Hello Steve, Bert,

Thanks for your answers. I think everything is pretty clear. About Steve's question on where to publish the release policy, I would say either trypyramid.com or the main documentation site could be appropriate places to publish the release policy.
Best regards,
Aritz Sanchez

On Friday, 10 May 2019 18:41:25 UTC+2, Bert JW Regeer wrote:
>
> On May 10, 2019, at 06:27, Steve Piercy <[email protected]> wrote:
>
>> Thank you for asking the questions. You've asked a couple of questions for which we have not yet established and published clear procedures, so we'll need to update our policies.
>>
>> https://pylonsproject.org/community-support.html
>>
>> I think we've just assumed what are best practices without defining our procedures, but I'll defer to our more experienced security issue response team members.
>>
>> On 5/10/19 at 3:08 AM, [email protected] (Aritz Sanchez) pronounced:
>>
>>> 1. I read that contributors should use the e-mail address [email protected] to report security issues found in any Pylons product.
>>>
>>> a. Is there any dedicated channel for releasing security advisories/announcements?
>>
>> There is no channel dedicated to only security issues. I assume the announcements would be made via this list, pylons-devel, and Twitter @pylonsproject as necessary.
>
> Just reiterating this, we do send out notifications of new releases on a variety of platforms, mailing list, twitter, and I post on Keybase. This will include call-outs on security issues:
>
> https://twitter.com/PylonsProject/status/1091407873496702977
>
>>> b. Do you report CVEs found in the Pylons products via NVD?
>>
>> We have not had one yet, but I assume that we would.
>
> This is inaccurate.
>
> The project Colander, which is part of the Pylons Project, was recently fixed for an infinite loop in the regex for validation that could have led to denial of service attacks. I received and got
>
> CVE-ID: CVE-2017-18361
>
> assigned as the CVE ID; this information is also available in NVD.
>
> https://nvd.nist.gov/vuln/detail/CVE-2017-18361
>
> Yes, we do report CVEs and Mitre submits those to NVD.
>
>>> 2. As far as I see, you maintain two stable versions: the most recent major release and the previous release. Currently, Pyramid 1.10.x and 1.9.x. If I understand it correctly, as soon as a new major version is released, the oldest of the two previous stable versions is no longer maintained? E.g., when Pyramid 2.0 is released (I guess it is going to be this year), 1.9.x will no longer be maintained. Is that so? (An approximate period of two years)
>>
>> Correct, although the exact release date of Pyramid 2.0 is to be determined. However, we could do a better job of publishing this information for Pyramid. Where would you suggest as a good place to publish our policy?
>>
>> It's implied here:
>>
>> https://trypyramid.com/documentation.html
>
> I think we should explicitly state the policy in our README.rst.
>
>>> 3. Do you backport security fixes to stale versions (e.g. 1.8.x, 1.7.x, …), or should users try to migrate to the newest releases as soon as possible?
>>
>> We do not backport fixes to stale versions. Upgrading is the recommended path.
>
> We do attempt to make upgrading as painless as possible. We do not have an LTS release and do not have the manpower to do so.
>
>>> I apologise again if I should have posted my message somewhere else and would really appreciate it if you could point out the right place to do it instead.
>>
>> Not at all. You've brought up some issues for us to discuss and improve for those who follow in your footsteps.
>>
>> --steve
>>
>> ------------------------
>> Steve Piercy, Eugene, OR
>>
>> --
>> You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To post to this group, send email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/r480Ps-10126i-4886B700A1B24FBB9B3D70041BDB56DB%40Steves-iMac.local.
>> For more options, visit https://groups.google.com/d/optout.
