python-dev
Re: [Python-Dev] Security fixes in 2.5 and 2.4 Brett Cannon Thu Mar 19 15:00:38 2009
On Thu, Mar 19, 2009 at 02:04, "Martin v. Löwis" <[EMAIL PROTECTED]> wrote:
> I just got a few questions on how to apply security fixes.
> To clarify, I recommend the following guidelines:
>
> - whether something constitutes a security bug is sometimes
>   debatable - in case of doubt, discussion is needed. I would
>   be in favor of fixing it if the patch is small and obviously
>   correct, and opposed if the patch looks tricky. Double check
>   that the routine behavior (the "good" cases) stays completely
>   unchanged (in particular, be aware of not allowing new
>   exceptions to occur).
> - if you want to backport a security bug fix to 2.5, ALWAYS
>   consider 2.4 as well. They are in the same state, and should
>   get the same care (2.3 is closed for good). Of course, it
>   might be that the bug doesn't exist in 2.4.
> - ALWAYS notify [EMAIL PROTECTED] For one thing, they might
>   offer advice on how to proceed, but also, they might consider
>   publishing an advisory, and/or notifying some CERT. Notification
>   is in particular necessary if you are unfamiliar with security
>   issues, how they get classified, and so on - so do ask the
>   experts. (and no, I'm not one of them :-)

All sounds reasonable, although getting those of us on security@ to get an announcement out has not gone so well as of late. =)

-Brett