Who should security issues be reported to?
Fuzzyman
fuzzyman at gmail.com
Wed Feb 2 03:05:19 EST 2005
Paul Rubin wrote:
> "Fuzzyman" <fuzzyman at gmail.com> writes:
> > The sourceforge bug tracker *is* the single right place to post such
> > issues. The py-dev mailing list would be a second *useful* place to
> > post such a comment, although not really the right place. The OP seemed
> > to want an individual with whom he could have a private conversation
> > about it.
>
> I think he wanted a place to send a bug report that wouldn't be
> exposed to public view until the developers had a chance to issue a
> patch. With bugzilla, for example, you can check a bug labelled "this
> is a security bug, keep it confidential". There are lots of dilemmas
> and some controversy about keeping any bug reports confidential in an
> open source system. But the general strategy selected by Mozilla
> after much debate seems to mostly work ok. It basically says develop
> a patch quickly, keep the bug confidential while the patch is being
> developed, and once the patch is available, notify distro maintainers
> to install it, and then after a short delay (like a couple days),
> publish the bug.
>
> Note that anyone with access to the bug (that includes the reporter
> and selected developers) can uncheck the box at any time, if they
> think the bug no longer needs to be confidential. The bug then
> becomes visible to the public.
Sounds like a useful feature request to Sourceforge.
Regards,
Fuzzy
http://www.voidspace.org.uk/python/index.shtml