On Fri, 15 Apr 2011 08:36:16 -0400 Jesse Noller <jnol...@gmail.com> wrote:

> On Fri, Apr 15, 2011 at 8:30 AM, Brian Curtin <brian.cur...@gmail.com> wrote:
> >
> > On Apr 15, 2011 3:46 AM, "Gustavo Narea" <m...@gustavonarea.net> wrote:
> >>
> >> Hi all,
> >>
> >> How come a description of how to exploit a security vulnerability
> >> comes before a release for said vulnerability? I'm talking about this:
> >> http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html
> >>
> >> My understanding is that the whole point of asking people not to
> >> report security vulnerabilities publicly was to allow time to release a
> >> fix.
> >
> > To me, the fix *was* released. Sure, no fancy installers were generated yet,
> > but people who are susceptible to this issue 1) now know about it, and 2)
> > have a way to patch their system *if needed*.
> >
> > If that's wrong, I apologize for writing the post too early. On top of that,
> > it seems I didn't get all of the details right either, so apologies on that
> > as well.
>
> The code is open source: anyone watching the commits/list knows that
> this issue was fixed. It's better to keep it in the public's eye, so
> they know *something was fixed and they should patch*, than to rely on
> people *not* watching these channels.
>
> Assume the bad guys already knew about the exploit: we have to spread
> the knowledge of the fix as far and as wide as we can so that people
> even know there is an issue, and that it was fixed. This applies to
> users and *vendors* as well.
True. However, many open source projects make a habit of cutting a release when a hole is discovered and fixed. It depends on how seriously they (and their users) take security. Of course, there are different kinds of security issues, more or less severe. I don't know how severe the above issue is.

Relying on a vendor distribution (such as a Linux distro, or ActiveState) is hopefully enough to get these security updates in time without patching anything by hand. I don't think many people compile Python for production use, but many do use our Windows installers.

Regards

Antoine.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev