On Sat, Apr 16, 2011 at 9:23 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> On Sat, Apr 16, 2011 at 9:45 PM, Gustavo Narea <me at gustavonarea.net> wrote:
>> May I suggest that you adopt a policy for handling security issues like
>> Django's?
>> http://docs.djangoproject.com/en/1.3/internals/contributing/#reporting-security-issues
>
> When the list of people potentially using the software is "anyone
> running Linux or Mac OS X and an awful lot of people running Windows
> or an embedded device", private pre-announcements simply aren't a
> practical reality. Neither is "stopping all other development" when
> most of the core development team aren't on the security at python.org
> list and don't even know a security issue exists until it is announced
> publicly. Take those two impractical steps out of the process, and
> what you have *is* the python.org procedure for dealing with security
> issues.

Just to fill in a bit of missing detail about our process since the doc
doesn't perfectly describe what happens:

* Our pre-announce list is *really* short. It consists of release managers
  for various distributions that distribute packaged versions of Django --
  Ubuntu, RedHat, and the like. Yes it's a bit of bookkeeping, but we feel
  it's really important to our users: not everyone installs the Django
  package *we* put out, so we think it's important to coordinate security
  releases with downstream distributors so that users get a fixed version
  of Django regardless of how they're installing Django in the first place.

* We don't really halt all development. I don't know why that's in there,
  except maybe that it pre-dates there being more than a couple-three
  committers. The point is just that we treat the security issue as our
  most important issue at the moment and fix it as quickly as possible.

I don't really have a point here as it pertains to python-dev, but I
thought it's important to clarify what Django *actually* does if it's
being discussed as a model.

Jacob