On Fri, Apr 15, 2011 at 8:30 AM, Brian Curtin <brian.cur...@gmail.com> wrote:
>
> On Apr 15, 2011 3:46 AM, "Gustavo Narea" <m...@gustavonarea.net> wrote:
>>
>> Hi all,
>>
>> How come a description of how to exploit a security vulnerability
>> comes before a release for said vulnerability? I'm talking about this:
>> http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html
>>
>> My understanding is that the whole point of asking people not to
>> report security vulnerabilities publicly was to allow time to release a
>> fix.
>
> To me, the fix *was* released. Sure, no fancy installers were generated yet,
> but people who are susceptible to this issue 1) now know about it, and 2)
> have a way to patch their system *if needed*.
>
> If that's wrong, I apologize for writing the post too early. On top of that,
> it seems I didn't get all of the details right either, so apologies on that
> as well.
The code is open source: anyone watching the commits/list knows that this issue was fixed. It's better to keep it in the public's eyes, so they know *something was fixed and they should patch*, than to rely on people *not* watching these channels.

Assume the bad guys already knew about the exploit: we have to spread the knowledge of the fix as far and as wide as we can so that people even know there is an issue, and that it was fixed. This applies to users and *vendors* as well. A blog post is good communication to our users.

I have to side with Brian on this one.

jesse