Tres Seaver wrote:
If it is possible for a hostile outsider to trigger the DOS by sending
mail to be processed by an application using the library, and the
application can't avoid the DOS without ditching / forking /
monkeypatching the library, then I would call the bug a "security bug",
period.
Barry Warsaw wrote:
That aside, is it actually a python-wide policy to *forbid* patching
older releases where the patch isn't security-related?
I set this policy for the releases I manage, namely 2.4 and 2.5.
This is a Python-wide policy.
...and, now that Martin has explained it, it makes p
On Fri, 6 Mar 2009 at 20:57, "Martin v. Löwis" wrote:
If it is possible for a hostile outsider to trigger the DOS by sending
mail to be processed by an application using the library, and the
application can't avoid the DOS without ditching / forking /
monkeypatching the library, then I would cal
> If it is possible for a hostile outsider to trigger the DOS by sending
> mail to be processed by an application using the library, and the
> application can't avoid the DOS without ditching / forking /
> monkeypatching the library, then I would call the bug a "security bug",
> period.
IIUC, it w
Chris Withers wrote:
> Martin v. Löwis wrote:
>> Martin v. Löwis added the comment:
>>
>>> So all Chris has to do to get this applied to 2.5 is craft an exploit based
>>> on the current behavior, right? ;-)
>> Right :-) Of course, security patches sho
On Mar 5, 2009, at 6:18 PM, Martin v. Löwis wrote:
That aside, is it actually a python-wide policy to *forbid* patching
older releases where the patch isn't security-related?
I set this policy for the releases I manage, namely 2.4 and 2.5.
This
> That aside, is it actually a python-wide policy to *forbid* patching
> older releases where the patch isn't security-related?
I set this policy for the releases I manage, namely 2.4 and 2.5.
I still plan to write a PEP on security releases, and how they relate
to maintenance releases.
> I can
Chris Withers wrote:
> That aside, is it actually a python-wide policy to *forbid* patching
> older releases where the patch isn't security-related?
>
> I can understand the "no more releases unless there are security
> problems", but what's the harm in applying a patch to an old version
> branch
Martin v. Löwis wrote:
Martin v. Löwis added the comment:
So all Chris has to do to get this applied to 2.5 is craft an exploit based
on the current behavior, right? ;-)
Right :-) Of course, security patches should see a much more careful
review than regular bug fixes.
Well, it's funny you