Opened 21 months ago

Closed 21 months ago

Last modified 21 months ago

#20868 closed Cleanup/optimization (fixed)

Security policy mentions nothing about sending emails to django-announce

Reported by: garrison
Owned by: nobody
Component: Documentation
Version: 1.5
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

This morning I happened to notice that Jacob posted a security announcement to the Django development blog, and I was surprised I had not received an email about it (like most other such announcements before it). I re-read the documentation on Django's security policies:

On the day of disclosure, we will take the following steps:

  1. Apply the relevant patch(es) to Django’s codebase. The commit messages for these patches will indicate that they are for security issues, but will not describe the issue in any detail; instead, they will warn of upcoming disclosure.
  2. Issue the relevant release(s), by placing new packages on the Python Package Index and on the Django website, and tagging the new release(s) in Django’s git repository.
  3. Post a public entry on the official Django development blog, describing the issue and its resolution in detail, pointing to the relevant patches and new releases, and crediting the reporter of the issue (if the reporter wishes to be publicly identified).

To my surprise, I realized that emails to django-announce are only incidentally triggered if the security issue happens to result in a new release of Django. But yet I had come to rely on such emails, assuming it was the preferred avenue for learning of Django security announcements. Despite having read the security policy document several times in my life, I never noticed this fine detail in it.

I think there are two potential solutions here:

  • Add a note to the above list, saying all security issues will be sent to django-announce as well; or,
  • Add a note above explicitly mentioning that only security issues that trigger a new release will be reported on django-announce

I of course prefer the first option, as it keeps in line with expectations people (including myself) may have developed.

Change History (6)

comment:1 Changed 21 months ago by russellm

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted
  • Type changed from Uncategorized to Cleanup/optimization

Thanks for the suggestion, @garrison.

This particular announcement is a bit of an unusual case - to my knowledge, this is the first time we've made a security announcement that *hasn't* involved a new release of Django.

However, your point is a fair one -- we maintain django-announce as a low traffic mailing list specifically so that important messages get out there, and this is definitely an important message. I'll raise this with Jacob.

comment:2 Changed 21 months ago by russellm

Jacob has just posted an announcement to django-announce; I'll leave this ticket open as a note that we should modify the text for our security policy to indicate django-announce is a channel that will be used.

comment:3 Changed 21 months ago by garrison

Thanks, guys!

comment:4 Changed 21 months ago by Tim Graham <timograham@…>

  • Resolution set to fixed
  • Status changed from new to closed

In 5737c57d95cc8c17b1aa2da4809f70ad4c212716:

Fixed #20868 -- Added an email to django-announce as a security step.

Thanks garrison for the report.

comment:5 Changed 21 months ago by Tim Graham <timograham@…>

In 2cd1439c06b2834942545a5679fa50691a736d50:

[1.6.x] Fixed #20868 -- Added an email to django-announce as a security step.

Thanks garrison for the report.

Backport of 5737c57d95 from master

comment:6 Changed 21 months ago by Tim Graham <timograham@…>

In 12edced1de2b38fbb0c3c2070ba5c7302ab1843c:

[1.5.x] Fixed #20868 -- Added an email to django-announce as a security step.

Thanks garrison for the report.

Backport of 5737c57d95 from master
