On Sun, Apr 17, 2011 at 7:48 AM, Antoine Pitrou <solip...@pitrou.net> wrote:
> On Sat, 16 Apr 2011 21:32:48 -0500
> Brian Curtin <brian.cur...@gmail.com> wrote:
>> > Three weeks after this security vulnerability was *publicly* reported on
>> > bugs.python.org, and two days after it was semi-officially announced,
>> > I'm still waiting for security updates for my Ubuntu and Debian systems!
>> >
>> > I reckon if this had been handled differently (i.e., making new releases
>> > and communicating it via the relevant channels [1]), we wouldn't have
>> > the situation we have right now.
>>
>>
>> I don't really think there's a "situation" here, and I fail to see how the
>> development blog isn't one of the relevant channels.
>
> If we want to make official announcements (like releases or security
> warnings), I don't think the blog is appropriate. A separate
> announcement channel (mailing-list or newsgroup) would be better, where
> people can subscribe knowing they will only get a couple of e-mails a
> year.
>
> Regards
>
> Antoine.

And whose responsibility is it to email yet another mythical list? The person posting the fix? The person who found and filed the CVE? The release manager?

Brian *helped* us by raising awareness of the issue: At least now there's a chance that one or more of the OS vendors *saw* that this was an issue that was fixed.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com