On 29 September 2017 at 00:44, Victor Stinner <victor.stin...@gmail.com> wrote:
> Hi,
>
> What is the policy for "critical" bugfixes regarding Python
> branches which only accept security fixes?
>
> I'm thinking of https://bugs.python.org/issue31095 "fix potential
> crash during GC".
>
> The bug was fixed in Python 3.5 while this change only accepted
> security fixes. Should we backport the fix to Python 3.3 and 3.4 as
> well?

Generally speaking, no, since we ship with known segfaults as a baseline state (even without accounting for ctypes), which means security policies around managing CPython deployments already need to take "It may segfault" into account.

While I do think it would be nice to be able to change that policy and treat all new non-ctypes segfaults as security flaws, we'd need to work through the crashers list (see Lib/test/test_crashers.py) and resolve the already known segfaults first.

Cheers,
Nick.

-- 
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
_______________________________________________
Security-SIG mailing list
security-sig@python.org
https://mail.python.org/mm3/mailman3/lists/security-sig.python.org/