On Sun, 17 Apr 2011 09:30:17 -0400, Jesse Noller <jnol...@gmail.com> wrote:
> On Sun, Apr 17, 2011 at 7:48 AM, Antoine Pitrou <solip...@pitrou.net> wrote:
> > On Sat, 16 Apr 2011 21:32:48 -0500 Brian Curtin <brian.cur...@gmail.com>
> > wrote:
> >> > Three weeks after this security vulnerability was *publicly* reported on
> >> > bugs.python.org, and two days after it was semi-officially announced,
> >> > I'm still waiting for security updates for my Ubuntu and Debian systems!
> >> >
> >> > I reckon if this had been handled differently (i.e., making new releases
> >> > and communicating it via the relevant channels [1]), we wouldn't have
> >> > the situation we have right now.
> >>
> >> I don't really think there's a "situation" here, and I fail to see how the
> >> development blog isn't one of the relevant channels.
> >
> > If we want to make official announcements (like releases or security
> > warnings), I don't think the blog is appropriate. A separate
> > announcement channel (mailing-list or newsgroup) would be better, where
> > people can subscribe knowing they will only get a couple of e-mails a
> > year.
>
> And whose responsibility is it to email yet another mythical list? The
> person posting the fix? The person who found and filed the CVE? The
> release manager?
>
> Brian *helped* us by raising awareness of the issue: At least now
> there's a chance that one or more of the OS vendors *saw* that this
> was an issue that was fixed.
The fact that Brian helped publicize it is not really relevant to Antoine's point. The *obvious* answer to your question about whose responsibility it is is: *the security team*. Brian's blog post would then have been much more like he envisioned it when he wrote it, a peek inside the process, rather than appearing to be the primary announcement as many seem to be perceiving it.

That's how distributions, at least, handle this. There's a mailing list for security-related announcements on which only the "security officer" or "security team" posts announcements, and security-related announcements *only*. Then the people responsible for security in any context (a distribution, a security manager for a company, J Random User) can subscribe to it and get *only* security announcements. That allows them to easily prioritize those announcements on receipt.

Python should have such a mailing list.

--
R. David Murray
http://www.bitdance.com

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com