Thank you for asking the questions. You've asked a couple of
questions for which we have not yet established and published
clear procedures, so we'll need to update our policies.
https://pylonsproject.org/community-support.html
I think we've just assumed what are best practices without
defining our procedures, but I'll defer to our more experienced
security issue response team members.
On 5/10/19 at 3:08 AM, [email protected] (Aritz
Sanchez) pronounced:
1. I read that contributors should use the e-mail address
[email protected] to report security
issues found in any Pylons product.
a. Is there any dedicated channel for releasing security
advisories/announcements?
There is no channel dedicated to only security issues. I assume
the announcements would be made via this list, pylons-devel, and
Twitter @pylonsproject as necessary.
b. Do you report CVEs found in the Pylons products via NVD?
We have not had one yet, but I assume that we would.
2. As far as I see, you maintain two stable versions: the most
recent major release and the previous release. Currently,
Pyramid 1.10.x and 1.9.x. If I understand it correctly, as soon
as a new major version is released, the older of the two
previous stable versions is no longer maintained? E.g., when
Pyramid 2.0 is released (I guess it is going to be this year),
1.9.x will no longer be maintained. Is that so? (An approximate
period of two years)
Correct, although the exact release date of Pyramid 2.0 is to be
determined. However we could do a better job of publishing this
information for Pyramid. Where would you suggest as a good
place to publish our policy?
It's implied here:
https://trypyramid.com/documentation.html
I think we should explicitly state the policy in our README.rst.
3. Do you backport security fixes to stale versions (e.g.
1.8.x, 1.7.x, …), or should users try to migrate to the
newest releases as soon as possible?
We do not backport fixes to stale versions. Upgrading is the
recommended path.
I apologise again if I should have posted my message somewhere
else and would really appreciate if you could point out the
right place to do it instead.
Not at all. You've brought up some issues for us to discuss and
improve for those who follow in your footsteps.
--steve
------------------------
Steve Piercy, Eugene, OR
--
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/pylons-discuss/r480Ps-10126i-4886B700A1B24FBB9B3D70041BDB56DB%40Steves-iMac.local.