Alexander Schremmer wrote: >>I can understand that position. The bugs they find include potential >>security flaws, for which exploits could be created if the results are >>freely available. > > > On the other hand, the exploit could be crafted based on reading the SVN > check-ins ...
Sure. However, at that point, the bug is fixed (atleast in SVN); crackers need to act comparatively fast then to exploit it. OTOH, if only the report was available, the project might not take any action for some time, increasing the risk of an exploit. Only telling the developers is an established tradition for security-relevant bugs, and a reasonable one IMO. Regards, Martin _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
