Security policy mentions nothing about sending emails to django-announce
Reported by: garrison
Owned by: nobody
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
This morning I happened to notice that Jacob posted a security announcement to the Django development blog, and I was surprised I had not received an email about it (like most other such announcements before it). I re-read the documentation on Django's security policies:
On the day of disclosure, we will take the following steps:
- Apply the relevant patch(es) to Django’s codebase. The commit messages for these patches will indicate that they are for security issues, but will not describe the issue in any detail; instead, they will warn of upcoming disclosure.
- Issue the relevant release(s), by placing new packages on the Python Package Index and on the Django website, and tagging the new release(s) in Django’s git repository.
- Post a public entry on the official Django development blog, describing the issue and its resolution in detail, pointing to the relevant patches and new releases, and crediting the reporter of the issue (if the reporter wishes to be publicly identified).
To my surprise, I realized that emails to django-announce are only incidentally triggered if the security issue happens to result in a new release of Django. Yet I had come to rely on such emails, assuming they were the preferred avenue for learning of Django security announcements. Despite having read the security policy document several times in my life, I never noticed this fine detail in it.
I think there are two potential solutions here:
- Add a note to the above list, saying all security issues will be sent to django-announce as well; or,
- Add a note above explicitly mentioning that only security issues that trigger a new release will be reported on django-announce.
I of course prefer the first option, as it keeps in line with expectations people (including myself) may have developed.
Change History (6)
comment:1 Changed 3 years ago by russellm
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
- Triage Stage changed from Unreviewed to Accepted
- Type changed from Uncategorized to Cleanup/optimization
comment:4 Changed 3 years ago by Tim Graham <timograham@…>
- Resolution set to fixed
- Status changed from new to closed