I just got a few questions on how to apply security fixes. To clarify, I recommend the following guidelines:
- whether something constitutes a security bug is sometimes debatable - in case of doubt, discussion is needed. I would be in favor of fixing it if the patch is small and obviously correct, and opposed if the patch looks tricky. Double check that the routine behavior (the "good" cases) stays completely unchanged (in particular, be aware of not allowing new exceptions to occur).
- if you want to backport a security bug fix to 2.5, ALWAYS consider 2.4 as well. They are in the same state, and should get the same care (2.3 is closed for good). Of course, it might be that the bug doesn't exist in 2.4.
- ALWAYS notify secur...@python.org. For one thing, they might offer advice on how to proceed, but also, they might consider publishing an advisory, and/or notifying some CERT. Notification is in particular necessary if you are unfamiliar with security issues, how they get classified, and so on - so do ask the experts. (and no, I'm not one of them :-)

Regards,
Martin