> On May 10, 2019, at 06:27, Steve Piercy <[email protected]> wrote:
> 
> Thank you for asking the questions.  You've asked a couple of questions for 
> which we have not yet established and published clear procedures, so we'll 
> need to update our policies.
> 
> https://pylonsproject.org/community-support.html
> 
> I think we've just assumed what are best practices without defining our 
> procedures, but I'll defer to our more experienced security issue response 
> team members.
> 
> 
> On 5/10/19 at 3:08 AM, [email protected] (Aritz Sanchez) pronounced:
> 
>> 1.  I read that contributors should use the e-mail address 
>> [email protected] to report security issues found in 
>> any Pylons product.
>> 
>> a. Is there any dedicated channel for releasing security 
>> advisories/announcements?
> 
> There is no channel dedicated to only security issues.  I assume the 
> announcements would be made via this list, pylons-devel, and Twitter 
> @pylonsproject as necessary.

Just reiterating this, we do send out notifications of new releases on a 
variety of platforms: the mailing list, Twitter, and I post on Keybase. This will 
include call-outs on security issues:

https://twitter.com/PylonsProject/status/1091407873496702977

> 
>> b. Do you report CVEs found in the Pylons products via NVD?
> 
> We have not had one yet, but I assume that we would.

This is inaccurate.

The project Colander, which is part of the Pylons Project, was recently fixed for 
an infinite loop in a validation regex that could have led to denial of 
service attacks. I received

CVE-ID: CVE-2017-18361

as the assigned CVE ID; this information is also available in NVD.

https://nvd.nist.gov/vuln/detail/CVE-2017-18361

Yes, we do report CVEs, and MITRE submits those to NVD.

> 
>> 2. As far as I see, you maintain two stable versions: the most recent major 
>> release and the previous release. Currently, Pyramid 1.10.x and 1.9.x. If I 
>> understand it correctly, as soon as a new major version is released, the 
>> oldest of the two previous stable versions is no longer maintained? E.g., 
>> when Pyramid 2.0 is released (I guess it is going to be this year), 1.9.x 
>> will no longer be maintained. Is that so? (An approximate period of two 
>> years)
> 
> Correct, although the exact release date of Pyramid 2.0 is to be determined.  
> However we could do a better job of publishing this information for Pyramid.  
> Where would you suggest as a good place to publish our policy?
> 
> It's implied here:
> https://trypyramid.com/documentation.html
> 
> I think we should explicitly state the policy in our README.rst.
> 
>> 3. Do you backport security fixes to stale versions (e.g. 1.8.x, 1.7.x, …), 
>> or should users try to migrate to the newest releases as soon as possible?
> 
> We do not backport fixes to stale versions.  Upgrading is the recommended 
> path.

We do attempt to make upgrading as painless as possible. We do not have an LTS 
release and do not have the manpower to do so.

> 
>> I apologise again if I should have posted my message somewhere else and 
>> would really appreciate if you could point out the right place to do it 
>> instead.
> 
> Not at all.  You've brought up some issues for us to discuss and improve for 
> those who follow in your footsteps.
> 
> --steve
> 
> ------------------------
> Steve Piercy, Eugene, OR
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/pylons-discuss/r480Ps-10126i-4886B700A1B24FBB9B3D70041BDB56DB%40Steves-iMac.local.
> For more options, visit https://groups.google.com/d/optout.
