Hello,

On 15/04/11 13:30, Brian Curtin wrote:
> To me, the fix *was* released.

No, it wasn't. It was *committed* to the repository.

> Sure, no fancy installers were generated yet, but people who are
> susceptible to this issue 1) now know about it, and 2) have a way to
> patch their system *if needed*.

Well, that's a long shot. I doubt the people/organizations affected are all aware. And I doubt they are all capable of patching their system or getting a patched Python from a trusted party.

Three weeks after this security vulnerability was *publicly* reported on bugs.python.org, and two days after it was semi-officially announced, I'm still waiting for security updates for my Ubuntu and Debian systems!

I reckon if this had been handled differently (i.e., making new releases and communicating it via the relevant channels [1]), we wouldn't have the situation we have right now.

May I suggest that you adopt a policy for handling security issues like Django's?
http://docs.djangoproject.com/en/1.3/internals/contributing/#reporting-security-issues

Cheers,

[1] For example, <http://mail.python.org/mailman/listinfo/python-announce-list>, <http://www.python.org/news/>, <http://www.python.org/news/security/>.

--
Gustavo Narea <xri://=Gustavo>.
| Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |