On 29 September 2017 at 00:44, Victor Stinner <victor.stin...@gmail.com> wrote:
> Hi,
>
> What is the policy for "critical" bugfixes regarding Python
> branches which only accept security fixes?
>
> I'm thinking of https://bugs.python.org/issue31095 "fix potential
> crash during GC".
>
> The bug was fixed in Python 3.5 while this branch only accepted
> security fixes. Should we backport the fix to Python 3.3 and 3.4 as
> well?

Generally speaking, no, since we ship with known segfaults as a
baseline state (even without accounting for ctypes), which means
security policies around managing CPython deployments already need to
take "It may segfault" into account.

While I do think it would be nice to be able to change that policy and
treat all new non-ctypes segfaults as security flaws, we'd need to
work through the crashers list (see Lib/test/test_crashers.py) and
resolve the already known segfaults first.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia
_______________________________________________
Security-SIG mailing list
security-sig@python.org
https://mail.python.org/mm3/mailman3/lists/security-sig.python.org/
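The premise of the reply above is that a CPython process can already be brought down from pure Python, ctypes being the obvious route, so "it may segfault" has to be part of any deployment's threat model. The following is an added illustration of that premise, written for this page; it is not code from CPython, from the issue referenced, or from either participant. It spawns a child interpreter that calls `ctypes.string_at(0)` (which makes CPython run `strlen` on a NULL pointer) and shows that the child dies with SIGSEGV rather than raising a catchable exception, in contrast to a child that raises a normal `ValueError`. The child snippets and the helper names are constructed for the example.

```python
"""Show that ctypes lets pure-Python code crash CPython outright.

Added example for the thread above; not code from CPython or from the
thread's participants.  A NULL dereference through ctypes is not caught
by the interpreter, so the process is killed by the OS and no Python
exception or traceback is produced.
"""
import signal
import subprocess
import sys

# Constructed child programs (assumptions for this example).
# string_at(0) with the default size=-1 makes CPython call strlen(NULL).
CRASHER = "import ctypes; ctypes.string_at(0)"
# A normal exception: recoverable by the program, exit status 1 if not.
EXCEPTION = "raise ValueError('an ordinary, catchable error')"


def run_child(code: str) -> int:
    """Run `code` in a fresh interpreter and return its exit status.

    Using a child process keeps the demonstrating process alive; running
    CRASHER in-process would kill this interpreter too.
    """
    proc = subprocess.run(
        [sys.executable, "-c", code],
        capture_output=True,
        timeout=60,
    )
    return proc.returncode


def died_of_segfault(returncode: int) -> bool:
    """True when the exit status means a memory fault, not an exception.

    On POSIX, subprocess reports death by signal as a negative status.
    On Windows, an access violation exits with NTSTATUS 0xC0000005.
    """
    if sys.platform == "win32":
        return (returncode & 0xFFFFFFFF) == 0xC0000005
    return returncode == -signal.SIGSEGV


if __name__ == "__main__":
    crash_status = run_child(CRASHER)
    exc_status = run_child(EXCEPTION)
    print(f"ctypes NULL dereference: status {crash_status}, "
          f"segfault={died_of_segfault(crash_status)}")
    print(f"ValueError: status {exc_status}, "
          f"segfault={died_of_segfault(exc_status)}")
```

The practical consequence is the one the reply draws: a crash that an attacker can trigger from Python code is not, by itself, a new capability in a CPython deployment that already exposes `ctypes`, so a crash-only bug is treated as a bug rather than a security fix unless it reaches beyond a denial of service.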