On Fri, Apr 15, 2011 at 8:59 AM, Antoine Pitrou <solip...@pitrou.net> wrote:
> On Fri, 15 Apr 2011 08:36:16 -0400
> Jesse Noller <jnol...@gmail.com> wrote:
>> On Fri, Apr 15, 2011 at 8:30 AM, Brian Curtin <brian.cur...@gmail.com> wrote:
>> >
>> > On Apr 15, 2011 3:46 AM, "Gustavo Narea" <m...@gustavonarea.net> wrote:
>> >>
>> >> Hi all,
>> >>
>> >> How come a description of how to exploit a security vulnerability
>> >> comes before a release for said vulnerability? I'm talking about this:
>> >> http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html
>> >>
>> >> My understanding is that the whole point of asking people not to
>> >> report security vulnerabilities publicly was to allow time to release a
>> >> fix.
>> >
>> > To me, the fix *was* released. Sure, no fancy installers were generated
>> > yet, but people who are susceptible to this issue 1) now know about it,
>> > and 2) have a way to patch their system *if needed*.
>> >
>> > If that's wrong, I apologize for writing the post too early. On top of
>> > that, it seems I didn't get all of the details right either, so
>> > apologies on that as well.
>>
>> The code is open source: anyone watching the commits/list knows that
>> this issue was fixed. It's better to keep it in the public's eyes, so
>> they know *something was fixed and they should patch* than to rely on
>> people *not* watching these channels.
>>
>> Assume the bad guys already knew about the exploit: we have to spread
>> the knowledge of the fix as far and as wide as we can so that people
>> even know there is an issue, and that it was fixed. This applies to
>> users and *vendors* as well.
>
> True. However, many open source projects take the habit of cutting a
> release when a hole is discovered and fixed. It depends how seriously
> they (and their users) take security. Of course, there are different
> kinds of security issues, more or less severe. I don't know how severe
> the above issue is.
>
> Relying on a vendor distribution (such as a Linux distro, or
> ActiveState) is hopefully enough to get these security updates in time
> without patching anything by hand. I don't think many people compile
> Python for production use, but many do use our Windows installers.
>
> Regards
>
> Antoine.
>
Agreed; but all I'm defending is the post describing what was fixed and how it was fixed. Hiding it until we get around to eventually cutting a release doesn't make the fix, or the vulnerability, go away. We need to issue a release *quickly* - and we need to notify all of our consumers quickly.

jesse