On 1/17/07, Adam Seering <[EMAIL PROTECTED]> wrote:
Out of curiosity, is there a log somewhere of major security holes that are fixed since a release? And, how does one get security patches into the releases used in major distros? Who dropped the ball on this one?
Per the docs on security issues[1], there will either be an entirely new release, if warranted, or a patch released which can be applied to fix any security vulnerability. The policy is to release patches for the current released version and the two previous releases; at the moment, that means 0.95, 0.91 and 0.90 (there are "bugfixes" branches in the repository for 0.90 and 0.91 for this purpose, which exist only to collect security fixes and patches for known bugs in those releases). There's also a low-traffic announcements-only mailing list -- django-announce[2] -- used to send out notifications when this sort of thing happens (though in the past such announcements have also usually been cross-posted to the django-users and django-developers lists, just for good measure). I believe that at the time this bug was found and fixed, our security-reporting and notification infrastructure wasn't yet in place, which is why there isn't an announcement out for it.
We're not eager to use the SVN HEAD version of source on our main servers.
The patch for this should apply cleanly to 0.95; I don't personally know whether it'll be retroactively applied into the 0.95 release distribution or not, though. I think we do need to find some way to draw attention to this patch, however, because it's an important post-0.95 fix.
Some of the people on this project are having serious concerns about the choice to use Django for this particular project; do folks have any thoughts/answers for them?
I'm not sure really what sort of answers there are to give; there aren't any silver bullets which magically make web development "safe". The best you can do is carefully evaluate a product before you start using it, and continue evaluating it as you go; I've written up some thoughts on that with respect to web frameworks[3], but again, there are no universal answers to security questions; anyone who tries to tell you otherwise is selling something.

[1] http://www.djangoproject.com/documentation/contributing/#reporting-security-issues
[2] http://groups.google.com/group/django-announce/
[3] http://www.b-list.org/weblog/2006/08/13/lets-talk-about-frameworks-security-edition

-- 
"May the forces of evil become confused on the way to your house." -- George Carlin

