David Pratt wrote:
> What about the idea of maintaining a text file in
> the distribution specific to possible security issues? Is this worth
> considering for historical purposes so they do not get lost over time or
> implicitly understood by only a handful of people?

Exactly. Any package that needs security-related things verified should
have a test (doctest in a text file) describing the problem and
verifying that it has been fixed.
I don't think we want a single file to hold them though, tests
(including these) should normally live near the package that they test.
Senior Software Engineer
Zope3-users mailing list
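
Added example, not part of the original message or of any Zope package: a security regression doctest of the kind the reply describes, with the problem and its fix written up as text and checked by the standard `doctest` module. The helper names (`naive_join`, `safe_join`), the issue itself and the `SECURITY.txt` file name are constructed for illustration; the text is embedded as a string so the block runs on its own.

```python
import doctest
import posixpath

def naive_join(root, user_path):
    # Constructed "before the fix" behaviour: no normalization, no containment check.
    return posixpath.join(root, user_path)

def safe_join(root, user_path):
    # Constructed "after the fix" behaviour: normalize, then require the result
    # to stay under root.
    full = posixpath.normpath(posixpath.join(root, user_path))
    if full != root and not full.startswith(root.rstrip("/") + "/"):
        raise ValueError("path escapes root: %r" % (user_path,))
    return full

# Constructed content of a doctest text file that would live next to the package.
SECURITY_TXT = r"""
Path escaping the published root (constructed issue)
====================================================

Ordinary relative paths resolve below the root:

    >>> safe_join('/srv/site', 'docs/index.html')
    '/srv/site/docs/index.html'

Problem: a path containing ``..`` or a leading ``/`` used to resolve
outside the root.  Both must now be rejected:

    >>> safe_join('/srv/site', '../../etc/passwd')
    Traceback (most recent call last):
    ...
    ValueError: path escapes root: '../../etc/passwd'

    >>> safe_join('/srv/site', '/etc/passwd')
    Traceback (most recent call last):
    ...
    ValueError: path escapes root: '/etc/passwd'
"""

def run_security_doctest(text, implementation):
    # Run the text against one implementation; returns (failed, attempted).
    test = doctest.DocTestParser().get_doctest(
        text, {"safe_join": implementation}, "SECURITY.txt", "SECURITY.txt", 0)
    result = doctest.DocTestRunner(verbose=False).run(test)
    return result.failed, result.attempted

if __name__ == "__main__":
    print("fixed code:  ", run_security_doctest(SECURITY_TXT, safe_join))
    print("unfixed code:", run_security_doctest(SECURITY_TXT, naive_join))
```

Running the same text against the unfixed helper makes the two rejection examples fail, which is what keeps the issue from being silently reintroduced.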