On Thu, Mar 19, 2009 at 02:04, "Martin v. Löwis" <mar...@v.loewis.de> wrote:
> I just got a few questions on how to apply security fixes. > To clarify, I recommend the following guidelines: > > - whether something constitutes a security bug is sometimes > debatable - in case of doubt, discussion is needed. I would > be in favor of fixing it if the patch is small and obviously > correct, and opposed if the patch looks tricky. Double check > that the routine behavior (the "good" cases) stay completely > unchanged (in particular, be aware of not allowing new > exceptions to occur). > - if you want to backport a security bug fix to 2.5, ALWAYS > consider 2.4 as well. They are in the same state, and should > get the same care (2.3 is closed for good). Of course, it > might be that the bug doesn't exist in 2.4. > - ALWAYS notify secur...@python.org. For one thing, they might > offer advise on how to proceed, but also, they might consider > publishing an advisory, and/or notifying some CERT. Notification > is in particular necessary if you are unfamiliar with security > issues, how they get classified, and so on - so do ask the > experts. (and no, I'm not one of them :-) All sounds reasonable, although getting those of us on security@ to get an announcement out has not gone so well as of late. =) -Brett
_______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
