine.
> 
> 
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/tritium-
> list%40sdamon.com

More information about the Python-Dev mailing list