On Thu, Mar 19, 2009 at 02:04, "Martin v. Löwis" <martin at v.loewis.de> wrote: > I just got a few questions on how to apply security fixes. > To clarify, I recommend the following guidelines: > > - whether something constitutes a security bug is sometimes > debatable - in case of doubt, discussion is needed. I would > be in favor of fixing it if the patch is small and obviously > correct, and opposed if the patch looks tricky. Double check > that the routine behavior (the "good" cases) stay completely > unchanged (in particular, be aware of not allowing new > exceptions to occur). > - if you want to backport a security bug fix to 2.5, ALWAYS > consider 2.4 as well. They are in the same state, and should > get the same care (2.3 is closed for good). Of course, it > might be that the bug doesn't exist in 2.4. > - ALWAYS notify security at python.org. For one thing, they might > offer advise on how to proceed, but also, they might consider > publishing an advisory, and/or notifying some CERT. Notification > is in particular necessary if you are unfamiliar with security > issues, how they get classified, and so on - so do ask the > experts. (and no, I'm not one of them :-) All sounds reasonable, although getting those of us on security@ to get an announcement out has not gone so well as of late. =) -Brett -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.python.org/pipermail/python-dev/attachments/20090319/a22ec219/attachment.htm>
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4