Hello,

On 15/04/11 13:30, Brian Curtin wrote:
> To me, the fix *was* released.

No, it wasn't. It was *committed* to the repository.

> Sure, no fancy installers were generated yet, but people who are
> susceptible to this issue 1) now know about it, and 2) have a way to
> patch their system *if needed*.

Well, that's a long shot. I doubt the people/organizations affected are all aware. And I doubt they are all capable of patching their system or getting a patched Python from a trusted party.

Three weeks after this security vulnerability was *publicly* reported on bugs.python.org, and two days after it was semi-officially announced, I'm still waiting for security updates for my Ubuntu and Debian systems!

I reckon if this had been handled differently (i.e., making new releases and communicating it via the relevant channels [1]), we wouldn't have the situation we have right now.

May I suggest that you adopt a policy for handling security issues like Django's?
http://docs.djangoproject.com/en/1.3/internals/contributing/#reporting-security-issues

Cheers,

[1] For example, <http://mail.python.org/mailman/listinfo/python-announce-list>, <http://www.python.org/news/>, <http://www.python.org/news/security/>.

-- 
Gustavo Narea <xri://=Gustavo>.
  | Tech blog: =Gustavo/(+blog)/tech  ~  About me: =Gustavo/about |

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev