New submission from Jean-Philippe Ouellet:
Hello,
My apologies if this is not the right place to discuss this.
I would like to ensure that I stay informed of any potential future security
issues in python (specifically at least the cpython runtime and standard
library, although select very-popular 3rd party libraries wouldn't hurt). I
cannot find a single place where such announcements are guaranteed to land.
Good examples of the type of thing I am looking for are the openssl-announce
list [1][2] and the golang-announce list [3], where the projects pre-announce
"Hey, we're going to have a release on which addresses a security issue in ." and then announce again
when patches are available such that responsible maintainers (such as I am
trying to be) can ensure that updates are available to our users ASAP.
The python-announce-list [4] does not serve this purpose because it has lots of
noise from initial release announcements about random 3rd party stuff, and the
"security news" page [5] is really just a "how to disclose vulns" page.
Note that I'm *not* advocating for the creation of a pre-disclosure list!
Python is such a ubiquitous piece of software that I don't think it's
reasonable to expect that such a list could contain all affected parties
without also leaking details to those who would cause harm. I'm only asking for
something public that I can subscribe to in order to be sure I'll have a heads
up of when patching is imminently required.
Regards,
Jean-Philippe
(a contributor to the Qubes OS project [6] whose security relies mostly on
Python's and Xen's - and is on Xen's pre-disclosure list)
[1]: https://mta.openssl.org/pipermail/openssl-announce/2017-October/thread.html
[2]: https://mta.openssl.org/pipermail/openssl-announce/2017-November/thread.html
[3]: https://groups.google.com/forum/#!forum/golang-announce
[4]: https://mail.python.org/mailman/listinfo/python-announce-list
[5]: https://www.python.org/news/security/
[6]: https://www.qubes-os.org/
--
assignee: docs@python
components: Documentation, email
messages: 305614
nosy: barry, docs@python, jpo, r.david.murray
priority: normal
severity: normal
status: open
title: Dedicated place for security announcements?
type: security
___
Python tracker
<https://bugs.python.org/issue31953>
___